Tuesday, December 16, 2014

Bandit Level 23 to Level 24

Create and run a shell script.

Host name is: bandit.labs.overthewire.org 
User: bandit23
password: jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

Goal: A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

Commands used for this level:
ls -l - list information about all the files, using a long listing format.
cat - used to view contents of a file.
whoami - print effective userid
mkdir - create a directory.
cd - change the current directory.
vim - text editor.

Step 1.
Just like the last two levels we need to view /etc/cron.d/ directory.
Type ls -l /etc/cron.d/

Step 2. 
We see a cronjob_bandit24 file so let's do a cat on it.
Type cat /etc/cron.d/cronjob_bandit24
We get bandit24 /usr/bin/cronjob_bandit24.sh as our output, so let's take a look at what this script does.


Step 3.
Type cat /usr/bin/cronjob_bandit24.sh 

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in *;
do
    echo "Handling $i"
    ./$i
    rm -f $i
done

Step 4.
Looks like we have another script that sets myname to the name of the user running it (whoami) and then executes and deletes all scripts in /var/spool/$myname.
Let's run the script and see what happens.
Type  /usr/bin/cronjob_bandit24.sh 

/usr/bin/cronjob_bandit24.sh: line 5: cd: /var/spool/bandit23: No such file or directory
Executing and deleting all scripts in /var/spool/bandit23:
Handling *
/usr/bin/cronjob_bandit24.sh: line 10: ./*: No such file or directory


Step 5.
Looks like the script changes to the directory /var/spool/bandit23 and then executes and deletes all scripts, but none are found. Let's create a script, but put it in /var/spool/bandit24, that will cat the password file from where we have seen our passwords stored, /etc/bandit_pass/bandit24, out to a directory we will pick. Cron runs the job as bandit24, so myname becomes bandit24 and everything in /var/spool/bandit24 is executed as bandit24, who happens to have permission to cat this file. We currently do not have permission to cat that file because we are logged in as bandit23.

Type mkdir /tmp/bandit24
Hmm, that's strange, it says mkdir: cannot create directory '/tmp/bandit24': File exists
Okay, let's cat that file.
cat /tmp/bandit24 and like that we have our password for the next level UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

This is obviously an error in the way this challenge is set up, but it is cool to see you can sometimes accomplish your goal by just snooping around a bit when you find something that doesn't seem right. This file must have been created by another user and I guess all users have access to files that other users of overthewire create.

Let's continue our goal of creating a script and having it run.

Step 6.
Type mkdir -p /tmp/hxjump  Your directory may still be there from previous levels if they have not rebooted the server. The dash p will keep you from getting errors if the directory already exists.

Then let's change to our directory and create our script.
cd /tmp/hxjump

Step 7.
Now let's create our script
vim bandit24.sh
Once in vi, press a, then copy and paste the above and change our uid like below.
#!/bin/bash

cat /etc/bandit_pass/bandit24 >> /tmp/hxjump/level24


Press the Esc key to exit editing mode and then type :wq

Step 8.
Now set read, write, and execute permissions on our file with chmod 777 bandit24.sh

Step 9.
Now we need to copy our script over to /var/spool/bandit24
cp bandit24.sh /var/spool/bandit24 
The script will auto run because of cron, you may need to wait a minute before the next step shows our file.


Step 10.
Apparently this level appears to be broken as I can see my script is copied to /var/spool/bandit24 and after a minute is deleted from the /var/spool/bandit24 directory but no file is ever created in my tmp/hxjump directory. I have looked at other solutions and they all did basically the same thing I did for a script. At least I have the password for the next level. Maybe I'll come back to this level sometime if they ever fix it.
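
The cron script from Step 3 runs whatever any user drops into the spool directory, with the privileges of the cron user. A hardened form of that loop, as an added example that is not OverTheWire's code: it stops when cd fails, ignores the unexpanded glob, quotes file names, and executes only regular files owned by a trusted numeric UID. The name run_spool and its two arguments are assumptions made for this example, and stat -c is the GNU coreutils form.

```bash
#!/bin/bash
# Added example: hardened variant of the spool loop from Step 3.
# run_spool and its two arguments are hypothetical names, not OverTheWire's.

# run_spool DIR TRUSTED_UID
# Executes regular files in DIR that are owned by TRUSTED_UID, then deletes
# every entry it looked at. Prints one status line per entry.
run_spool() (
    # The body is a subshell, so the cd does not leak into the caller.
    # The original ignored a failed cd and carried on in the old directory.
    cd -- "$1" || { echo "cannot enter $1" >&2; exit 1; }
    for f in ./*; do
        # An empty directory leaves the pattern unexpanded ("Handling *").
        [ -e "$f" ] || [ -L "$f" ] || continue
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            echo "skipped $f (not a regular file)"
        elif [ "$(stat -c %u -- "$f")" != "$2" ]; then   # GNU stat
            echo "refused $f (owner not trusted)"
        elif [ ! -x "$f" ]; then
            echo "skipped $f (not executable)"
        else
            echo "running $f"
            "$f" || echo "failed $f (exit $?)"
        fi
        # Quoted and prefixed with ./ so odd names are not split or
        # read as options, unlike the original rm -f $i.
        rm -f -- "$f" || echo "could not remove $f" >&2
    done
)

# Stand-alone use: script.sh DIR TRUSTED_UID
if [ "$#" -eq 2 ]; then
    run_spool "$1" "$2"
fi
```

The owner check and the execution are separate steps, so the spool directory should also carry the sticky bit, which stops other users from replacing a trusted file between the two.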

6 comments:

  1. I had the same issue, but ended up taking an extra step. If you first create the bandit24 file (with chmod 777) in your tmp dir, then cp your script to /var/spool/bandit24, the cron script will properly cat the password to your created bandit24 file. Seems there might be an issue with the cron's permission to create the bandit24 file. Not sure, but creating the file before letting cron run was how I finished the level.

  2. Can't even get it to work with the already created file. I tried writing to my tmp directory and creating a file from level 22 and it was fine. This level is just broken. Thanks for the password, that directory is still there.

  3. You need to set permissions for whatever your temporary directory is, too. So, for your example, you need:

    chmod 777 bandit24.sh

    AND

    chmod -R 777 /tmp/hxjump/

    For me, this managed to actually paste the password file.

    1. Yessss, this is the resolution, congrats!!!

  4. I did something very weird:
    When I catted the tmp directory with a password, it didn't work for some reason. However when I listed (with -la) I found two files that give you the password for bandit 25, and one gives you the bandit 24 password as well as the bandit 25, however that has to be run with python.

  5. Thank you very much Unknown Dec15 at 6:49 PM!!! This was exactly my problem...
