
Bandit24

Website URL: http://overthewire.org/wargames/bandit/bandit24.html

 

Let’s log into the game server as bandit23.

Fig 1.

Task for this one:

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

As with the previous two levels, let’s look at the contents of the cron.d directory:

ls /etc/cron.d
Fig 2.

It seems that cronjob_bandit24 is the relevant file. Let’s see its contents.

Fig 3.

Now let’s look at this script.

cat /usr/bin/cronjob_bandit24.sh
Fig 4.

Analyzing the script, its operation is as follows:

  • Assigns the result of the whoami command to myname
  • Executes the scripts in the /var/spool/$myname directory
  • Deletes each file after execution has completed or the script has timed out

From this analysis alone, it might be unclear how the script can be used to obtain the password. The key point is that the value of the myname variable will be bandit24.

That means every script in the /var/spool/bandit24 directory is executed with the permissions of bandit24. So if we can place a script in that directory, it will be executed. And if that script reveals the password for bandit24, we have solved the task!

The script that we will place in the directory should be able to get the password from /etc/bandit_pass/bandit24 and dump its contents in a directory that we have access to.

But before all that, we need a directory where we have write access, so that we can create the script file. Users can create a directory in /tmp/:

mkdir /tmp/bandit24solving2018
cd /tmp/bandit24solving2018
Fig 5.

Now we formulate the script.

#!/bin/bash

cat /etc/bandit_pass/bandit24 > /tmp/bandit24solving2018/log

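Save this in a file (I named it script.sh), then copy it to the /var/spool/bandit24 directory. The script must be executable by bandit24, and bandit24 must be able to create the log file in our directory, which is why both the script and the current directory are opened up with chmod first.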

chmod 777 script.sh
chmod 777 .
cp script.sh /var/spool/bandit24/

Now we just wait until the log file appears in the current directory. According to what we saw in the cronjob, it shouldn’t take long. After a few seconds, the log file appears in the directory. All that remains is to view its contents.

Mission accomplished!
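
Seen from the defender's side, the cron job analyzed above is exploitable because it executes whatever it finds in a directory that other users can write to. The following audit function is an added example, not part of the original write-up or of the Bandit server; the name audit_job_dir, its finding labels and the demo directory are constructed for illustration.

```shell
#!/bin/bash
# Added example: audit a directory whose files get executed by a scheduled job.
# Usage: audit_job_dir DIR RUN_AS
#   DIR    - directory the job executes files from
#   RUN_AS - account the job runs as (user name or numeric uid)
# Prints one finding per line; returns 1 if anything was found, 0 if clean.
audit_job_dir() {
    ajd_dir=$1; ajd_user=$2; ajd_found=0

    # 1. Directory writable by "other": any local user can drop a file into it.
    if [ -n "$(find "$ajd_dir" -prune -perm -0002 2>/dev/null)" ]; then
        echo "WORLD-WRITABLE-DIR $ajd_dir"
        ajd_found=1
    fi

    # 2. Files owned by someone other than the account that will execute them.
    ajd_out=$(find "$ajd_dir" -type f ! -user "$ajd_user" 2>/dev/null)
    if [ -n "$ajd_out" ]; then
        printf '%s\n' "$ajd_out" | sed 's/^/FOREIGN-OWNER /'
        ajd_found=1
    fi

    # 3. Files writable by group or other: content can be swapped before the run.
    ajd_out=$(find "$ajd_dir" -type f \( -perm -0020 -o -perm -0002 \) 2>/dev/null)
    if [ -n "$ajd_out" ]; then
        printf '%s\n' "$ajd_out" | sed 's/^/LOOSE-MODE /'
        ajd_found=1
    fi

    return "$ajd_found"
}

# Demo on a constructed directory that mimics the weakness used in this level.
demo_dir=$(mktemp -d)
chmod 0777 "$demo_dir"
printf '#!/bin/bash\nid\n' > "$demo_dir/job.sh"
chmod 0644 "$demo_dir/job.sh"
audit_job_dir "$demo_dir" "$(id -u)" || echo "=> do not execute files from $demo_dir"
rm -rf "$demo_dir"
```

A job runner that passes this audit only ever executes files that the job's own account placed and that nobody else can modify.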
