Bandit21 - bandit22

From JaxHax
Jump to: navigation, search

Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.


Solution

This challenge is just testing if you can read a cron config and a bash script. Once you understand these two things it's trivial to complete this level. First let's take a look at the cron config we are interested in.

bandit21@melinda:~$ ls -la
total 24
drwxr-xr-x   2 root     root     4096 Nov 14 10:32 .
drwxr-xr-x 167 root     root     4096 Mar 21 06:46 ..
-rw-r--r--   1 root     root      220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root     root     3637 Apr  9  2014 .bashrc
-r--------   1 bandit21 bandit21   33 Nov 14 10:32 .prevpass
-rw-r--r--   1 root     root      675 Apr  9  2014 .profile
 
bandit21@melinda:~$ ls /etc/cron.d/                
behemoth4_cleanup  cronjob_bandit23    manpage3_resetpw_job   natas-stats      natas27_cleanup  semtex0-64   sysstat
cron-apt           cronjob_bandit24    melinda-stats          natas25_cleanup  php5             semtex0-ppc  vortex0
cronjob_bandit22   leviathan5_cleanup  natas-session-toucher  natas26_cleanup  semtex0-32       semtex5      vortex20
 
bandit21@melinda:~$ cat /etc/cron.d/cronjob_bandit22
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null


so the cron job runs every min as the user bandit22 and invokes the command /usr/bin/cronjob_bandit22.sh. Let's look into what the bash script is doing.

bandit21@melinda:~$ ls -l /usr/bin/cronjob_bandit22.sh
-rwxr-x--- 1 bandit22 bandit21 130 Nov 14 10:32 /usr/bin/cronjob_bandit22.sh
 
bandit21@melinda:~$ cat /usr/bin/cronjob_bandit22.sh 
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv


So that script is dumping the password into a file /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv. We can try to cat the file and get the password since it is readable to everyone (chmod 644 = rwxr-xr-x)

bandit21@melinda:~$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
 
bandit21@melinda:~$