Bandit22 - bandit23

From JaxHax

Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.


NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.


Solution

As in bandit21, let's look at the cron configuration for some basic info.

bandit22@melinda:~$ ls -la
total 20
drwxr-xr-x   2 root root 4096 Nov 14 10:32 .
drwxr-xr-x 167 root root 4096 Mar 21 06:46 ..
-rw-r--r--   1 root root  220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root root 3637 Apr  9  2014 .bashrc
-rw-r--r--   1 root root  675 Apr  9  2014 .profile

bandit22@melinda:~$ ls /etc/cron.d/
behemoth4_cleanup  cronjob_bandit23    manpage3_resetpw_job   natas-stats      natas27_cleanup  semtex0-64   sysstat
cron-apt           cronjob_bandit24    melinda-stats          natas25_cleanup  php5             semtex0-ppc  vortex0
cronjob_bandit22   leviathan5_cleanup  natas-session-toucher  natas26_cleanup  semtex0-32       semtex5      vortex20

bandit22@melinda:~$ cat /etc/cron.d/cronjob_bandit23 
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null


So, it runs every minute as the user bandit23 using the script /usr/bin/cronjob_bandit23.sh. Let's see what that script does.

bandit22@melinda:~$ ls -lh /usr/bin/cronjob_bandit23.sh
-rwxr-x--- 1 bandit23 bandit22 211 Nov 14 10:32 /usr/bin/cronjob_bandit23.sh

bandit22@melinda:~$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget


So this script just uses a few variables that aren't hard to reproduce. The whoami command prints the name of the current user; since the script executes as bandit23, we drop that name in line and reuse the rest of the command to compute the name of the file in /tmp.

bandit22@melinda:~$ cat /tmp/$(echo I am user bandit23 | md5sum | cut -d ' ' -f 1)
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

bandit22@melinda:~$
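
The manual review above (read the cron.d entry, then read the script it runs) can be turned into a repeatable check for an administrator. This is an added example, not part of the original walkthrough or the level's own code; the function name audit_cron_d and the finding labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list jobs in a cron.d-style directory and flag any job
# script that redirects output into /tmp, as cronjob_bandit23.sh does.
# Output: one line per job, "user<TAB>script<TAB>finding".
# Usage: audit_cron_d /etc/cron.d

audit_cron_d() (
    for file in "$1"/*; do
        [ -f "$file" ] || continue
        # cron.d format: five time fields, the run-as user, then the command.
        while read -r m h dom mon dow user cmd || [ -n "$m" ]; do
            case $m in
                ''|'#'*|*=*)
                    continue ;;   # blank line, comment, or VAR=value setting
                @*)
                    # @reboot-style entries have a single time field
                    cmd="$dom $mon $dow $user $cmd"
                    user=$h ;;
            esac
            script=${cmd%% *}     # first word of the command
            [ -n "$script" ] || continue
            finding=ok
            # A redirect into /tmp from a job running as another account is
            # worth a manual look: predictable names there are readable by all.
            if [ -r "$script" ] &&
               grep -Eq '>>?[[:space:]]*/tmp/' "$script"; then
                finding=writes-to-tmp
            fi
            printf '%s\t%s\t%s\n' "$user" "$script" "$finding"
        done <"$file"
    done
)
```

A flagged script is usually fixed by creating the file with mktemp under a restrictive umask, or by writing to a directory only the job's user can read.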