OverTheWire Bandit Level 23->Level 24 - Walkthrough
Introduction
In this post, I will give you a walkthrough of the Bandit wargame Level 23->Level 24. This level requires the cron knowledge from previous levels. We will create our first shell script in this level to get the password.
Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
Login Details
Server - bandit.labs.overthewire.org
Port - 2220
Username - bandit23
Password - QYw0Y2aiA672PsMmh9puTQuhoz8SyR2G
Theory
The script executed in this level uses a for loop and other commands that you need to understand in order to clear the level. A for loop iterates through a set of values and uses the iterating variable to perform an action on each value. The script in this level uses a for loop to iterate through all the files.
stat is another command used in the script. It displays detailed information about a file or a file system. The syntax of the stat command is "stat [options] [filename]". The script uses the option "--format", which customizes the output instead of using the default output format, together with the format sequence "%U", which prints the username of the file's owner.
The script also uses the timeout command, which runs a specified command for a set duration of time and then terminates it if it is still running. Its syntax is "timeout [time] ./scriptName.sh".
Solution
SSH into the user bandit23 using the command "ssh bandit23@bandit.labs.overthewire.org -p 2220" and the above password.
Navigate to the directory /etc/cron.d and see the files present. We will check specifically "cronjob_bandit24" for this level. Type the commands:
- cd /etc/cron.d
- ls
- cat cronjob_bandit24
Let's understand the script line by line:
- The script runs through all the files in the folder "/var/spool/bandit24/foo" and deletes the files whose owner is bandit23. The output of the command whoami is stored in the variable called myname (the script is executed by bandit24, therefore the variable will have the value bandit24).
- The working directory is changed to /var/spool/bandit24/foo.
- A for loop is used to iterate through all the files in the current directory, and an if statement checks whether the currently selected file is called '.' or '..'. If not, the rest of the code is executed. ('.' means the current directory and '..' means the parent directory.)
- The name of the current file is printed and the owner information is stored in the variable "owner".
- Another check is made to see whether the owner of the selected file is "bandit23". If yes, the selected file is executed under timeout, which sends a KILL signal if the file is still running after 60 seconds, and the file is then deleted.
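The loop described above, modelled as an added example that is not the level's actual script and not part of the original post. The function name run_owned_scripts, its parameters and the sandbox files are constructed here, GNU stat and timeout are assumed, and the demo runs against a throwaway directory with a 1-second limit instead of 60:

```shell
# Added example: a model of the loop as this walkthrough describes it.
# Function name, parameters and sandbox files are constructed for illustration.
# Usage: run_owned_scripts DIR OWNER [SECONDS]
run_owned_scripts() (
    dir=$1; want=$2; limit=${3:-60}
    cd "$dir" || exit 1
    # "* .*" also matches hidden names, so "." and ".." have to be skipped.
    for i in * .*; do
        if [ "$i" != "." ] && [ "$i" != ".." ]; then
            [ -f "./$i" ] || continue            # unmatched glob stays literal
            owner=$(stat --format "%U" "./$i")   # %U = user name of the owner
            if [ "$owner" = "$want" ]; then
                echo "Handling $i (owner: $owner)"
                # Run the file; send KILL if it is still running after $limit seconds.
                timeout -s KILL "$limit" "./$i" || echo "  $i ended with status $?"
                rm -f "./$i"
            fi
        fi
    done
)

# Sandbox demo: a throwaway directory stands in for the spool folder.
demo() (
    box=$(mktemp -d) || exit 1
    me=$(stat --format "%U" "$box")              # owner name as stat reports it
    printf '#!/bin/sh\necho ran > "%s/marker"\n' "$box" > "$box/job.sh"
    printf '#!/bin/sh\nsleep 30\n' > "$box/.slow.sh"
    chmod +x "$box/job.sh" "$box/.slow.sh"
    run_owned_scripts "$box" "$me" 1
    ls -A "$box"                                 # only "marker" is left
    rm -rf "$box"
)
demo
```

The hidden file .slow.sh is picked up by the ".*" part of the glob and is killed after the time limit, which is why timeout reports a non-zero status for it.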
We will create a folder in the /tmp directory and use that as the base location for all further operations. Type the commands below:
- mkdir /tmp/temporary24
- cd /tmp/temporary24
In the newly created folder, create a file called script.sh using the nano editor. Type "nano script.sh" and write the code below in the file:
#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/temporary24/password
Press Ctrl+O -> Enter -> Ctrl+X to save the file.
We will create another file named "password", as the script will write the password for bandit24 into this file. Type the command "touch password" to create the file.
Now, we will set the permissions for the /tmp/temporary24 directory so that when the script tries to copy the password into the file "password", it does not fail. Type the command "chmod 777 /tmp/temporary24" and then type "chmod 777 password".
Finally, copy the script to the folder /var/spool/bandit24/foo, from where the cron job will execute it. Type the command "cp script.sh /var/spool/bandit24/foo/script.sh".
After waiting for a minute, type the command "cat password" to get the password.
This completes the Level 24 walkthrough. Please post your questions and doubts in the comment section.