Level goal: A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!

NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

As usual for levels which require us to write, you have to create your own file directory in /tmp and then create a script which output the password file there, and then move it over to the /var/spool/$myname directory

Script:

#!/bin/sh
cat /etc/bandit_pass/bandit24 >> /tmp/kongwenbin23/bandit24pass

Important: remember to change the permission of your script before copying it to the /var/spool/bandit24 folder or it will not be run by the bandit24 account. It took me a few tries to notice it.

The scripts in /var/spool/bandit24 will be run once and then purged away every minute.

The password to gain access to the next level is UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ.

—-

Fun fact: you can solve this level using the exact same method as the previous level, must have been a “loophole”…

Level goal: A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints

Like what we have done in the previous level, let’s navigate to the /etc/cron.d path and check the cronjob files.

Notice that cronjob_bandit23 is will be running the /usr/bin/cronjob_bandit23.sh script? Let’s view its content.

bandit22@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget

 

Yes, you have guessed correct. When this script is being run, it will write the currently logged-on user’s password into a file.

The file name is basically a md5 hash of “echo I am user bandit22 | md5sum | cut –d ‘ ‘ –f 1”

Since we need the password of bandit23, let’s manually run the hash and use its hash as the directory name. The password might be there, provided that someone with the bandit23 credentials has already ran this script (they probably have).

The password to gain access to the next level is jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n.

Level goal: A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed

This level is very simple, as hinted by the clue, just navigate to the /etc/cron.d directory and look for the files, you will noticed the cronjob_bandit22 files.

When opened to view the content of the cronjob, it seems that the job basically triggers a script located at /usr/bin/cronjob_bandit22.sh

To more accurately grep the files and read its content, we can perform the following grep,

ls -l | grep cronjob

Below are the list of files.

Since cronjob_bandit22.sh is the only file which is related to this level, let’s view its content.

bandit21@melinda:/usr/bin$ cat cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

Now we know that the password is stored in the /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

bandit21@melinda:/usr/bin$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

The password to gain access to the next level is Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI.

Level goal: There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: To beat this level, you need to login twice: once to run the setuid command, and once to start a network daemon to which the setuid will connect.

NOTE 2: Try connecting to your own network daemon to see if it works as you think

 

In this level, basically we need to setup a listener service to listen on any port, and then use the binary submit this level’s password to it. If It is correct, it will provide the password to the next level.

First, let’s check what are the ports opened.

Now you setup your own listener which echo the current level password when any clients connected.

Now you setup another terminal and try to check if the service is there (of course it will be there) and perform testing by trying to connect,

Notice that nmap port scan has detected the service at port 60000 which you have set up in the other terminal? Now, use the suconnect binary to establish connectivity to port 60000

Password matches, now the next password is sent to the server listener.

The password to gain access to the next level is gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr.

Level goal: To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used to setuid binary.

In this level, we will be working on a file which has its setuid set.

bandit19@melinda:~$ file bandit20-do
bandit20-do: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=08e74b8e092a91103efaab7916d75f08b887ab4d, not stripped

It’s interesting because it allows us to run a command or do anything as bandit20.

bandit19@melinda:~$ ./bandit20-do
Run a command as another user.
Example: ./bandit20-do id
bandit19@melinda:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j

The password to gain access to the next level is GbKksEFF4yrVs6il55v6gwY5aVje5f0j.