MayADevBe / MayADevBe_Comments

Integration of comments for my SSG blog https://mayadevbe.me/ with the help of utterances.

posts/overthewire/bandit/level24/ #9

Open utterances-bot opened 1 year ago

utterances-bot commented 1 year ago

OverTheWire Bandit Level 23 -> 24 - Walkthrough - MayADevBe Blog

A walkthrough of Level 23 -> 24 of the Bandit wargame from OverTheWire. - Cronjobs and bash scripting.

https://mayadevbe.me/posts/overthewire/bandit/level24/

953598096 commented 1 year ago

The passwd is wrong. I met some difficulties, I can't create a shell in /var/spool/bandit24. Can you help me?

MayADevBe commented 1 year ago

@953598096 It is possible that the password has been changed, since this write-up is from last year. I'm unsure if I can help you when I don't know what you have done. Make sure you don't have a spelling mistake and all the permissions are given, and wait for a minute to get the result. If this does not work, maybe write me an email with more detail on your problem and I can try to help you. (You can find it on the about page).

djrfree commented 1 year ago

I had to use the chmod 777 command with the -r. This changed the permissions (before copying) from -rwxrwxr-x to -rwxrwxrwx.

MayADevBe commented 1 year ago

@djrfree Normally, chmod 777 gives all permissions, and the r parameter gives/removes only read permissions, which shouldn't have an effect on the write permission. But good if this worked for you.

liviuspiroiu commented 1 year ago

I had issues with this level. I tried a similar solution before arriving at this page, then followed the instructions here step by step, but the password file was always empty regardless of the permissions. So my solution was to make the script create a folder in the temp one with the password. So, in the bandit24_pass.sh I changed the cat command to this:

mkdir -p /tmp/tmp.qylmId2Ser/$(cat /etc/bandit_pass/bandit24) and it worked.

I don't know where the problem was but I leave this here if someone has the same issue.

lewi0231 commented 1 year ago

Yes, I'm having a similar issue with this one. My permissions seem to be set but it never seems to be copying into the file. Tried liviuspiroiu's solution and that didn't work either. :P

MayADevBe commented 1 year ago

@lewi0231 It's hard for me to tell what the problem might be. Since I wrote the write-up, the level was slightly changed; have you read my edit comment at the end? Maybe you need to check if there were some other slight changes to the level.

nandurijv commented 1 year ago

Had the same problem as @lewi0231, the trick was to use echo $(cat /etc/bandit_pass/bandit24) > tmp/tmp. and it worked :)

oslfmt commented 1 year ago

I used the "cat" command in the script, same as what was written in the original post. I messed around and tested a lot with the permissions though, to try to find the minimum set of permissions. I only set permissions on the "other" group since all the affected files (/tmp/tmp.xyz, bandit24_pass.sh, password) belong to the "bandit23" group and the script is executed by bandit24.

Anyways I think the minimum set of permissions is this:

password - w
bandit24_pass.sh - r,x
/tmp/tmp.xyz - x

Remember that the user that will be actually executing your script (bandit24_pass.sh) is bandit24. It's pretty intuitive why password just needs the write permission. For the script, you clearly need to allow bandit24 to execute it. But you also need the read bit since this is a shell script, which is a text file, so you need read permissions. You can only execute binary files with just the execute permission. And finally for /tmp/tmp.xyz, you just need the execute permission because for directories, execute essentially allows the user to access files and directories inside. The write bit is just for creating, renaming, and deleting files, according to this.

oslfmt commented 1 year ago

Also if you create a script in /var/spool/bandit24/foo/ and name it something generic like "script.sh" or "myscript.sh" then there's a chance someone else created the same script and it hasn't been deleted yet, so you'll already see text inside the script. This happened to me a couple times. I guess they haven't really bothered with concurrent access issues.

virtualimpure commented 8 months ago

yup, they changed it and added a dir, add "foo"

so the command should be: cp bandit24_pass.sh /var/spool/bandit24/foo/bandit24_pass.sh

personguy commented 5 months ago

No matter how much I re-read the cron and crontab manuals, I still haven't gotten my head around the timing/instantiation of these cronjobs relative to the currently logged-in user, e.g. specifically why it was understood that we only needed to wait a minute for the cronjob to kick in and run that .sh file. Are the cronjobs in cron.d simply running every minute (as opposed to the ones in monthly, weekly, daily, etc.)?

I feel like I understood everything else about this challenge, and what needed to be done was pretty clear, but I kept asking myself "How do I get bandit24 to run its cronjobs..?" ... and after reading a couple walkthroughs it seems like it's simply understood that these are happening automatically.

My understanding from the cron man is that the @reboot indicates the cronjob runs on reboot, and I figured that meant when either the server rebooted or when the relevant user logged in, but I'm clearly missing something.

MayADevBe commented 5 months ago

@personguy Hi, so to my knowledge the user is not really playing a role in cronjob timing. By default, it is UTC, even if for a user it might be different (see: https://serverfault.com/questions/791713/what-time-zone-is-a-cron-job-using). So yes, you can simply assume that the cronjob runs every minute - especially because it wouldn't really matter what time/user it depends on. If you create the script you have a maximum of one minute to wait, depending on when the job was last run. For a machine/server, even if a user is not logged in (or just logged out), the machine is still running - reboot refers to really shutting down and starting the machine/server. So user login/logout are irrelevant for this cronjob.

Hope this helps!

personguy commented 5 months ago

@MayADevBe Thanks for the follow-up. That's pretty wild, if I'm understanding correctly. Because if I run the cronjob_bandit24.sh script (as bandit23) I can see the script running, which shows it trying to execute then remove all 1,154 files, the majority of which look like command line tools.

So that would mean this server, which has been up for 4+ years, regardless of anyone being logged in, has been executing and removing 1K files as bandit24 once a minute for that whole time. That seemed so preposterous to me that it helped me (mistakenly) think "There must be a way to manually kick in the cronjob for bandit24". I guess it is what it is. Someone's hard drive is taking a beating, ha!

For what it's worth, after further googling I think I've confirmed that the 5 asterisks in the cron file basically boil down to "run every minute" (in fact "run every minute of every day of every week of every month of every year"). To me, the crontab(5) man only implies this, without actually coming out and saying so explicitly, so for a noob like me it was hard to trust that this was the case.

E.g. first it says:

The time and date fields are: minute 0-59 / hour 0-23 / day of month 1-31 / month 1-12 / day of week 0-7. A field may be an asterisk (*), which always stands for "first-last".

Then later says:

These special time specification "nicknames" are supported, which replace the 5 initial time and date fields, and are prefixed by the '@' character: @reboot : Run once after reboot.

Which made me think that the @reboot overruled whatever time designation (including an asterisk) had been set.

Anyway, thanks for this great walkthrough. I'm trying to only use it after exhausting all my ideas/googling, and between the two I'm learning a bunch. Cheers.
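To make the crontab(5) wording concrete, here is an added example (not code from the blog or from anyone in this thread) that parses the five time and date fields the way the man page describes them and answers the two questions raised above: how often a "* * * * *" entry fires, and how long the longest wait for the next run is. It also treats the "@" nicknames the way the quoted man page text does, as replacements for the five fields rather than modifiers of them. All function names (parse_field, next_run, and so on) are my own.

```python
"""Minimal crontab(5) schedule matcher (added example, not from the blog or thread)."""
from datetime import datetime, timedelta

# Allowed ranges from crontab(5): minute, hour, day of month, month, day of week
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]

# '@' nicknames replace the five fields entirely; @reboot has no clock equivalent.
NICKNAMES = {
    "@yearly": "0 0 1 1 *", "@annually": "0 0 1 1 *",
    "@monthly": "0 0 1 * *", "@weekly": "0 0 * * 0",
    "@daily": "0 0 * * *", "@midnight": "0 0 * * *",
    "@hourly": "0 * * * *",
}


def at(iso_text):
    """Small helper so callers can write timestamps as ISO strings."""
    return datetime.fromisoformat(iso_text)


def parse_field(text, lo, hi):
    """Expand one field ('*', '*/15', '1-5', '3,7', '8') into a set of ints."""
    values = set()
    for part in text.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = end = int(part)
        if not lo <= start <= end <= hi:
            raise ValueError(f"{text!r} is outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values


def parse_schedule(spec):
    """Return (field sets, dom_is_star, dow_is_star), or None for @reboot."""
    spec = spec.strip()
    if spec.startswith("@"):
        if spec == "@reboot":
            return None
        spec = NICKNAMES[spec]
    fields = spec.split()
    if len(fields) != 5:
        raise ValueError("expected exactly 5 time and date fields")
    sets = [parse_field(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES)]
    if 7 in sets[4]:  # 0 and 7 both mean Sunday
        sets[4].add(0)
    return sets, fields[2] == "*", fields[4] == "*"


def matches(spec, when):
    """True if a job with this schedule runs in the minute containing `when`."""
    sched = parse_schedule(spec)
    if sched is None:
        return False  # @reboot is fired by the daemon starting, not by the clock
    (minute, hour, dom, month, dow), dom_star, dow_star = sched
    if when.minute not in minute or when.hour not in hour or when.month not in month:
        return False
    cron_dow = (when.weekday() + 1) % 7  # Python: Monday=0; cron: Sunday=0
    day_ok_dom, day_ok_dow = when.day in dom, cron_dow in dow
    # crontab(5): if both day fields are restricted, the job runs when EITHER matches
    if dom_star or dow_star:
        return day_ok_dom and day_ok_dow
    return day_ok_dom or day_ok_dow


def fires_every_minute(spec):
    """True when every field covers its whole range, i.e. '* * * * *'."""
    sched = parse_schedule(spec)
    if sched is None:
        return False
    return all(s == set(range(lo, hi + 1)) for s, (lo, hi) in zip(sched[0], FIELD_RANGES))


def next_run(spec, after, limit_minutes=366 * 24 * 60):
    """First whole minute strictly after `after` at which the schedule fires."""
    t = after.replace(second=0, microsecond=0) + timedelta(minutes=1)
    for _ in range(limit_minutes):
        if matches(spec, t):
            return t
        t += timedelta(minutes=1)
    return None


def runs_in_window(spec, start, minutes):
    """Count how many times the job fires in the `minutes` starting at `start`."""
    t = start.replace(second=0, microsecond=0)
    return sum(matches(spec, t + timedelta(minutes=i)) for i in range(minutes))


if __name__ == "__main__":
    now = at("2023-05-01T12:00:30")
    print("* * * * * fires every minute:", fires_every_minute("* * * * *"))
    print("runs in the next hour:", runs_in_window("* * * * *", now, 60))
    print("next run after", now, "is", next_run("* * * * *", now))
```

With "* * * * *" the longest possible wait is under a minute, which is exactly why the walkthrough tells you to wait for a minute after dropping the script; "@reboot" never matches a clock tick at all, so a job using it would not be the one picking up the file.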

kodpein commented 5 months ago

Sneaked into their Discord; they said there's some connection bug so it might sometimes stop sending (or blocked? I don't know how to describe it, pardon me) the password to this machine/level, so this one needs a little bit of persistence in spamming the password copying script and cat command.

If you're too lazy to spam two commands every minute at the same time, just bundle them by making another simple script where executing the password copying script and the cat command are done at the same time, so you'll only need to spam once every minute. Hope this helps.

BoPann commented 1 week ago

A little update. The solution works for me except you need to tweak the copy file path because they have added a new directory called 'foo'. It looks like this: cp bandit24_pass.sh /var/spool/bandit24/foo/bandit24_pass.sh