bandit 23: linux permissions, a lengthy first foray
#bandit #bash #scripting #permissions #cron
What we know:
- We will be writing a shell script
- This shell script is removed once executed, meaning that there is likely a script that will remove our script
- The script run by the cronjob relevant to this level is located at `/usr/bin/cronjob_bandit24.sh` and contains:

```bash
#!/bin/bash
myname=$(whoami)
cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        owner="$(stat --format "%U" ./$i)"
        if [ "${owner}" = "bandit23" ]; then
            timeout -s 9 60 ./$i
        fi
        rm -f ./$i
    fi
done
```
What to do with what we know:
First, let's understand the `cronjob_bandit24.sh` script:

`#!/bin/bash` indicates which shell program will be used to interpret the script, in this case `bash` (Bourne Again Shell). A variable is initialised and saves the result of the `whoami` command. (To verify that the current user is `bandit23`, I ran the `whoami` command inside of the directory where the script is located.) We navigate to a directory based on this variable: `/var/spool/bandit23`. A loop then iterates through all the files in this directory and, for every file that is not `.` or `..`, we (1) save the output of the `stat` command regarding the file (its owner) into the variable `owner`, then we (2) check if the file owner is `bandit23`, and if so, (3) the file is executed under a 60-second timeout and then deleted.
(There's more but these are the most crucial steps to understand for our goals.)
So I attempted to navigate to the `bandit23` directory (`/var/spool/bandit23/`) and received the error message:

```
-bash: cd: bandit23: No such file or directory
```

Going back one step into `/var/spool/`, I discovered that `bandit24` exists as a directory. What does this mean?
Mistake 1: Checking Permissions
I thought that the `/usr/bin/cronjob_bandit24.sh` permissions could be checked by running `whoami` from the `/usr/bin` directory in which the file was found. Of course this is not true because `whoami` reports the current user, not the file's owner. I knew this but I didn't pause to consider what exactly I was checking for when I mindlessly ran `whoami`. This error is silly; I should have been more mindful as to exactly what I am asking the computer to do in every command I make.
So to check the owner of the script in question, I ran `ls -alh cronjob_bandit24.sh`:

```
-rwxr-x--- 1 bandit24 bandit23 376 May 14 2020 cronjob_bandit24.sh
```

This means the script `cronjob_bandit24.sh` belongs to owner `bandit24` and group `bandit23`. Now it makes sense that `/var/spool/bandit23/` did not exist.
Back on track
I navigated into the `bandit24` directory and attempted to make a temporary directory, only to discover that `tmp` already existed. (`ls` was denied.) Inside of `tmp`, I created a script that copies the password file from where it's located to where I can access it as `bandit23`:

```bash
#!/bin/bash
cp /etc/bandit_pass/bandit24 /tmp/emin/pass
```

Then I created the directory `/tmp/emin/` and the file `pass`.
I moved a copy of the script into the relevant directory (`/var/spool/bandit24`) and waited for my password to appear in `/tmp/emin/pass`, but it never did!!
MISTAKE 2: Permissions Denied
I tried to execute my script myself using the command:

```
bash /var/spool/bandit24/tmp/lumpo.sh
```

(yes, that's my script name..) and received the error message:

```
cat: /etc/bandit_pass/bandit24: Permission denied
```

I wasn't sure where exactly the error was triggered: was it the execution of the `cat` command on the original password file, or was it the act of writing it onto the file I created? So I decided to check permissions on the files:
My script file is owned by `bandit23`. My script is run by a server-provided script (`/usr/bin/cronjob_bandit24.sh`) owned by `bandit24`.
It needs to read a file owned by `bandit24` and write its contents into the file I created, which is therefore owned by `bandit23`. This means that the file owned by `bandit24` must have permissions for user `bandit24` to read its contents, and the file I created must have permissions for user `bandit24` to write to it. The assumption I'm making is that because my script file is run by another script file owned by `bandit24`, it will belong to that user? FOLLOW UP
Checking permissions for the original password file with `ls -alh /etc/bandit_pass/bandit24` gives me this information:

```
-r-------- 1 bandit24 bandit24 33 May 7 2020 /etc/bandit_pass/bandit24
```

I know that each file or directory has three permission types: read, write, execute. According to the Linux docs:
- The first character is the special permission flag that can vary.
- The following set of three characters (rwx) is for the owner permissions.
- The second set of three characters (rwx) is for the group permissions.
- The third set of three characters (rwx) is for the all-users (other) permissions.
- Following that grouping is an integer showing the number of hard links to the file.
- The last piece is the owner and group assignment, formatted as Owner:Group.
An example: `_rwxrwxrwx 1 owner:group`
So we can conclude that since the original password file can be read by the owner that runs it, this is not the source of the problem.
Checking permissions on my file with `ls -alh /tmp/emin/pass` gives:

```
-rw-r--r-- 1 bandit23 root 0 Jan 3 20:38 /tmp/emin/pass
```

This means that only the owner (`bandit23`) can read and write to this file. For everyone else, it is read-only.
So I ran `chmod 777` on the file, which gives everyone full permission to access the file, and verified that it is so with `ls -alh /tmp/emin/pass`:

```
-rwxrwxrwx 1 bandit23 root 0 Jan 3 20:38 /tmp/emin/pass
```

Now if I try the script again, it should work! ALAS IT DID NOT!!!!!
Now I questioned whether the permissions for the directory containing the file also needed to be changed, so I ran the same `chmod 777` command recursively from the `/tmp/emin` directory.
STILL DIDN'T WORK!!!!
The only other file that does not have full permissions and that I have the ability to change is my script. So I changed it to full permissions and it worked. But why?
What is the difference between this file having full permissions:

```
-rwxrwxrwx 1 bandit23 bandit23 59 Jan 3 20:35 lumpo.sh
```

vs. read-only permissions?

```
-rw-r--r-- 1 bandit23 bandit23 59 Jan 3 21:33 lumpo.sh
```

Remember that this file contains the script that copies the password from the `bandit24` file to my file: `cp /etc/bandit_pass/bandit24 /tmp/emin/pass`
Why would my script need write permissions?! This doesn't make sense...
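The bit that matters in the two listings above is the execute bit, not the write bit: the cron loop launches each file as `./$i`, and the kernel only starts a file that way when its mode includes `x` (`bash file`, as run by hand, needs only `r`). The following is an added example, not part of the original write-up, that replays the level's loop in a scratch directory on two copies of the same one-line script, one with mode 644 and one with mode 755; the directory and file names are constructed for the demonstration.

```bash
#!/bin/bash
# Added example (not from the write-up): replay the loop from
# /usr/bin/cronjob_bandit24.sh in a scratch directory. The loop runs each
# file as ./$i, so a script with mode 644 is "found but not executable"
# (exit 126) while the same script with mode 755 runs. Paths are constructed.

# Run one file the way the cron loop does (./file under timeout) and print
# its exit status. GNU timeout reports 126 when the file cannot be invoked.
run_like_cron() {
    if timeout -s 9 60 "$1" >/dev/null 2>&1; then
        echo 0
    else
        echo $?
    fi
}

# Build a scratch spool directory under the current directory (so a noexec
# /tmp does not skew the result) holding two copies of one script:
# ro.sh with mode 644, as the author's lumpo.sh had, and rx.sh with mode 755.
setup_spool() {
    local spool
    spool=$(mktemp -d ./spool.XXXXXX)
    printf '#!/bin/bash\nexit 0\n' > "$spool/ro.sh"
    cp "$spool/ro.sh" "$spool/rx.sh"
    chmod 644 "$spool/ro.sh"
    chmod 755 "$spool/rx.sh"
    echo "$spool"
}

# Mirror the level's loop: skip . and .., read the owner with stat, run the
# file if the owner matches, then rm -f it whether or not it ran. The only
# changes are that "bandit23" becomes the current user, and a literal ".*"
# (no dotfiles present) is skipped. Prints "name:status" for each file run.
sweep_spool() {
    local spool="$1" me i owner status
    me=$(id -un)
    cd "$spool" || return 1
    for i in * .*; do
        [ -e "./$i" ] || continue
        if [ "$i" != "." ] && [ "$i" != ".." ]; then
            owner="$(stat --format "%U" "./$i")"
            if [ "$owner" = "$me" ]; then
                status=$(run_like_cron "./$i")
                echo "$i:$status"
            fi
            rm -f "./$i"
        fi
    done
}
```

Running `sweep_spool "$(setup_spool)"` prints `ro.sh:126` and `rx.sh:0`, and both files are gone afterwards, exactly as the level's loop would have swallowed a 644 `lumpo.sh` without ever running it.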
Follow-up Questions:
- What are the usage differences between a (POSIX) shell and bash?
- Why did `cp` fail but `mv` and `cat` work? Are there permissions blocking copying files on this server? Likely.
What I learned:
PERMISSIONS COME FIRST.