Lvl 21-23 all about cronjobs!
LV 21 —> 22
This was a straightforward level with a linear problem-solving narrative.
What we know:
"A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed."
What I did with this knowledge:
First, I navigated to the /etc/cron.d directory and researched what this directory contains: cron reads the files in the /etc/cron.d/ directory, and system daemons such as sa-update or sysstat usually place their cron jobs here. So I understand the /etc/cron.d/ directory to hold files that are read by the cron utility.
I decided to try to run the cronjob most relevant to my goals: `crontab cronjob_band22`
The response was: `/var/spool/cron/: mkstemp: Permission denied`
Then I decided to take a look at the cron file using `less`, which gave me:
```
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
```
I then researched the syntax of a cronjob, which is:
```
a b c d e /directory/command [output]
```
The first section (a b c d e) contains 5 fields that indicate the date/time/re-occurrence of the job (or a shortcut such as @reboot). The second section is the location of the script you want to run. The third section is optional and indicates where the output goes. Note that in files under /etc/cron.d/ a username field sits between the schedule and the command, which is why `bandit22` appears in the lines above: the script is run as that user.
In this case, our script is located at /usr/bin/cronjob_bandit22.sh and its output disappears into the void of /dev/null.
So I navigated to /usr/bin/ to read the cronjob script (yes, I'm aware I could have done this without navigating there!) and used `less` to see this script:
```bash
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
```
I interpreted this to mean that the output of the cronjob was being saved in a file called t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv in the /tmp folder.
I used `less /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv` and voilà! The password is mine!
What I could have done better:
What is the difference between the file in /etc/cron.d and the one in /usr/bin?
Running `diff /usr/bin/cronjob_bandit22.sh /etc/cron.d/cronjob_bandit22` gives a comparison:
```
1,3c1,2
< #!/bin/bash
< chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
< cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
---
> @reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
> * * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
```
Upon first glance, I notice that the cronjob file in /usr/bin has a .sh suffix, which means that it is a bash script. I verified this using `file /usr/bin/cronjob_bandit22.sh` and saw the following output:
```
/usr/bin/cronjob_bandit22.sh: Bourne-Again shell script, ASCII text executable
```
Then I used `file -- *` in the /etc/cron.d/ directory and found that they were all just ASCII text files, not executables:
```
cronjob_bandit15_root: ASCII text
cronjob_bandit17_root: ASCII text
cronjob_bandit22:      ASCII text
cronjob_bandit23:      ASCII text
cronjob_bandit24:      ASCII text
cronjob_bandit25_root: ASCII text
```
This is something I could have noticed much earlier had I either been more observant of the file suffix or used the `file` command to check.
LV 22—>23
A very similar level to the previous one. Straightforward, easy. This time the cronjob script that we had to understand contained:
```bash
#!/bin/bash
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget
```
At first, I thought this was super straightforward, so I ran the contents of the script by hand, replacing the variable `myname` with my current user, bandit22. I ran it through the `md5sum` checksum, piped it into the `cut` command to remove the extra characters returned by the checksum and then printed the result of the `$mytarget` variable:
```
8169b67bd894ddbb4412f91573b38db3
```
According to the cronjob script, the bandit password is written into the file /tmp/8169b67bd894ddbb4412f91573b38db3.
I was VERY surprised that the result returned here did NOT work as my password! Then I realized I should have been using the username bandit23 and not bandit22, since my goal is to find the password for the next level, not this level.
I went through the same steps using the correct username for the `$myname` variable, checked the output file in the relevant /tmp folder and voilà! Completed.
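The two lessons from these levels (the user field in /etc/cron.d entries, and hashing the name of the user who *runs* the job rather than the user reading the script) can be put into one small tool. This is an added example, not code from the original post or from Bandit; the cron.d text it parses is constructed to mirror the format shown above, and `predict_targets` is a hypothetical helper name.

```python
import hashlib

# Constructed sample of /etc/cron.d entries (same shape as the page's lines).
SAMPLE_CRON_D = """\
# comment lines and blank lines are skipped by cron
@reboot bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
"""


def parse_cron_d(text):
    """Split system-crontab lines into schedule, user and command.

    Unlike a per-user crontab, files in /etc/cron.d carry a username
    field after the schedule; the command runs as that user.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].startswith("@"):            # @reboot, @daily, ...
            schedule, rest = parts[0], parts[1:]
        else:                                   # minute hour dom month dow
            schedule, rest = " ".join(parts[:5]), parts[5:]
        entries.append({"schedule": schedule,
                        "user": rest[0],
                        "command": " ".join(rest[1:])})
    return entries


def tmp_target(username):
    """Reproduce the level 23 derivation: `echo I am user $myname | md5sum`.

    echo appends a newline, so the bytes that are hashed are
    'I am user <name>\\n'; hashing the bare string gives a different name.
    """
    return hashlib.md5(f"I am user {username}\n".encode()).hexdigest()


def predict_targets(cron_text):
    """Map each cron.d user to the /tmp path its job would write to."""
    return {e["user"]: "/tmp/" + tmp_target(e["user"])
            for e in parse_cron_d(cron_text)}


if __name__ == "__main__":
    for user, path in predict_targets(SAMPLE_CRON_D).items():
        print(f"{user} -> {path}")
```

Because the username comes from the cron.d entry rather than from whoever runs the tool, the bandit22/bandit23 mix-up described above cannot happen.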