OverTheWire Bandit Guide

here's how to solve the bandit level 21 → 22

Back to the Bandit Guides

Previous Level Guide: Bandit Level 20 → 21

Access

SSH: ssh bandit21@bandit.labs.overthewire.org -p 2220

Password: lhuhHfJEupZ1huBKD8qQohRMMrJs7aMH

Info

Description: A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
Commands: cron, crontab, crontab(5) (use “man 5 crontab” to access this)

Theory

To get the password, the instructions say that the password is in a file given to us, probably at a temporary folder or something, but it changes every now and then because of cron. For those who don't know, cron is a little program/command that lets you run files or tasks at specific times, dates, or intervals, so you could schedule a file to run every hour or a task at a specific time of the day, etc. So because I haven't done the challenge yet, we're on theory, I don't know what exactly the cron job or task is going to do to give us the password, but it'll probably be pretty simple. So I read a bit the manual pages, and I think we can do it already. All the commands we could maybe have right now, is access the cron jobs place like it says in the instructions:

ls -la /etc/cron.d/

Solution

So first of all, let's see all the cron jobs. And we can see that there are three, but we're gonna do bandit22 because we haven't gotten to the other ones, which are for future levels:

~$ ls -la /etc/cron.d/
total 44
drwxr-xr-x   2 root root  4096 Sep 19 07:10 .
drwxr-xr-x 121 root root 12288 Sep 20 18:37 ..
-rw-r--r--   1 root root   120 Sep 19 07:08 cronjob_bandit22
-rw-r--r--   1 root root   122 Sep 19 07:08 cronjob_bandit23
-rw-r--r--   1 root root   120 Sep 19 07:08 cronjob_bandit24
-rw-r--r--   1 root root   201 Apr  8  2024 e2scrub_all
-rwx------   1 root root    52 Sep 19 07:10 otw-tmp-dir
-rw-r--r--   1 root root   102 Mar 31  2024 .placeholder
-rw-r--r--   1 root root   396 Jan  9  2024 sysstat

If we read the bandit22 cron job, we can see where the bash file is located and how often it gets executed:

~$ cat /etc/cron.d/cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null

The five stars indicate that it is being executed every minute, so this means we have to go fast before it changes, so we follow the bash file link:

~$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

Looking at this file, we can conclude that it first gives reading permissions to everyone in a temporary folder, and it copies the password there. So we just need to go to this temporary file and read it, with cat for example:

~$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
OUfP00mkVlHLfrTOC1Jq3yhSLCePOyIo

And that's the password! Now we should be good to go to the next level.

https://overthewire.org/wargames/bandit/bandit22.html
Next Level Guide: Bandit Level 22 → Level 23

Explore My Website