
Bandit Cron Advanced

Overview

Difficulty: Intermediate
Duration: 3h 8m
Students: 48
Ratings: 5/5
Description

This course will walk you through a variety of exercises and techniques as part of a capture the flag (CTF) game called Bandit. This will make sure that you have the necessary skills in Linux in order to excel in penetration testing and privilege escalation.

Transcript

Hi, within this lecture, we're going to go into the level 24 and so much more if we have time. So far, we are in the level 23 and again, I believe this is about cronjobs one more time. As you can see, it asks us to go into the cron. As you can see, there is nothing over here so I'm going to go into /etc/cron.d and see what this is about. So, I'm going to run ls -la and here we go. Now, we have covered the bandit 22, 23 and now we want to take a look at the cronjob_bandit24. So, I'm going to cat this out. I'm going to say cat cronjob_bandit24 and here we go. We have again a bash script over there, so we want to see what's inside of this one. So, I'm going to copy this /usr/bin/cronjob_bandit24.sh and I'm going to cat this out to see what it contains and here we go again, this is a bash script. We see the shebang, we see some kind of variables and all other commands. Now, this level requires us to create our own first shell script and this is a very big step and we should be proud apparently of ourselves when we beat this level. So, keep in mind that your shell script is removed once executed, so you may want to keep a copy around. So, this is good. So, we're going to write apparently our first shell script. So, you don't have to know anything about shell scripting I believe in order to complete this because shell scripting is kind of running commands in the terminal in a way, but it's much more complex if we actually want to do more complex things, but we're going to keep it simple anyway. So, let's try to take a look at this and try to understand what it's doing over there. So, again we have a myname which is the whoami which is bandit24 at this point, right? If we run whoami it will give us the bandit23 but it will be run by the bandit24 so myname will be bandit24 in this case. Then we're going to go into /var/spool/bandit24, okay? And we can try to cd into that and try to run all of those things. So, let me go into /var/spool/bandit24. Not cv but cd, let me come over here and let me try to run ls -la. Here we go, we cannot see what's inside of this because I believe it can be read by the bandit24. We are bandit23 at this point. So far, so good. Actually it's not good because we cannot see what's inside of that folder, so we're going to have to think about it a little bit. Now we're going to say echo, "Executing and deleting all scripts in /var/spool/$myname:" So, I believe we're going to execute some of the scripts and then we're going to delete it and we're going to see if that's really the case. So, we have a for loop over here, so if you know Python then you know what a for loop is. It's kind of a loop, it's actually literally a loop that goes on and on until a condition is met, okay? So, in this case, for i in * means just for the old scripts or all files in that folder, okay? For i in * .*. So, i will stand for every individual file in that folder, okay? So, for every individual file in that folder, we're going to do some things. So, this is the thing that we're going to do. So, again, i stands for the individual file in that folder. So, over here it checks something, okay? So, this is the if block. If the condition is met, then it's going to execute the following commands and in this case I believe it's checking to see if it's a file and then it says that the owner of that file. If the owner of that file is bandit23, then it's going to do something, okay? So, it's going to give us a timeout. I believe it's for 60 seconds and then it's going to execute that file as you can see this is for executing. Again, ./$i means that, ./ means running and $i stands for the individual file in that folder.
So, what it's basically doing over here is deleting that file. So, it's going to find every file in that folder, okay? Basically, it's going to execute it and it's going to delete it. So, what we know over here is that if we can know what's going to happen in that folder, what's going to be placed in that folder, it's going to be executed and then it's going to be deleted. So, I believe it's asking us to write a command or write a bash script to put in that folder, if we can write to that folder obviously. If we can put something in that folder, it's going to be executed and then it's going to be deleted. I don't care if it's going to be deleted or not, but if I can execute something in that folder, it will be executed as if it's bandit24 because it's the cronjob of bandit24, and I believe we can write something over there because it's checking to see if the owner is bandit23 even though it's a bandit24. So, I'm going to copy this shebang, okay? I'm just going to start writing my own bash script and show you what I mean because it's going to take some time, I believe. Okay, I cannot type anything right now. I believe I lost my connection. Okay, I'm just going to close this down and just ssh into that thing one more time. We already have the password over here, I just have to take the password and connect one more time. So, if you come across a situation like this, you already have the passwords, you can connect one more time. So, let me try one more time, paste the password. I believe we couldn't get it in a proper way, let me try one more time. I'm going to say copy selection, I'm going to come over here and say paste selection and here we go. We are inside of bandit23. So, I'm going to cd into /etc/cron.d one more time, okay? So, we have the cronjob_bandit24. So, if we cat this bandit24, we will see the sh file. I'm going to cat this one more time in order to see what's going on over there. So far, so good.
So, I'm going to actually try to write my own bash script right now. So, after writing my own bash script, I'm just going to try and put it into the target folder, okay? So, I believe we cannot see the bandit_pass at this point. So, if we try to go into bandit23, it will be displayed to us but if we go to bandit24, it won't be displayed to us. But if we can actually run this command with our bash script, it will be executed and we can get the password back because it will be executed as bandit24, right? All we have to do is just make sure we put it in the /var/spool/bandit24 folder. So, what we're going to do, we're going to create a bash script. So, let me try to create a bash script in the tmp folder because we have write permissions over there. If I run ls there's nothing over here, I'm just going to make a folder called atil, okay? You can create any folder you want under the tmp directory, and over here I'm just going to try and write some file, write something like a cronjob or bash script file. I'm going to use nano if we have nano over here, so let's try and use nano. I'm just going to say test.sh, nano test.sh. So, you can just name it anything you want and it gives us this error permission denied and it takes us to something like this. So, what is that? I'm going to exit out of that by hitting 'Ctrl X'. Let me try some other name over here, myscript.sh. So, here we go, I believe test.sh was taken for some reason, okay? Let me try to save this, 'Ctrl O', 'Enter' and 'Ctrl X'. 'Ctrl O', 'Enter' and 'Ctrl X' but we cannot overwrite that. We cannot save it for some reason. I'm going to name it myscript.sh. I'm going to say yes. But here we go. We cannot do anything with nano for some reason. So, let me try to create another file. Maybe there's something wrong with nano. I don't know. Maybe we can use something like vim, but if you haven't worked with vim before, it might be hard for you to keep up.
Maybe we can do something else like just echoing; just echo something into some file, right? Let me go into the tmp folder. Let me go into... Let me create another folder like atil123 or something like that. Okay? And maybe there is something wrong with that specific folder. I don't know. I'm just trying. Let me go into atil123. And let me try to run ls. Yeah, there's nothing wrong over here. I'm just going to go for nano one more time and try if this works or not; nano myscript.sh. Okay? Now, again it says that, Unable to create directory. If I hit 'Enter', it will open but it won't save anything. So, I believe there is something wrong with nano itself. So, what should we do? We should go for something else than nano. Again, we can go for vim or we can go for anything else like just echo the commands into a file. First of all, we need to know what we're going to be executing in that bash script, right? So, we're going to execute, cat-ing out the result of bandit_pass/bandit24. So, let me try to echo test into myscript.sh. Yeah, I believe this works. Let me see. Let me run cat myscript.sh. And here you go, it works. So, we can echo something; at least we know that. Let's try to echo something into an actual script. Okay? Into the myscript.sh, anyhow. So, I'm going to write test2 into myscript.sh and see if that has been overwritten. So, yeah. Here we go, it works. Now, if I echo some command into that file, and then if I can copy that command into the /var/spool/bandit24, it will be executed automatically by the cron job, right? That is the logic. That is what we are doing. That is why we are doing this. So, I'm going to run echo. And maybe do the shebang over here like a /bin/bash. And we don't actually need that shebang, we don't actually need that line, right? Because it's just for like syntax purposes. Let me try to just do it like this and see if this works; myscript.sh. So, that backslash n is for giving a new line.
And if I cat my script, no, it doesn't work. So, what I'm going to do, I'm just going to skip the /bin/bash thingy and I'm just going to echo what I want to echo over there. So, what I want is to have the shebang like that without the n over here. So, let me try this. No, it doesn't even echo the shebang. So, there is something wrong with the shebang itself. So, we can just skip that line and just try like this, cat /etc/bandit_pass/bandit24. And later, I'm going to save this output into somewhere that I can actually read. So, I'm going to save it into atil123, and test or something like password.txt or something like that. Okay? So, if we can actually see this... Let me try to cat myscript.sh. Nope, it didn't actually run. But we haven't saved it into the myscript.sh. So, we have to just make sure that we save it into myscript.sh. Okay? Now, if we try to cat myscript.sh, here you go. Finally, we have something in the myscript.sh. We omitted the shebang, but I believe it won't cause any problems. So, if we can make this run by bandit24, it will just read the password of the bandit24, and it will just save the output in the tmp folder under the atil123 folder, in the password.txt. So, I'm going to change the permissions for that file to chmod 777 in order to make this executable, because we want it to be executed by anyone. We don't care at this point. It will be deleted anyway eventually. So, the result will be saved in this folder, actually in the password.txt, but we don't have anything such as password.txt. So, I'm going to create that file. I'm going to say, touch password.txt. It will be over here. Right now, if you cat this, you won't see anything because there's nothing there. But after it gets executed, it will be there. But in order for this to work, I believe, we have to make sure that password.txt can be overwritten by anyone. So, I'm going to change the permission to 777 on password.txt, just to make sure. Okay?
So, I'm going to copy myscript.sh to the target folder, which is, if you remember it, /var/spool/bandit24, like that. So far, so good. So, here you go. Now, what we should do, we should wait for a minute. Remember that cron job, I believe, it was getting executed every 60 seconds. I'm not very certain about that. Maybe we can take a look at the crontabs or something like that. But again, we can just wait for a minute and see if we get the result in the tmp folder. Anyway, after it's executed, it's going to write this into the password.txt. So, I'm just going to cat password.txt and see if we get the result right now. Here you go. We already have it. So, it got executed. So far, so good. So, I believe this is the password for the level 24. So, I'm going to come over here and nano the password. I'm going to just paste it over there. And this will be level 24. So, great. I hope you get this. So, it was very interesting and it was actually very fun for me. So, I'm going to come over here and say bandit24, and try that password and see if that was the right one. So, here you go. Paste the selection and hit 'Enter'. And we are inside of bandit24. Great. So, it has been a long journey for us; going from 23 to 24. So, we're going to stop here and continue within the next one.
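The spool-runner loop the lecture reads through, re-created here as an added example (not the course's or OverTheWire's own code) so its behaviour can be studied in a throwaway directory rather than on the CTF box: the only gate on execution is the owner that stat reports, so any file that user can drop into the spool is run, under a timeout, with the cron job's identity and then removed. The function names, the private spool path and the job.sh/out.txt file names are assumptions.

```shell
#!/bin/bash
# Added example, not the course's or OverTheWire's code: a local re-creation of
# the spool-runner loop described in the lecture. All names are assumptions.

# run_spool DIR OWNER
#   For every entry in DIR: if it is a regular file owned by OWNER, run it under
#   a 60 second timeout (as the lecture describes); then delete the entry whether
#   or not it ran. Prints the number of files that executed successfully.
run_spool() {
    local dir="$1" owner="$2" ran=0 f o
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || continue              # glob matched nothing
        if [ -f "$f" ]; then
            o=$(stat --format '%U' "$f")     # the only gate: file ownership
            if [ "$o" = "$owner" ]; then
                # SIGKILL after 60 s; a failing script must not abort the loop
                if timeout -s 9 60 "$f"; then
                    ran=$((ran + 1))
                fi
            fi
        fi
        rm -f "$f"                           # "removed once executed"
    done
    echo "$ran"
}

# demo_spool: build a private spool, drop in one script (owned by us, so it
# passes the ownership gate) that writes a marker file outside the spool, plus a
# non-executable file that also passes the gate, run the loop and report.
demo_spool() {
    local tmp spool n
    tmp=$(mktemp -d)
    spool="$tmp/spool"
    mkdir "$spool"
    printf '#!/bin/bash\necho ran-as-%s > "%s/out.txt"\n' '$(id -un)' "$tmp" > "$spool/job.sh"
    chmod 700 "$spool/job.sh"
    printf 'not a script\n' > "$spool/notes.txt"   # attempted, fails, still deleted
    n=$(run_spool "$spool" "$(id -un)")
    echo "executed=$n remaining=$(ls -A "$spool" | wc -l | tr -d ' ') marker=$(cat "$tmp/out.txt")"
    rm -rf "$tmp"
}
```

Running demo_spool prints executed=1 remaining=0 marker=ran-as-<your user>: job.sh ran and was deleted, and notes.txt was deleted even though it could not execute. The same deletion is why the lecture advises keeping a copy of anything placed in such a spool.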


About the Author

Students: 899
Courses: 55
Learning Paths: 3

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.