
Bandit Cron

Overview

Difficulty: Intermediate
Duration: 3h 8m
Students: 48
Ratings: 5/5
Description

This course will walk you through a variety of exercises and techniques as part of a capture the flag (CTF) game called Bandit. This will make sure that you have the necessary skills in Linux in order to excel in penetration testing and privilege escalation.

Transcript

Hi, currently we are in Bandit 21 and if you run ls, as you can see, there is nothing here. So, we want to go to 22 and I'm going to open the tips for that. So, here we go. It says that the program is running automatically at regular intervals from cron, the time-based job scheduler. So, if you have never heard about cron before, think of cron as a background service that is running over there at a given period of time. So, we have to look into /etc/cron.d/ in order to see the configuration for that cron and see what it does. So, basically if you want Kali Linux or any other Linux version to run a background job that does something at a given period of time, then you should actually have a cron job. This is exactly what it is. So, let me show you. I'm going to go into cd /etc/cron.d as it's instructed over here. If you run ls -la, you can see that we have some cron jobs. So, these are all jobs that run at a certain period of time; we don't know whether it's running every day or every hour or every minute, we don't know that yet. We're going to see what they do and we will try to get a password for the next level from them. So, over here it says that, "Yeah, look at the configuration and see what it does." So, I'm going to try and cat these things. So, I'm going to cat the first one, which is bandit15_root, and as you can see it's owned by root and it's actually running this sh and it's saving the output into /dev/null, which is nothing, okay? So, it's actually erasing, getting rid of the output, but it's actually running this sh file. So, maybe if we can find this sh file, this bash script, we can get a lead over there. However, we are trying to go into bandit22, so I'm going to cat that one as well and as you can see that is the same thing actually, so this is owned by bandit22 and over here we see bandit22.sh as well. So, this bandit22.sh might actually give us the lead that we are looking for.
So, bandit15, maybe it has something to do with level 15, but we passed that, right? So we don't need that anymore. So, I'm going to focus on this bandit22.sh and see if we can get something out of it. So, bandit17, I believe there was something in bandit17 as well. But again, we can just go along and just deal with the other ones from now on. So, let's go and cat this bandit22.sh, /usr/bin/cronjob_bandit22.sh, and: no such file or directory. Here we go, I believe I misspelled the cronjob. Rather than cronjob, I actually have written 'bronjob'. So, make sure you get that right, write it again and try to just cat this out. So, here we go. Let me just copy it from here or just change the b to c like that and here we go. So, this is a bash script, so this is the shebang, and it changes something. It changes the permission of a temporary file. So, as you can see this is a temporary file, at least it's in the tmp directory. It changes the permission to 644, okay? So, we have done that before, as you might remember, and later on it cats /etc/bandit_pass/bandit22, which is what we are looking for, and also saves the output to that particular file that has been created before. So, it's pretty easy I believe. It cats the bandit pass, so if we cat this tmp file over there, just copy and paste it, you cannot write this, it's too long. Let me come over here and paste the selection, and we can get the password because it has been read by the bandit22 user and also it has been saved in the tmp directory, in that particular file, right?

So, I'm going to copy this and come over here and nano my password.txt and just save it over there. So, I'm going to paste this and just write level 22 like that. So far, so good. So, as you can see this was related to cron jobs, but we haven't done so much with the cron jobs yet. I believe the upcoming lectures will be on cron jobs as well since we have seen cronjob_bandit23, 24, and 25 over there as well. So, let's see if this is really the case over there. So, I'm going to open the 22-23. Here we go. So, a program is running automatically. Again, we have a cron job, okay? So, it says to look in /etc/cron.d. So, the same thing, I'm going to go directly into /etc/cron.d and I'm going to run ls -la. So, we're going to see the same things one more time, but this time I believe we have to focus on cronjob_bandit23. So, I'm going to cat this thing, cronjob_bandit23, and here we go. We have the bash script one more time, so I'm going to cat this one and see what it does, okay? So, I'm going to cat this and paste the selection over here. So, here we go, and an interesting one. So, this is a bash script one more time, it starts with the shebang and it does something different. So, this particularly stands for the shebang, so it says that this is a bash script, okay? So, even without it, it will be fine, but we generally place that in order to say to the users that this is a bash script. So, apparently it runs whoami and as you can see, if we run whoami, it gives the current user, which is bandit22. So, it makes whoami equal to a variable called myname. So, if you know any programming language, I hope you do, at least Python or something like that, you know what a variable is. So, myname is a variable that holds the value of whoami at this point, and then mytarget is this value, echo I am user $myname. So, echo means print it out, and "I am user $myname" is bandit22 at this point, and it pipes it to md5sum, later on it cuts it, it formats it a little bit.
So, maybe you don't know how to work with these commands, maybe you haven't worked with them before, but let me just continue for right now, and then it echoes the password thing. It says that passwordfile /etc/bandit_pass/$myname to /tmp/$myt. So, as you might have understood by now, it actually copies the current user's password to a tmp folder into a file that we don't know yet, and that file can be inferred from the mytarget variable. So, if we can calculate the value of the mytarget variable, then we can just get it out, right? So, all we have to do is just understand how to actually calculate this mytarget, and we can do that in the terminal. You don't have to know everything about it because we know the myname. The myname variable will be equal to bandit23. Remember, this will be called by bandit23. And it couldn't find the command, so let me just try it like this. It hasn't been defined. I believe we have to lose the spaces; you're going to have to write myname equals bandit23 without any spaces, like this, bandit23. Yes, it worked. So, right now if I write $myname, as you can see $myname gives me bandit23 right now. Of course it says that command not found because there is no command such as bandit23, but we managed to assign this to bandit23. Now, if I copy this, okay? And if I paste it over here, then myname is already defined by us. Now it's going to actually echo this, it's going to actually print this out so that we can see the value of mytarget, and here we go. This is the value of the mytarget variable. So, I know what mytarget is going to be, and it will copy the current password to the tmp folder in that file. Here we go. Now we know the file name. So, it's kind of a puzzle, as you can see, and it's very interesting. So, I'm going to cat that out and if I hit 'Enter', here we go. This is the password for the next level. So, I'm going to copy this, okay?
I'm going to exit out of that one and I'm going to ssh to bandit23, and then I'm just going to come over here, enter and just try that. Let me come over here and paste the selection and hit 'Enter', and here we go. We are inside of bandit23. I'm going to take a note of that as well. I'm going to paste over here and say level 23. Great. We managed to make it into level 23. We have, I believe, time to go, so I'm going to stop here and continue within the next one with level 24.
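As an added example (not the course's own code), the following shell script reproduces the file-name derivation the lecture walks through for the bandit23 cron job and places the hardened pattern beside it. It assumes the script's formatting step is `cut -d ' ' -f 1` (the part the lecture describes as "it cuts it"), uses GNU `stat`/`mktemp`, and works on a constructed sample file rather than a real password file.

```shell
#!/bin/sh
# Added example, not the course's or OverTheWire's own script.
# Assumption: the cron script's formatting step is `cut -d ' ' -f 1`, which keeps
# only the 32-hex-character digest that md5sum prints before the file name.

# Mirror of the cron script's derivation: the /tmp file name depends only on
# the user name, so anyone who knows the user name can compute it in advance.
# That predictability is what the level exploits.
predict_target() {
    myname="$1"
    echo "I am user $myname" | md5sum | cut -d ' ' -f 1
}

# Weak pattern as the lecture describes it: predictable name plus chmod 644,
# so the copied secret is readable by every local user. Works on a scratch
# copy (constructed sample data) and returns the resulting octal mode.
weak_copy() {
    user="$1"; src="$2"; dir="$3"
    target="$dir/$(predict_target "$user")"
    cp "$src" "$target"
    chmod 644 "$target"        # world-readable: the defect the level relies on
    stat -c '%a' "$target"
}

# Hardened variant: unpredictable name from mktemp and owner-only permissions,
# so neither guessing the name nor reading the file works for other users.
safe_copy() {
    src="$1"; dir="$2"
    target=$(mktemp "$dir/copy.XXXXXXXX")   # created 0600, random suffix
    chmod 600 "$target"                     # explicit, in case umask differs
    cp "$src" "$target"                     # cp keeps the existing 0600 mode
    stat -c '%a' "$target"
}

# Usage: predict_target bandit23   -> prints the 32-character hex name
```

Because the derivation is a pure function of the user name, the defender's check is simple: any job that writes secrets to a path computed from public data, or that relaxes permissions with `chmod 644`, is a finding regardless of how the name is hashed.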


About the Author

Students: 899
Courses: 55
Learning Paths: 3

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.