The Goal

Another cron job is running at regular intervals. Look in /etc/cron.d/ for the configuration, read what the script does, and use that logic to locate the password for the next level.

The Approach

Reading the cron job and the script it calls:

bandit22@bandit:~$ cd /etc/cron.d
bandit22@bandit:/etc/cron.d$ cat cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
bandit22@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget

The script generates a filename by hashing the string I am user <username> with md5 and writes the password to that path in /tmp. Running it as bandit22 confirms the pattern by showing where bandit22's password goes:

bandit22@bandit:/etc/cron.d$ /usr/bin/cronjob_bandit23.sh
Copying passwordfile /etc/bandit_pass/bandit22 to /tmp/8169b67bd894ddbb4412f91573b38db3

To find where bandit23's password is stored, compute the same hash for bandit23:

bandit22@bandit:/etc/cron.d$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349

Reading that file gives the password for Level 23:

bandit22@bandit:/etc/cron.d$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
password

Commands Covered

  • md5sum, compute the MD5 hash of input
  • cut -d ' ' -f 1, extract the first field from space-delimited output
  • echo string | md5sum | cut -d ' ' -f 1, generate a hash from a known string to predict a filename