Bandit Level 23 Walkthrough

Level 22 ➔ Level 23: Reverse-Engineering Automated Scripts

1. My Objective

I am currently logged in as bandit22. My goal is to find the password for bandit23. Similar to the last level, there is a Cron job running a script. However, this time the script is a bit more "clever." It doesn't use a fixed filename in /tmp; instead, it calculates a unique name based on who is running it. I need to figure out that formula to find where it is hiding the next password.

The Mission Brief: I need to look at the script in /usr/bin/cronjob_bandit23.sh and simulate its logic. If I can replicate the calculation for the user "bandit23," I will know exactly where the password file is located.

2. The Feynman Explanation: The Secret Mailbox Generator

How do you hide mail from someone if you are forced to put it in a public room? You use a secret naming code that only you and the recipient know.

The Robot and the Fingerprint Analogy:

Imagine a Robot that delivers mail to a public lobby (the /tmp folder). To keep it safe, the Robot doesn't label the boxes with names like "John" or "Sarah."

Instead, the Robot has a Mathematical Blender (md5sum). It takes the sentence "I am user John," puts it in the blender, and gets a unique 32-character code (a hash). It then writes that code on the box.

If I am "Sarah" and I want to steal John's mail, I don't need to guess. I just use the same blender! I put the sentence "I am user John" into the blender myself. I get the exact same code. Now I just walk into the lobby and look for the box with that specific code on it. The Robot thinks it's being secret, but since I know its formula, the secret is mine.

3. Practical Solution

I start by reading the cron configuration and the script to find the "blender formula."

# Step 1: Read the script to understand the logic
bandit22@bandit:~$ cat /usr/bin/cronjob_bandit23.sh

# The important part of the script is:
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
cat /etc/bandit_pass/$myname > /tmp/$mytarget

# Step 2: Now, I simulate this for bandit23 to find the target filename
bandit22@bandit:~$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
8ca31ee0f1779c7423306635be8e974e

# Step 3: Now I know the filename is in /tmp. Let's read it!
bandit22@bandit:~$ cat /tmp/8ca31ee0f1779c7423306635be8e974e
jc1fvSAn929SAb36906sV... (Password Revealed!)

Why did this work?

The script runs every minute as bandit23. When it runs, it sets $myname to "bandit23", calculates the MD5 hash of that specific string, and copies its own password into that hashed filename. By running the same calculation manually, I was able to predict the filename and read the content before it was deleted.

🚀 My Pro Tips: Mastering Shell Logic

✨ The Power of md5sum

MD5 is a hashing algorithm. It is deterministic, meaning if I give it the exact same input, it will always give the exact same output. This makes it a common tool for generating unique identifiers or verifying that a file hasn't been changed.

⭐ Understanding 'cut'

The md5sum command usually prints the hash followed by the filename (or a dash). I use cut -d ' ' -f 1 to tell Linux: "Split the text at the space (the delimiter) and give me only the 1st field." This leaves me with just the clean hash code.

🔍 Testing in Parts

Whenever I find a script I don't understand, I break it down. I run echo I am user bandit23 first. Then I add the | md5sum. Seeing the data change at each step is the best way to learn how complex pipelines work.

4. Why this matters

I see this type of logic in many web applications. They might store your profile picture with a name like md5(username).jpg. If a developer doesn't realize that these hashes are predictable, they might accidentally expose private files. Learning to read and simulate code written by others is a foundational skill for any security researcher or software engineer.

Algorithm Cracked!

I've successfully predicted the automated script's behavior. I'll save this password and move on to Level 23 ➔ Level 24, where I'll get to write my very first script to solve a level!
