OverTheWire Bandit: Level 21 → Level 22
Context
In Linux systems, the Cron service is used to automate tasks at specific times (every minute, daily at 3 AM, etc.). This service reads configuration files usually located in /etc/cron.d/ and executes commands accordingly.
In this level, something is running in the background and potentially copying our password somewhere. Our job is to find that “something”.
Goal
Inspect the system’s Cron tasks, find the one related to bandit22, analyze the script it runs, and retrieve the password.
Solution
Step 1: Scan Cron Jobs
Global cron definitions often reside in /etc/cron.d/. Let’s take a look:
ls -la /etc/cron.d/You’ll see a file named something like cronjob_bandit22. That’s our target!
Step 2: Read the Task
Let’s see what’s defined inside this file:
cat /etc/cron.d/cronjob_bandit22Example Output:
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/nullThese lines say: “Every minute (* * * * *), run the /usr/bin/cronjob_bandit22.sh script as user bandit22.”
Step 3: Inspect the Script
Now we know what is running (/usr/bin/cronjob_bandit22.sh). But what does it do? Let’s read it:
cat /usr/bin/cronjob_bandit22.shInside the script, you will see a command like this:
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Bingo! The script reads the password file (cat) and writes it (>) into a randomly named file in /tmp/.
Note: The filename will likely be different for you. Read the target filename carefully from the script.
Step 4: Get the Password
We just need to read that temporary file where the script copied the password:
cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv(Replace the filename with the one you found)
Key Takeaways
- Cron / Crontab: Linux’s scheduled task mechanism. It is indispensable for system administrators for tasks like backups.
- Tracing Execution: Starting from a clue (cron file), finding the executed script, and reading its code to understand its behavior is a fundamental skill in cybersecurity.