
OverTheWire Bandit: Level 22 → Level 23

Technical Note

Context

Like the previous level, we have a Cron job. But this time, it doesn’t write the password to a static filename. It generates the filename based on a specific rule (algorithm).

To solve this, we need to understand what the script does—essentially reverse engineering its logic.

Goal

Determine the filename of the password file created by the cron job running as bandit23.

Solution

Step 1: Find the Cron Job

Check /etc/cron.d/ again:

ls -la /etc/cron.d/
cat /etc/cron.d/cronjob_bandit23

This points us to the script /usr/bin/cronjob_bandit23.sh.

Step 2: Analyze the Script

Let’s read the code:

cat /usr/bin/cronjob_bandit23.sh

Key Code Snippet:

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
...

Analysis:

  1. myname=$(whoami): Gets the username of the account the script is running as.
  2. mytarget=...: Creates a filename by taking the MD5 hash of the sentence “I am user [username]”.

The Trap: If you run this script, whoami returns bandit22, and the script copies your own password (which you already know).

We need to know: What is the filename when this script is run by Cron, as user bandit23?

Step 3: Manual Calculation

Let’s simulate the script’s logic, but hardcode the target username:

echo I am user bandit23 | md5sum | cut -d ' ' -f 1

Output:

8ca3194675ce867e66f2758de6966bd9

That is the filename generated by the cron job!

Step 4: Get the Password

Now that we have the filename, check /tmp/:

cat /tmp/8ca3194675ce867e66f2758de6966bd9

Congratulations, you have the next password!

Key Takeaways

  1. Code Analysis: Predicting what software will do just by reading its source code, without running it.
  2. Context: Understanding that the output of commands like whoami depends on the execution context. Under cron, the script runs as bandit23, not as us (bandit22).