Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

Commands you may need to solve this level

  • cron
  • crontab
  • crontab(5) (use “man 5 crontab” to access this)

My Answer (Step by step)

  1. 連線到伺服器並登入
ssh bandit22@bandit.labs.overthewire.org -p 2220
  1. 透過 cd 與 ls 指令前往 /etc/cron.d 目錄查看有哪些排程工作
cd /etc/cron.d
ls -al

根據指令結果,發現有一個檔案 cronjob_bandit23 名稱跟下一等級相關

  1. 透過 cat 指令將檔案 cronjob_bandit23 內容呈現出來
cat cronjob_bandit23
# @reboot bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
# * * * * * bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null

根據指令結果,發現此工作會執行 /usr/bin/cronjob_bandit23.sh

  1. 透過 cat 指令將 sh script 呈現出來
cat /usr/bin/cronjob_bandit23.sh
# #!/bin/bash

# myname=$(whoami)
# mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

# echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

# cat /etc/bandit_pass/$myname > /tmp/$mytarget

根據指令結果,發現密碼被複製到 /tmp/$mytarget,而 $mytarget 則為 echo I am user $myname | md5sum | cut -d ’ ’ -f 1 的指令結果,其中的 $myname 又是 whoami 的指令結果

  1. 透過 whoami 指令瞭解 $myname 應填入內容
whoami
# bandit22

由於我們要得到的是 Level 23 密碼,所以 $name 應填入 bandit23

  1. 執行 $mytarget 所示的指令來得知其內容
echo I am user bandit23 | md5sum | cut -d ' ' -f 1
# 8ca319486bfbbc3663ea0fbe81326349

根據指令結果,發現密碼被複製到 /tmp/8ca319486bfbbc3663ea0fbe81326349

  1. 透過 cat 指令將 Level 23 密碼呈現出來!
cat /tmp/8ca319486bfbbc3663ea0fbe81326349