Level 20 – 21
In this level we are provided with a setuid binary located in the home directory. The binary connects to the given port on localhost using TCP. It then reads a line of text from the connection and compares it to the password in the previous level; if it's correct, it returns the password for the next level.
As hinted, let's try to connect to a network daemon; we can use netcat (the nc command) to do it. Netcat is a Unix utility that reads and writes data across network connections. Let's use it to listen on a random port while supplying the password for level 20 (stored in the /etc/bandit_pass/bandit20 file):
nc -l -p 2222 < /etc/bandit_pass/bandit20
While we are listening on port 2222, we need to simultaneously connect to bandit20 in a second terminal and run the binary against the same port:
./suconnect 2222
As a result we get the password to the next level.
Level 21 – 22
We are told that there is a cron job running at regular intervals, configured in /etc/cron.d. Cron is a daemon that executes scheduled commands. Let's see what files are located in the folder using ls -a.
As in the previous levels, the file we should start with has the level number in its name. Let's use the cat command on it to see what it is set to do.
As we can see, the cron file runs a bash script located in /usr/bin/. The asterisk symbol (*) stands for “first-last”; with five asterisks, cron runs this command every minute of every day of every week of every month (simply put, it runs every minute). The next thing we want to do is check the bash script that it executes.
cat /usr/bin/cronjob_bandit22.sh
The script writes the content of the bandit22 file located in the bandit_pass directory to a file in /tmp/. Based on previous levels, the content of that file should be the password we are looking for; we can check it using cat:
cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Level 22 – 23
We are again told that a program is running automatically at regular intervals from cron.
First, let's go to the folder specified in the description for this level and see what files are there:
/etc/cron.d$ ls
We will follow the same steps as in the last level; let's start by looking into cronjob_bandit23.
Again we see that there is another script being run every minute; let's open it.
The script saves the name of the user, then runs echo and passes the string to md5sum to hash it, and finally uses cut to trim the output down to the actual hash.
The hash is then saved to a variable, mytarget, which names a file in the /tmp/ folder that contains the password to the next level. Using cat:
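
Both cron scripts in these levels leave a password in /tmp under a name any local user can work out: a fixed name in the first cron level, and a name recomputed from echo, md5sum and cut in the second. The following is an added example, not the level's own script, that contrasts this pattern with mktemp and a restrictive umask; the phrase being hashed, the user name, the secret and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: predictable vs. unpredictable temp files for a secret.
# PHRASE is a constructed placeholder, not the string the level's script hashes.
PHRASE="constructed phrase for"

# Name derived as the write-up describes: echo a string containing the user
# name, hash it with md5sum, keep only the hash field with cut.
derived_name() {
    echo "$PHRASE $1" | md5sum | cut -d ' ' -f 1
}

# Weak pattern: deterministic name in a shared directory, readable by everyone.
write_weak() {   # $1=dir  $2=user  $3=secret
    target="$1/$(derived_name "$2")"
    printf '%s\n' "$3" > "$target"
    chmod 644 "$target"
    echo "$target"
}

# Hardened pattern: mktemp picks a random name and creates the file itself;
# umask 077 (scoped to the subshell) keeps it owner-only.
write_safe() {   # $1=dir  $2=secret
    target=$( umask 077; mktemp "$1/secret.XXXXXXXXXX" ) || return 1
    printf '%s\n' "$2" > "$target"
    echo "$target"
}

# True when the "other" permission digit includes read (GNU stat syntax).
other_readable() {
    mode=$(stat -c '%a' "$1") || return 2
    last=${mode#"${mode%?}"}
    [ $(( ${last} & 4 )) -ne 0 ]
}

# Demo in a private scratch directory; user name and secret are constructed.
demo() {
    dir=$(mktemp -d) || return 1
    weak=$(write_weak "$dir" alice "constructed-secret")
    safe=$(write_safe "$dir" "constructed-secret")
    # Anyone who can read the script can recompute the weak name.
    [ "$weak" = "$dir/$(derived_name alice)" ] && echo "recomputable: $weak"
    other_readable "$weak" && echo "weak file is readable by other users"
    other_readable "$safe" || echo "owner-only: $safe"
    rm -rf "$dir"
}
demo
```

Hashing a guessable input does not make the file name secret, because the hash can be recomputed by anyone who can read the script; only the random name together with the owner-only mode keeps the content private.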