We’re told that a cronjob is executing at regular intervals, and we’re to investigate. Looking in /etc/cron.d shows a script called cronjob_bandit22. That looks promising. When we inspect the script, we see that it’s executing /usr/bin/cronjob_bandit22.sh. We try to execute it ourselves, but get an error message about write permissions. However, the error message points to an interesting file. After we try to cat that, we get the password for the next level.
bandit21@bandit:~$ cd /etc/cron.d
bandit21@bandit:/etc/cron.d$ ls
cron-apt cronjob_bandit22 cronjob_bandit23 cronjob_bandit24 php5
bandit21@bandit:/etc/cron.d$ cat cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit21@bandit:/etc/cron.d$ /usr/bin/cronjob_bandit22.sh
chmod: changing permissions of '/tmp/XXXXXXXXXXXXXXXXXXXXX': Operation not permitted
/usr/bin/cronjob_bandit22.sh: line 3: /tmpXXXXXXXXXXXXXXXXXXX: Permission denied
bandit21@bandit:/etc/cron.d$ cd /tmp/
bandit21@bandit:/tmp$ ls
ls: cannot open directory .: Permission denied
bandit21@bandit:/tmp$ cat /tmpXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXX
bandit21@bandit:/tmp$