This one took me a shamefully long time to complete, mostly because it’s getting late and I’m not running at 100%. We’re inspecting another cron job. This one appears to look for scripts in /var/spool/bandit24, and if it finds any, executes them and then removes them from the system. This can obviously be exploited to read the password from /etc/bandit_pass/bandit24. The easiest way to do this is to create a simple one-line script to cat the contents of the password file to our home directory.

I wrote the script, set the permissions and then copied it over. But nothing happened… After several more tries, double-checking my syntax in the script and looking for bugs, the problem turned out to be the permissions on my home directory. After changing them to 777 (obviously not something that is normally advisable), it worked.

bandit23@bandit:~$ vim getit
bandit23@bandit:~$ chmod 777 getit
bandit23@bandit:~$ chmod 777 /home/bandit23/
bandit23@bandit:~$ cp getit /var/spool/bandit24/

.
.
Time passes
.
.

bandit23@bandit:~$ ls
bandit24.pass  getit
bandit23@bandit:~$ cat bandit24.pass
XXXXXXXXXXXXXXXXXX
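
Seen from the defender's side, the weakness here is a privileged cron job that runs whatever lands in its spool directory. The following is an added example, not part of the original post and not the game's own cron script: a sketch of the checks such a runner could make before executing a file. The function names and the trusted-owner parameter are assumptions.

```shell
#!/bin/sh
# Added example: pre-execution checks for a cron job that runs files
# dropped into a spool directory. Names below are hypothetical.

# is_trusted_script FILE OWNER
# Succeeds only if FILE is a regular file (a symlink is rejected),
# is owned by OWNER (user name or numeric uid), and is not writable
# by group or others.
is_trusted_script() {
    file=$1
    owner=$2
    # find does not follow symlinks by default, so a link is "type l"
    # and never matches -type f. -prune stops descent if FILE is a dir.
    match=$(find "$file" -prune -type f -user "$owner" \
                 ! -perm -020 ! -perm -002 2>/dev/null) || return 1
    [ -n "$match" ]
}

# list_runnable DIR OWNER
# Prints, one per line, the entries of DIR that pass is_trusted_script.
# Everything else is reported on stderr and left alone, so an operator
# can see what was dropped there instead of having it silently executed.
list_runnable() {
    dir=$1
    owner=$2
    for f in "$dir"/*; do
        # An empty directory leaves the glob unexpanded; skip that case.
        [ -e "$f" ] || [ -L "$f" ] || continue
        if is_trusted_script "$f" "$owner"; then
            printf '%s\n' "$f"
        else
            printf 'skipped (owner/type/mode): %s\n' "$f" >&2
        fi
    done
}
```

A runner built on this would execute only the paths printed by list_runnable, and the job still has whatever privileges cron gives it, so the trusted owner should be an account that is already allowed to act with those privileges.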