CRON JOBS ENUMERATION, DETECTION AND INVESTIGATION.

This is a CTF level from overthewire.org. The task is to identify a program that runs at intervals and understand what it does. The same skill helps in detecting unauthorized or suspicious jobs whose presence may indicate that a system has been compromised.



Now let's get started.


In my previous post on cron I discussed the commands used to enumerate cron jobs, so the first thing you want to do is run "ls -lah /etc/cron.d", which lists the cron directories (cron.hourly, cron.daily, etc.). I want the password for level 22, so the cron job I want to investigate is cronjob_bandit22.

For the next step I went to the directory where the cronjob_bandit22 file is stored. You can make this faster with "cat /etc/cron.d/cronjob_bandit22", which prints the content of the file directly. You can also follow the process in the image: I changed into the directory where all the cron jobs are saved before reviewing the file.

The cronjob_bandit22 file contains the following:

@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null

* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null

Let's analyze what this means. "@reboot" means the job starts running at reboot, the job is run by bandit22, and the last field shows the path where the script is stored.

"* * * * *" means the cron job runs every minute; the user is again bandit22, and next comes the path where the script is stored. That is what we need to know for now. The important things from this discovery are that we know where the script is stored, who owns it and can run it, and how the cron job is scheduled. Next, let's investigate what the script runs.





Using the command "cat /usr/bin/cronjob_bandit22.sh" we can view what the script contains. In the picture below we see the shebang "#!/bin/bash", so we know it is a bash shell script.
 
The command "chmod 644 /tmp/t706lds9S0RqQh9aMcz6ShpAoZKF7fgv" changes the permissions of the file /tmp/t706lds9S0RqQh9aMcz6ShpAoZKF7fgv so that the owner has read and execute permissions, the group permission is read only, and others are read only as well.

The next command, "cat /etc/bandit_pass/bandit22 > /tmp/t706lds9S0RqQh9aMcz6ShpAoZKF7fgv", reads the password for bandit22 and redirects it into the file /tmp/t706lds9S0RqQh9aMcz6ShpAoZKF7fgv, where it is stored.
 
To get the password for the next level (bandit22), use the command "cat /tmp/t706lds9S0RqQh9aMcz6ShpAoZKF7fgv" to view it.


We have just detected a cron job and investigated what its script does.
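As an added example (not part of the original post or of the Bandit wargame's own files), the enumeration and review steps above folded into a small Python triage script: it parses cron.d-style lines, including the @reboot alias and the five-field form, puts the schedule into plain words, and pairs each job with the script it runs so that the read-from-a-password-file, write-to-/tmp, permissive chmod and discarded-output patterns seen in this level are flagged automatically. The cron lines and script bodies are constructed samples modelled on the post; the backup job is made up for contrast.

```python
import re
# Constructed sample in the format of /etc/cron.d/cronjob_bandit22: the two bandit22
# lines mirror the post, the backup job is made up for contrast.
SAMPLE_CROND = """\
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
# comment line, ignored by cron
0 3 * * 0 root /usr/local/bin/backup.sh
"""
# Constructed script bodies keyed by path (what `cat` on each script would show).
SAMPLE_SCRIPTS = {
    "/usr/bin/cronjob_bandit22.sh": "#!/bin/bash\nchmod 644 /tmp/t706lds9S0RqQh9aMcz6ShpAoZKF7fgv\n"
    "cat /etc/bandit_pass/bandit22 > /tmp/t706lds9S0RqQh9aMcz6ShpAoZKF7fgv\n",
    "/usr/local/bin/backup.sh": "#!/bin/bash\ntar czf /var/backups/etc.tgz /etc\n",
}
JOB_RE = re.compile(r"^(@\w+|(?:\S+\s+){4}\S+)\s+(\S+)\s+(.+)$")  # schedule user command
ALIASES = {"@reboot": "at boot", "@hourly": "hourly", "@daily": "daily"}
SCRIPT_CHECKS = [  # (regex over the script body, what it means to an investigator)
    (r"/etc/bandit_pass/|/etc/shadow", "reads a credential file"),
    (r">>?\s*/tmp/", "writes into /tmp, a directory every user can list"),
    (r"chmod\s+[0-7]*[4-7]\b", "chmod leaves the file readable by others"),
]
def parse_crond(text):
    """Return (schedule, user, command) for each job line of a cron.d-style file."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or VAR=value environment line
        m = JOB_RE.match(line)
        if m:
            jobs.append((" ".join(m.group(1).split()), m.group(2), m.group(3)))
    return jobs
def describe_schedule(schedule):
    """Plain words for a schedule, e.g. '* * * * *' -> 'every minute'."""
    if schedule.split() == ["*"] * 5:
        return "every minute"
    return ALIASES.get(schedule, f"on cron expression '{schedule}'")
def triage(crond_text, scripts):
    """Pair each cron line with the script it runs and list why it deserves a look."""
    report = []
    for schedule, user, command in parse_crond(crond_text):
        path = command.split()[0]
        findings = [why for rx, why in SCRIPT_CHECKS if re.search(rx, scripts.get(path, ""))]
        if "/dev/null" in command:
            findings.append("output discarded, so nothing reaches logs or mail")
        report.append({"user": user, "script": path,
                       "runs": describe_schedule(schedule), "findings": findings})
    return report
```

Running triage(SAMPLE_CROND, SAMPLE_SCRIPTS) reports both bandit22 entries with four findings each and the backup job with none, which is the kind of short list an investigator wants before opening each script by hand.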
 



I got access to level 22, and now we want to work our way to level 23. In the image below you can see that I detected and investigated the job and wrote a small script to output the password for the next level. I want this to be an interactive task we do together: if you've got this far, tell me what the following command does and how you retrieve the password for bandit23.

I already solved it, but I would like you to comment and give me ideas on other ways it can be done.
Thanks.