Alright, hello everyone. Welcome back to another YouTube video. My name is John Hammond, and we are still looking at the Bandit OverTheWire wargame.

So finally we're on level 23, and the problem here is a program is running automatically at regular intervals from cron, the time-based job scheduler. Look in cron.d for the configuration and see what command is being run. This level requires you to create your own first shell script. This is a very big step, and you should be proud of yourself when you beat this level. And keep in mind that your shell script is removed once it's executed, so you may want to keep a copy running around. Or one around and close by.

Okay, let's jump back in. I've got my terminal set up, and we can use sshpass with the file name that we're using. bandit23, we've got the password in that file. Using the correct user for the SSH connection, using the right port. And once we hit Enter, we are in.

Nothing in the home directory, so let's change directory into that cron.d configuration folder. We see we now have a cronjob_bandit24, and that's the one we're interested in, because that's the level we're trying to get to, is now level 24. Let's cat out that, and let's see what it's doing. So on reboot, the user bandit24 is running this script available in /usr/bin in the file system, and everything's being catted to, redirected anyway to /dev/null, so we're not getting any output. And this is also occurring every minute, as we've seen in the regular crontab. All those asterisks mean every minute of every hour of every weekday, etc., etc.

So bandit24 is still running /usr/bin/cronjob_bandit24.sh. So let's see what that script actually is. Let's cat that out. And we can see here, we've got a shebang line. A little bit of bash notation. Okay, tell the system that we are running a bash program, a bash script, setting a variable myname to whoami, or the output of whoami.
So in our case, it's bandit23, but since this script is being run as the bandit24 user, myname, that variable, must be being set to bandit24. Okay, so it's changing directory into /var/spool/ and the value of myname, so bandit24. Let's do that, just follow along. Okay, so now it's in /var/spool/bandit24. We probably can't see any files in here, okay? We don't have read permission, but the script looks like it executes and then deletes all scripts in this directory.

We can see this happening in this for loop here. For i in asterisk and dot asterisk. Okay, it begins this loop, denoted by the for, do and done. The do and done are our code blocks here, beginning and starting of the code block. And it tests if the value of this variable i is not equal to a period, probably and this value is not equal to a dot dot, or maybe, either of these things, if it's not this, okay, yeah, then and will probably work here if not equal to. It'll handle that file and we're looping through files here because it's doing that with the asterisk and the dot asterisk. It runs that script or with that file in a timeout. So for however many seconds and then it removes it with rm -f. Okay, so it's skipping over the directory symbol, the period and the parent directory symbol, the two periods, right?

So we probably can create a script in here that will, I don't know, since we're running as a privilege of bandit24, we must be able to have that actually put the password of bandit24. We can read the password of bandit24 since we're operating as that user. And let's put it in a place where we, bandit23, currently can see it or can read it. That way we can get the password for the bandit24 user and get past this level.

So we do have to create our own shell script, our own bash script, but all we know or all we need to know is that we can just use the shebang line here, that pound symbol or hashtag, exclamation point and then the path of the program.
So in this case, bash is in forward slash bin forward slash bash. Okay, so what do we want to do? Let's create a script that will put the contents of the /etc/bandit_pass/bandit24 password. We can't read that file right now, but we know the bandit24 user can once we put a script in here. How about it cats that out and it puts it in any file that we want in our own temporary directory, like a home for ourselves.

So do I still have /tmp/John3? Okay, whatever. I don't know where we were. Let's create /tmp/John3 and we'll use that as the bandit23 user. We want to make sure that everyone has access to that directory. Since bandit24 is going to end up putting a file in there or writing to it, everyone should have the right access to that folder. So I'm just going to chmod 7 for myself so I can read, write and execute and go in there. 7 for everyone in the group and 7 for everyone at all. Can read, write and execute and John3. If I, let's type out /tmp, probably can't read that, and John3 won't give us anything because there's nothing in it. Okay, so we can't really, we just got to hope, got to make sure that operate on the assumption that that did successfully happen and all users can read and write and execute in that directory.

So let's create a script now in this directory /var/spool/bandit24 because it looks like it will run scripts that we put in here. So let's make one. If this happens every minute, so we can use the date command to see how much we've got left in the minute or what second we are currently on. Yep. So let's just create a script. Let's do nano and call it get.sh or whatever you want. We don't have permission to have .nano file, whatever. That's the configuration file, not really necessary. We can still write in this folder. So let's create our shebang line. Pound, exclamation point, forward slash bin forward slash bash. And let's cat the contents of /etc/bandit_pass/bandit24 and redirect that to /tmp/John3/password.txt.
And you can use whatever directory name you want here, of course. You never had to use John3. You can use whatever file name you want to begin with. We just want to get that data. So we'll cat that over and you could just as well use the cp command. You could just as well copy it over, but let's see what happens here.

Let's check how we're doing. We've got 30 seconds. So let's mark this executable as fast as we can. get.sh. Cool. We can't ls in here. Can we ls get.sh? Okay, we know it's there. Executable from bandit23. bandit24 will execute it in 10 seconds. So if we check out what's in /tmp/John3, nothing right now. But now that it's a new minute, we've got the password.txt. All right, cool. Let's check that out. password.txt. Oh, we got to put it in the actual path that we're looking at. John3, because we aren't in that directory. We're in /var/spool/bandit24. We have to specify this is the folder that we want it from. And there it is.

Okay, so the crucial things to note for this was that we had to create our script in this directory that cron is going to use to run every minute. And we're marking it executable with chmod plus x. Make sure we have the shebang line and everything in there. So notice we've got /bin/bash, and make sure this directory that we're using to actually catch the file is world writable. So that that bandit24 user can go ahead and like read and write and actually place files in there. If we check out what is in /tmp/John3, it looks like it is owned by that bandit24 user. But since everyone has read and write access and like all that access in the folder in the temporary directory that we created, everyone will still be able to read that file. So that's how we ended up getting through this one.

Cool, let's go ahead and save this, break out of the connection we have here. Put this in bandit24, save, and let's call this good. This is going to end up being a longer video if we continue any other levels. So thank you guys for watching.
Hope you enjoyed this one. Just a couple quirks, but a really cool methodology for writing our own shell script and just being able to take advantage of one script that another user's running and kind of steal information from that user by putting it in a place where someone else can read it. So cool stuff. Thank you guys for watching. I hope you're enjoying the series and I'll see you in a later video.
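
Added example, not part of the video and not the level's own script: one way a cron-driven runner like the one walked through above could refuse to execute files dropped by other users, by checking ownership and write bits on the spool directory and on each file before running it. The function names, the numeric UID argument and the 60-second timeout are assumptions, and it relies on `stat -c` from GNU coreutils or BusyBox.

```shell
#!/bin/sh
# Added example, not the level's script. Requires stat -c (GNU or BusyBox).
# Function names, the UID argument and the 60 s timeout are assumptions.

# mode_has_bits MODE MASK (both octal): true if any MASK bit is set in MODE.
mode_has_bits() {
    [ $(( 0$1 & 0$2 )) -ne 0 ]
}

# owned_and_closed PATH UID: true if PATH belongs to UID and neither group
# nor others can write to it.
owned_and_closed() {
    [ "$(stat -c %u "$1")" = "$2" ] || return 1
    ! mode_has_bits "$(stat -c %a "$1")" 022
}

# dir_is_private DIR UID: a real directory (not a symlink) only UID can modify.
dir_is_private() {
    [ -d "$1" ] && [ ! -L "$1" ] && owned_and_closed "$1" "$2"
}

# file_is_trusted FILE UID: a regular file (not a symlink) only UID can modify.
file_is_trusted() {
    [ -f "$1" ] && [ ! -L "$1" ] && owned_and_closed "$1" "$2"
}

# run_spool DIR UID: run and remove trusted files; report everything else and
# leave it in place. Prints one RUN or SKIP line per entry.
run_spool() {
    dir_is_private "$1" "$2" || { echo "REFUSE $1"; return 1; }
    for f in "$1"/* "$1"/.*; do
        case "${f##*/}" in .|..) continue ;; esac   # same skip as the level's loop
        [ -e "$f" ] || [ -L "$f" ] || continue      # glob matched nothing
        if file_is_trusted "$f" "$2"; then
            echo "RUN $f"
            timeout -s 9 60 "$f" >/dev/null 2>&1 || echo "FAILED $f"
            rm -f "$f"
        else
            echo "SKIP $f"
        fi
    done
}
```

The directory check matters as much as the per-file check: if other users can write to the spool directory, a file can be swapped between the check and the execution.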