Recap of Level 22: Learned about cron and reading scripts.


Bandit Level 23


Find the password to the next level

Intel Given:

  • A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

How to:

I’m going to warn you now: this is the first level that will require some real outside-the-box thinking, which is part of what makes hackers so good at what they do. Don’t feel bad if this level isn’t clear to you at first, or even if it’s still not clear after reading this walkthrough. A lot of these topics are going to be hard to explain in the small space we have, so if things are unclear, check the suggested readings section for further instruction on the things we talk about.

We have another script running in cron that we have to decipher. Sounds easy enough, I think I saw it last time we were in the /etc/cron.d directory so let’s go over and check it out.


Well it looks a little more complicated than the last one. But once we break it down I have a feeling that it’s pretty easy.

Let’s start with the first line. If you are familiar with programming (or algebra) it may look familiar. When writing scripts, you will often need to handle things in the same way while changing what you are handling. For example, say we want to write a script that will square whatever number we pass to it. We need a way to tell the script to take whatever number we put in and multiply it by itself. The way we accomplish this is by creating variables. A variable, like in algebra, is just a representative of something else that we will decide later. When writing scripts we denote a variable by naming it whatever we like, usually something descriptive, and then a dollar sign followed by whatever we want the variable to be. In the script for this level, the author has decided that the variable myname is going to be the output of the whoami command, which returns the current user name.

As you can see in the next line, mytarget is a variable for a lot more than just a whoami command. It appears that mytarget is creating an md5 hashsum of the text “I am user $currentuser”. A hash sum is a fixed-length output that is a function of the input, whatever it may be. What that means is that the hash function analyzes the input (in our example below, the text fox) and then outputs a string of text that represents the text fox. The outputs are unique to fox within the md5 sum function. When we input fix into an md5 function we get a totally different output.


You can use hash functions to create hash sums of any file. Hash sums are often used to ensure that a file has not been modified. This is often done for software that is distributed via the internet. If you’re having trouble understanding hashes and how they work, check the further reading section for some articles strictly about hashes. Now let’s get back to our script.

After the variable declarations it looks like we have a few simple lines that print a message saying the script is copying the password for the level to a file in the temp folder. It sounds pretty easy to do, so let’s run it.


Alright, so there’s a file in /tmp with the password for bandit22. The problem is we already have the password for bandit22, since that’s our current level. It seems we’re stuck, but let’s think a little bit about what’s happening in our script. The script is taking our username (using the whoami command) and putting it into a string which is being hashed. The hash of the string is being used as the name of the file in /tmp/ where the password is written. If we want the password for bandit23, let’s see what’s in the file that’s named the hash of the string “I am user bandit23”.
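The derivation described above, as an added example that is not the level's own script: it shows that a file name built only from the username is the same for everyone who computes it, next to a name that is not predictable. The function names are hypothetical, and the echo | md5sum | cut pipeline is an assumption about how the script produces the hash.

```shell
#!/bin/sh
# Added example, not the script from this level.
# Assumption: the hash is md5sum over the echoed string. echo appends a
# newline, and that newline is part of the hashed input.

# md5 hex digest of a string, without md5sum's trailing " -" column
md5_hex() {
    echo "$1" | md5sum | cut -d ' ' -f 1
}

# Path the cron script would write to when it runs as the given user.
# Every input here is public, so any local user gets the same answer.
target_for() {
    echo "/tmp/$(md5_hex "I am user $1")"
}

# Contrast: mktemp picks an unpredictable name and creates the file
# readable and writable by its owner only.
private_target() {
    mktemp "${TMPDIR:-/tmp}/pass.XXXXXXXXXX"
}

# Constructed demo input: the two account names from this level
for user in bandit22 bandit23; do
    printf '%s -> %s\n' "$user" "$(target_for "$user")"
done

# One changed letter gives an unrelated digest (the fox / fix comparison)
printf 'fox: %s\nfix: %s\n' "$(md5_hex fox)" "$(md5_hex fix)"
```
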


Okay let’s see what the file has in /tmp.


Looks like the password to bandit23!


We learned a lot in this lesson, including setting variables in shell scripts, hash functions, and thinking outside of the box. Don’t feel intimidated if you didn’t quite get what’s happening in this level, read the suggested readings and it will become clearer.

Suggested Readings:

