OverTheWire Bandit Level 22 → 23 tutorial!!

Login

Log in as bandit22 using the password you obtained from Level 21 → 22.

ssh bandit22@bandit.labs.overthewire.org -p 2220
# password: tRae0UfB9v0UzbCdn9cY0gQnds9GF58Q

Why? Each Bandit level is a separate UNIX user. To solve 22 → 23, you must be the bandit22 user.

Task

A cron job runs as user bandit23. Inspect what it does and use it to obtain the password for bandit23.

A little bit of Theory

• Cron job definitions live in /etc/cron.d/ on Bandit levels. Each entry calls a script/binary.
• The script for this level computes a hash-based filename using md5sum and writes the next user’s password there.
• Do not guess the path; read the script and follow the exact output filename in /tmp.

Further reading:

• crontab(5) format
• cron(8) format

Solution

1. List cron definitions

   ls -l /etc/cron.d
   

   Why? Locate the job for this level (e.g., cronjob_bandit23).

   

2. Read the cron entry

   cat /etc/cron.d/cronjob_bandit23
   

   Why? See which script runs and as which user (bandit23), plus the schedule (every minute).

   

3. Open the referenced script and understand it

   cat /usr/bin/cronjob_bandit23.sh
   

   On Bandit it looks like:

   #!/bin/bash
   myname=$(whoami)
   mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
   echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
   cat /etc/bandit_pass/$myname > /tmp/$mytarget
   

   Why? Since it runs as bandit23, it writes /etc/bandit_pass/bandit23 to /tmp/<md5("I am user bandit23")>.

   

4. Compute the exact target and read it

   T=$(echo I am user bandit23 | md5sum | cut -d' ' -f1)
   echo "Target: /tmp/$T"
   cat "/tmp/$T"
   

   Why? This reveals the bandit23 password.

   

5. Copy the password (no trailing spaces/newlines).

6. Log into the next level (bandit23)

   exit
   ssh bandit23@bandit.labs.overthewire.org -p 2220
   # paste the password you just retrieved
   

Password

This is the password from my run; if yours differs, use the one your terminal printed.

0Zf11ioIjMVN551jX3CmStKLYqjk54Ga

Troubleshooting

• File not found yet → Cron runs every minute; wait ≤60s and try again.
• Different path → Your /usr/bin/cronjob_bandit23.sh is the source of truth. It always prints/uses the MD5 target name.
• Permission denied → Rare here; the file is plain text created by the script. If it disappears, wait for the next minute cycle.

Copy-paste quick run (one shot)

cat /etc/cron.d/cronjob_bandit23
cat /usr/bin/cronjob_bandit23.sh
T=$(echo I am user bandit23 | md5sum | cut -d' ' -f1)
cat "/tmp/$T"

Congrats 🎉 You followed another cron job and harvested the next password — welcome to bandit23!

Thanks for reading!

Until next time — Otsumachi!! 💖☄️✨