⏰ OverTheWire Bandit Level 22: Understanding Cron Jobs and Scheduled Tasks

Level 22 introduces cron jobs—Linux's time-based job scheduler. This level teaches you how automated tasks work, how to read cron configurations, and how scheduled processes can be exploited for privilege escalation.

Level 22 teaches you:

• What cron jobs are and how they work
• Reading cron configuration files
• Understanding scheduled task execution
• Finding and analyzing automated processes
• How cron jobs can be security vectors

If you've made it this far, you understand file operations, permissions, setuid binaries, and network programming. Now you're learning about automation—how Linux systems run tasks automatically, and how understanding this can help you find privilege escalation opportunities.

---

🎯 The Objective

After logging into bandit21, your goal is to find the password for Level 22. A program is running automatically at regular intervals from cron (the time-based job scheduler). You need to look in /etc/cron.d/ for the configuration and see what command is being executed.

What Level 22 teaches:

• Understanding cron jobs
• Reading cron configuration files
• Finding scheduled tasks
• Analyzing automated processes
• How cron jobs can write to accessible files

The challenge: Find the cron job configuration, understand what it's doing, and locate where it's writing the password.

---

🔍 Understanding the Problem

Let's start by connecting to Level 21 and exploring:

sshpass -p `cat bandit21` ssh bandit21@bandit.labs.overthewire.org -p 2220

Once connected, let's check what's in the home directory:

ls -la

The problem: There's a cron job running that executes a command periodically. This command likely writes the password somewhere you can read it. You need to find the cron configuration to understand what's happening.

---

🧠 What Is Cron? Understanding Scheduled Tasks

Here's what's happening: Cron is Linux's time-based job scheduler that runs commands automatically at specified times.

How Cron Works

Cron (from "chronos," meaning time) is a daemon that runs in the background and executes scheduled tasks. It reads configuration files to know when and what to run.

Why cron exists:

• Automate repetitive tasks
• Schedule maintenance jobs
• Run backups automatically
• Clean up temporary files
• Execute scripts on a schedule

Common cron use cases:

• Daily backups at 2 AM
• Weekly log rotation
• Hourly system health checks
• Periodic cleanup tasks

Cron Configuration Locations

Cron jobs can be configured in several places:

1. /etc/crontab — System-wide crontab file
2. /etc/cron.d/ — Directory for additional cron files
3. /var/spool/cron/crontabs/ — User-specific crontabs
4. /etc/cron.hourly/, /etc/cron.daily/, etc. — Script directories

In Level 22: We're looking in /etc/cron.d/ for cron configuration files.

Understanding Cron Syntax

A cron entry has this format:

* * * * * command
│ │ │ │ │
│ │ │ │ └─── Day of week (0-7, 0 or 7 = Sunday)
│ │ │ └───── Month (1-12)
│ │ └─────── Day of month (1-31)
│ └───────── Hour (0-23)
└─────────── Minute (0-59)

Examples:

• 0 2 * * * — Every day at 2:00 AM
• */5 * * * * — Every 5 minutes
• 0 0 1 * * — First day of every month at midnight
• * * * * * — Every minute

---

📋 Step-by-Step Walkthrough

Step 1: Connect to Level 21

sshpass -p `cat bandit21` ssh bandit21@bandit.labs.overthewire.org -p 2220

Step 2: Navigate to the Cron Directory

The objective tells us to look in /etc/cron.d/:

cd /etc/cron.d/

Step 3: List Cron Configuration Files

ls -la

You should see several cron configuration files. Look for one that has "22" in the name (for bandit22).

What you'll see:

-rw-r--r-- 1 root root  120 Jan 16 12:00 cronjob_bandit22
-rw-r--r-- 1 root root  120 Jan 16 12:00 cronjob_bandit23
...

Step 4: Read the Cron Configuration

Let's read the cron file for bandit22:

cat cronjob_bandit22

What you'll see:

* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null

Breaking this down:

• * * * * * — Runs every minute
• bandit22 — Runs as user bandit22
• /usr/bin/cronjob_bandit22.sh — The script being executed
• &> /dev/null — Redirects output to null (discards it)

Step 5: Read the Script Being Executed

Now let's read the actual script:

cat /usr/bin/cronjob_bandit22.sh

What you'll see:

#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7nvs
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7nvs

Breaking this down:

• chmod 644 — Sets file permissions (readable by all)
• /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7nvs — A temporary file
• cat /etc/bandit_pass/bandit22 — Reads the password
• > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7nvs — Writes it to the temp file

The key: The script runs as bandit22, so it can read /etc/bandit_pass/bandit22. It then writes that password to a temp file that you can read!

Step 6: Read the Password File

The script writes the password to /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7nvs. Let's read it:

cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7nvs

What you'll see: The password for Level 22!

Why this works: The cron job runs as bandit22, which has permission to read the password file. It writes the password to a temp file with permissions that allow you to read it.

Step 7: Save the Password

Copy the password and save it:

On Linux/macOS:

echo "PASSWORD_HERE" > bandit22

On Windows (PowerShell):

"PASSWORD_HERE" | Out-File -FilePath bandit22 -NoNewline

Step 8: Connect to Level 22

sshpass -p `cat bandit22` ssh bandit22@bandit.labs.overthewire.org -p 2220

---

💡 Understanding Cron Jobs in Depth

Let's dive deeper into how cron works and why it matters:

Cron Job Components

A cron job consists of:

1. Schedule — When to run (the five asterisks)
2. User — Who runs it (optional, defaults to root)
3. Command — What to execute
4. Output handling — Where output goes

Example breakdown:

* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
│ │ │ │ │   │       │                              │
│ │ │ │ │   │       │                              └─ Discard output
│ │ │ │ │   │       └─ Script to execute
│ │ │ │ │   └─ Run as user bandit22
│ │ │ │ └─ Every day of week
│ │ │ └─ Every month
│ │ └─ Every day
│ └─ Every hour
└─ Every minute

Common Cron Patterns

Every minute:

* * * * * command

Every hour (at minute 0):

0 * * * * command

Every day at 2 AM:

0 2 * * * command

Every Monday at 9 AM:

0 9 * * 1 command

Every 5 minutes:

*/5 * * * * command

Cron Security Considerations

Cron jobs can be security risks:

Why they're dangerous:

• Run with elevated privileges (often as root or specific users)
• Execute automatically without user interaction
• Can be exploited if misconfigured
• May write to world-readable files
• Can execute scripts with vulnerabilities

Common issues:

• World-writable scripts
• Scripts in world-writable directories
• Permissive file permissions
• Scripts that can be modified by attackers
• Cron jobs that write sensitive data to accessible locations

---

🔒 Real-World Context

Why does this matter in penetration testing?

Cron jobs are a common privilege escalation vector. Here's how you'd approach this in a real assessment:

1. Finding Cron Jobs

During a penetration test, you'd look for cron jobs:

# System-wide cron jobs
cat /etc/crontab
ls -la /etc/cron.d/

# User-specific cron jobs
crontab -l                    # Current user
crontab -l -u username        # Specific user
ls -la /var/spool/cron/crontabs/

# Script directories
ls -la /etc/cron.hourly/
ls -la /etc/cron.daily/
ls -la /etc/cron.weekly/
ls -la /etc/cron.monthly/

Why: Cron jobs often run with elevated privileges and can be exploited.

2. Analyzing Cron Jobs

Once you find cron jobs, analyze them:

• What user runs it? — Root? Another privileged user?
• What does it execute? — Scripts? Commands?
• Where does it write? — World-readable files?
• Can you modify it? — World-writable scripts?
• What permissions does it set? — Does it create accessible files?

3. Common Cron Exploitation Techniques

World-writable scripts:

# If a cron job runs a script you can write to
echo "malicious code" > /path/to/script.sh
# Wait for cron to execute it

Path manipulation:

# If cron uses relative paths
export PATH=/tmp:$PATH
# Create malicious binary in /tmp

File permissions:

# If cron writes to world-readable files
# Just read the file (like Level 22)
cat /tmp/sensitive_file

Symlink attacks:

# If cron writes to predictable locations
ln -s /etc/passwd /tmp/predictable_name
# Wait for cron to overwrite /etc/passwd

4. Real-World Examples

Historical vulnerabilities:

• Cron jobs running scripts in world-writable directories
• Cron jobs writing sensitive data to temp files
• Cron jobs executing user-controlled input
• Cron jobs with path vulnerabilities

The skill you're learning: How to find and analyze automated processes. This is essential for:

• Privilege escalation
• Understanding system automation
• Finding security misconfigurations
• Exploiting scheduled tasks

---

🛠️ Alternative Methods

Here are different ways to approach Level 22:

Method 1: Direct File Reading (Recommended)

cd /etc/cron.d/
cat cronjob_bandit22
cat /usr/bin/cronjob_bandit22.sh
cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7nvs

Pros: Simple, direct, works immediately Cons: None really

Method 2: Using find to Locate Scripts

find /etc/cron.d -name "*22*" -exec cat {} \;
find /usr/bin -name "*bandit22*" -exec cat {} \;

Pros: Finds files automatically Cons: More complex, might find multiple files

Method 3: Monitoring the Temp Directory

# Watch the temp directory
watch -n 1 'ls -la /tmp/ | grep t7O6lds9S0RqQh9aMcz6ShpAoZKF7nvs'
# Then read it when it appears

Pros: Confirms the file is being created Cons: Unnecessary, file already exists

For Level 22, use Method 1 — it's the most straightforward.

---

🚨 Common Mistakes

Mistake 1: Not Reading the Cron File

Wrong: Assuming you need to wait for the cron job to run.

Right: Read the cron configuration to understand what it's doing.

Why: The cron job has already run (it runs every minute), so the file likely already exists. Even if it hasn't, reading the configuration tells you where to look.

Mistake 2: Not Understanding the Script

Wrong: Just reading the cron file without reading the script it executes.

Right: Read both the cron configuration and the script it runs.

Why: The cron file tells you what script runs, but the script tells you what it actually does (where it writes the password).

Mistake 3: Looking in the Wrong Directory

Wrong: Looking in /etc/crontab instead of /etc/cron.d/.

Right: Check /etc/cron.d/ as the objective specifies.

Why: Different systems use different locations. The objective tells you where to look.

Mistake 4: Not Checking File Permissions

Wrong: Assuming you can't read the temp file.

Right: Check permissions with ls -la and try reading it.

Why: The script sets permissions to 644, which means readable by all. Always check permissions before assuming you can't access something.

Mistake 5: Overthinking It

Wrong thinking: "I need to modify the cron job or wait for it to run."

Reality: The cron job has already written the password to a file you can read. Just read the file.

Solution: Follow the steps: read cron config → read script → read output file.

---

💻 Practice Exercise

Try these to reinforce what you learned:

1. List all cron jobs:

   cat /etc/crontab
   ls -la /etc/cron.d/
   

2. Check your own cron jobs:

   crontab -l
   

3. Understand cron syntax:

   # What does this mean?
   # 0 2 * * * /usr/bin/backup.sh
   # */15 * * * * /usr/bin/check.sh
   

4. Find scripts executed by cron:

   grep -r "cron" /etc/cron.d/ | grep -v "^#"
   

---

🎓 Understanding System Automation

This level introduces system automation concepts:

What Is System Automation?

System automation is the practice of running tasks automatically without manual intervention. In Linux, this is primarily done through:

• Cron — Time-based scheduling
• Systemd timers — Modern alternative to cron
• at — One-time scheduled tasks
• anacron — For systems that aren't always on

Why Automation Matters

Understanding automation is essential for:

• System administration
• Security auditing
• Privilege escalation
• Finding misconfigurations
• Understanding system behavior

The skill you're learning: How to find and analyze automated processes. This is fundamental for:

• Penetration testing
• System security
• Privilege escalation
• Security auditing

---

🔗 What's Next?

Level 23 will likely introduce another system concept or build on cron jobs. You'll continue building on the concepts you've learned about automation, file permissions, and privilege escalation.

Before moving on, make sure you:

• ✅ Understand what cron jobs are
• ✅ Know how to read cron configuration files
• ✅ Can find and analyze scheduled tasks
• ✅ Understand how cron jobs can be security vectors
• ✅ Know where to look for cron configurations

---

📚 Key Takeaways

After completing Level 22, you should understand:

1. Cron jobs — Time-based scheduled tasks
2. Cron syntax — How to read cron schedules
3. Cron locations — Where to find cron configurations
4. Security implications — How cron jobs can be exploited
5. Real-world application — How to find and analyze automated processes

---

🎯 Quick Reference

Concept	Explanation	Example
Cron	Time-based job scheduler	Runs commands automatically
Cron syntax	Five fields for schedule	* * * * * command
/etc/cron.d/	Directory for cron configs	ls /etc/cron.d/
Cron user	Who runs the command	* * * * * user command
Crontab	Cron table file	crontab -l

---

🔍 Advanced: Understanding Cron Internals

If you want to go deeper, here's how cron works:

Cron Daemon

The cron daemon (crond) runs continuously and:

1. Reads cron configuration files
2. Checks the current time
3. Executes commands when their schedule matches
4. Logs execution (usually to syslog)

Cron Execution

When a cron job executes:

1. Cron spawns a child process
2. Sets up environment variables
3. Runs the command as the specified user
4. Captures output (if not redirected)
5. Logs the execution

Security Considerations

Why cron is powerful:

• Runs with specified user privileges
• Executes automatically
• Can access system resources
• Runs even when users aren't logged in

Why cron is dangerous:

• Misconfigurations can lead to privilege escalation
• Scripts can be modified if permissions are wrong
• Output can leak sensitive information
• Can be used for persistence

---

Questions about Level 22, cron jobs, or scheduled tasks? Reach out directly:

• Email: m1k3@msquarellc.net
• Phone: (559) 670-3159
• Schedule: Book a free consultation

---

M Square LLC
Cybersecurity | Penetration Testing | No-Nonsense Advice