Exploit Exercises Nebula — level03

Check the home directory of flag03 and take note of the files there.

There is a crontab that is called every couple of minutes.

To do this level, log in as the level03 account with the password level03 . Files for this level can be found in /home/flag03.

Listing of the /home/flag03 looks like this:

$ ls
writable.d/ writeable.sh

After reading writeable.sh you’ll know that it basically executes any file within writeable.d/ with ulimit -t 5 limitation and then removes it.

The first thing that popped to my mind is to just try execute /bin/getflag but that didn’t work (technically it worked but you need to redirect your output).

However the easiest way to get the flag here is to write a little C wrapper for executing /bin/getflag and set SUID bit on the binary. (The way SUID works, basically, is that it lets the user run programs with the privileges of the owner of a file; So here the owner is the process that actually compiled it and SUID let us run it).

Source code of the wrapper:

#include <stdio.h>
#include <stdlib.h>

int main(void)
{
system("/bin/getflag");
return 0;
}

Next I created the file under writeable.d/ directory called foobar with following line gcc /tmp/getflag.c -o getflag && chmod +s getflag and waited couple of minutes for cron to do its job. After that you just need to run /home/flag03/getflag. Boom goes the dynamite.