Check the home directory of flag03 and take note of the files there.
There is a crontab that is called every couple of minutes.
To do this level, log in as the level03 account with the password level03 . Files for this level can be found in /home/flag03.
Listing of the
/home/flag03 looks like this:
writeable.sh you’ll know that it basically executes any file within
ulimit -t 5 limitation and then removes it.
The first thing that popped to my mind is to just try execute
/bin/getflag but that didn’t work (technically it worked but you need to redirect your output).
However the easiest way to get the flag here is to write a little C wrapper for executing
/bin/getflag and set SUID bit on the binary. (The way SUID works, basically, is that it lets the user run programs with the privileges of the owner of a file; So here the owner is the process that actually compiled it and SUID let us run it).
Source code of the wrapper:
Next I created the file under
writeable.d/ directory called
foobar with following line
gcc /tmp/getflag.c -o getflag && chmod +s getflag and waited couple of minutes for
cron to do its job. After that you just need to run
/home/flag03/getflag. Boom goes the dynamite.