Check the home directory of flag03 and take note of the files there. There is a crontab that is called every couple of minutes. Files for this level can be found in /home/flag03.
First, let’s check the home directory of our target
Ok we have an empty directory with full access and a shell script who looks like this:
for i in /home/flag03/writable.d/* ; do
(ulimit -t 5; bash -x "$i")
rm -f "$i"
It looks simple: it tries to execute each file in
writable.d directory then delete them.
We don’t care about ulimit here,
it’s just used to prevent cpu overloading from malicious script (each process will be killed after 5scd).
Note that there is no check about the owner of this famous files.
So we can write a little script which will execute the
getflag command et output the result in a text file:
getflag > /tmp/output
Put it in the
Wait a minute for the cron et voila!
Note: this his the easy way. Another solution would be to copy a shell somewhere with the suid bit, but Nebula seems to be patched to disallow suid shell so you have to write a program in another language like C.