Exploit Exercices, Nebula – level03

Check the home directory of flag03 and take note of the files there. There is a crontab that is called every couple of minutes. Files for this level can be found in /home/flag03.

First, let’s check the home directory of our target flag03:

Exploit Exercises Nebula Level03

Ok we have an empty directory with full access and a shell script who looks like this:

for i in /home/flag03/writable.d/* ; do
  (ulimit -t 5; bash -x "$i")
  rm -f "$i"

It looks simple: it tries to execute each file in writable.d directory then delete them. We don’t care about ulimit here, it’s just used to prevent cpu overloading from malicious script (each process will be killed after 5scd). Note that there is no check about the owner of this famous files.

So we can write a little script which will execute the getflag command et output the result in a text file:

getflag > /tmp/output

Put it in the writable.d directory:

Exploit Exercises Nebula Level03

Wait a minute for the cron et voila!

Exploit Exercises Nebula Level03

Note: this his the easy way. Another solution would be to copy a shell somewhere with the suid bit, but Nebula seems to be patched to disallow suid shell so you have to write a program in another language like C.