
Nebula Level03: A Newbie’s Approach

Level03 is no longer about vulnerable SUID programs like the previous exercises, but about permissions. Because I just learned about SUID programs in the last challenges, I’ll create my own in order to solve this exercise.

What you’ll need to know…

  • Cron jobs
  • C/Bash programming
  • Basic Unix commands

 

Level03

In this challenge, we are told that there is a cron job running every couple of minutes. If you navigate to the flag03 folder, you’ll notice a file, writable.sh, which has some interesting code.

I find the code pretty straightforward, except for the ulimit and bash -x commands. Basically, ulimit limits the CPU time available to the process to 5 seconds, and bash -x executes every single file/program in the writable.d folder as a script, printing each command as it runs. After this, all the contents of this folder are erased. One very important thing is that all the files inside the writable.d folder will be run as the flag03 user account.

So the first thing that comes to my mind is to place a script there which will give me a shell.

So I wrote a simple script in order to get a shell.

[Image: script]

In this script I’m basically creating a C program, the one responsible for giving me a shell, and after that I just give full permissions to the file, compile it and set the SUID bit.

Notice that I could have written the C program in a different file, avoiding this long and confusing script. But this way I get to practice my shell scripting skills (practice makes perfect, right? 🙂 ).

After you write your script, just copy it to the writable.d folder and the cron job will execute it.

Now you just need to wait a “couple of minutes”, and then you’ll see the writable.d folder empty and a new file at /home/flag03.

[Image: Solution of Level03]

Notice that moveaxme is a SUID program. Now let’s execute it and see the final result.

[Image: result]

Challenges completed: 4/20

 

Mitigation

Running everything in a folder blindly??? C’mon…
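
As an added example (not code from this post or from the Nebula image), here is one way a drop-directory job like this could refuse untrusted input: it runs a file only when both the folder and the file are owned by the expected user and are not writable by group or others. The function names and the usage path are assumptions for illustration.

```shell
#!/bin/sh
# Added example: a cron drop-directory runner that refuses untrusted input.
# The directory path and trusted user shown at the bottom are assumptions.

# is_trusted PATH OWNER
# Succeeds only if PATH is not a symlink, is owned by OWNER, and carries
# no group/other write bit (so only OWNER or root could have changed it).
is_trusted() {
    if [ -L "$1" ]; then
        return 1
    fi
    # -prune stops find from descending, so only PATH itself is tested.
    [ -n "$(find "$1" -prune -user "$2" ! -perm -0020 ! -perm -0002 -print 2>/dev/null)" ]
}

# run_dropdir DIR OWNER
# Runs each regular file in DIR, but only when DIR and the file both pass
# is_trusted. Returns 1 without running anything if DIR itself is unsafe.
run_dropdir() {
    if ! is_trusted "$1" "$2"; then
        echo "refusing $1: wrong owner or writable by group/others" >&2
        return 1
    fi
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if is_trusted "$f" "$2"; then
            # Keep a 5-second CPU cap on each job, as the original job does.
            (ulimit -t 5; sh "$f") || echo "job failed: $f" >&2
        else
            echo "skipping untrusted file: $f" >&2
        fi
    done
    return 0
}

# Example cron usage (hypothetical path and account):
#   run_dropdir /home/flag03/writable.d flag03
```

The directory check is the part that matters most: once other users cannot write to the folder, they cannot add or swap files between the check and the run.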

 
