Level03 is no longer about vulnerable SUID programs like the previous exercises, but about permissions. Because I just learned about SUID programs in the last challenges, I’ll create my own in order to solve this exercise.
What you’ll need to know…
- Cron jobs
- C/Bash programming
- Basic Unix commands
Level03
In this challenge, we are told that there is a cron job running every couple of minutes. If you navigate to the flag03 folder, you’ll notice a file, writable.sh, which has some interesting code.
I find the code pretty straightforward, except for the ulimit and bash -x commands. Basically, ulimit limits the CPU time the process may use to 5 seconds, and the bash command executes every single file/program in the writable.d folder. After this, all the content of this folder is erased. One very important point is that all the files inside the writable.d folder are run as the flag03 user account.
So the first thing that comes to my mind is to place a script there which will give me a shell.
So I wrote a simple script in order to get a shell.
In this script I’m basically creating a C program, the one responsible for giving me a shell, and after that I just give full permissions to the file, compile it and set the SUID bit.
Notice that I could have written the C program in a different file, avoiding this long and confusing script. But this way I get to practice my shell scripting skills (practice makes perfect, right? 🙂 ).
After you write your script, just copy it to the writable.d folder and the cron job will execute it.
Now you just need to wait a “couple of minutes” and then you’ll see the writable.d folder empty and a new file at /home/flag03.
Notice that moveaxme is a SUID program. Now let’s execute it and see the final result.
Challenges completed: 4/20
Mitigation
Running everything in a folder blindly??? C’mon…
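One way to avoid running a folder's contents blindly, as an added example that is not part of the original post or the level's writable.sh: the runner executes a drop-in only if it is a regular file owned by the expected account, not group- or world-writable, and sits in a directory with the same guarantees. The function names are hypothetical and GNU coreutils `stat -c` is assumed.

```shell
#!/bin/sh
# Added example (not the level's writable.sh): vet drop-in scripts before a
# cron job runs them. Assumes GNU coreutils `stat -c`; names are hypothetical.

# Succeeds (0) if the path has the group- or world-write bit set.
writable_by_others() {
    mode=$(stat -c %a -- "$1") || return 0   # cannot stat: treat as unsafe
    [ $(( 0$mode & 022 )) -ne 0 ]            # 020 = group write, 002 = other write
}

# Succeeds (0) only if FILE is a regular, non-symlink file owned by OWNER_UID,
# not writable by group/other, in a directory owned by OWNER_UID or root that
# is not writable by group/other either (so nobody else can swap the file).
safe_to_run() {
    file=$1 owner_uid=$2
    parent=$(dirname -- "$file")
    [ -f "$file" ] && [ ! -L "$file" ] || return 1
    [ "$(stat -c %u -- "$file")" = "$owner_uid" ] || return 1
    if writable_by_others "$file"; then return 1; fi
    parent_uid=$(stat -c %u -- "$parent") || return 1
    [ "$parent_uid" = "$owner_uid" ] || [ "$parent_uid" = 0 ] || return 1
    if writable_by_others "$parent"; then return 1; fi
    return 0
}

# Run every vetted script in DIR with the same 5-second CPU limit, report and
# skip the rest, and print how many scripts were executed.
run_dropins() {
    dropin_dir=$1 owner_uid=$2 ran=0
    for f in "$dropin_dir"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue      # glob matched nothing
        if safe_to_run "$f" "$owner_uid"; then
            ( ulimit -t 5; sh "$f" ) >/dev/null 2>&1 || true
            ran=$((ran + 1))
        else
            echo "skipping untrusted drop-in: $f" >&2
        fi
    done
    echo "$ran"
}

# Typical cron use (placeholder path):
#   run_dropins /path/to/writable.d "$(id -u)"
```

With these checks in place, a file dropped by another account is reported and skipped instead of being executed as the job's user.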
Walkthrough
https://youtube.com/watch?v=hxjN-xASoaw%3Fstart%3D230%26feature%3Doembed