Exploit-Exercises Nebula level03
Check the home directory of flag03 and take note of the files there.
There is a crontab that is called every couple of minutes.
To do this level, log in as the level03 account with the password level03. Files for this level can be found in /home/flag03.
In the /home/flag03 directory, we can find one shell script and a subdirectory.
The script simply deletes every item in the /home/flag03/writable.d directory when called by the cron job.
#!/bin/sh
for i in /home/flag03/writable.d/* ; do
(ulimit -t 5; bash -x "$i")
rm -f "$i"
done
The bash -x call made this script vulnerable (-x only turns on command tracing; bash still runs the file). It will execute $i, which holds our script to trigger the getflag.
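A hardened variant of the loop above, as an added example (not code from the original post or from Nebula): it runs a file only if the file and its directory are owned by a trusted account and are not group- or world-writable, and it skips symlinks. The function names and the trusted-owner argument are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: ownership/permission gate for a cron-driven script runner.
# Function names and the "owner" argument are hypothetical, not from the page.

# Succeeds if <path> has type <f|d>, is owned by <owner>, and is neither
# group- nor world-writable. find does not follow a symlink start point,
# so a symlink never matches -type f or -type d.
owned_and_locked() {  # usage: owned_and_locked <f|d> <path> <owner>
    [ -n "$(find "$2" -prune -type "$1" -user "$3" \
              ! -perm -020 ! -perm -002 -print 2>/dev/null)" ]
}

# A script is trusted only if its directory is locked down too; otherwise
# another account could drop or swap files between the check and the run.
is_trusted_script() {  # usage: is_trusted_script <file> <owner>
    owned_and_locked d "$(dirname "$1")" "$2" &&
        owned_and_locked f "$1" "$2"
}

# Same loop shape as the cron script on the page, but untrusted entries are
# reported and left alone instead of being executed.
run_dir() {  # usage: run_dir <dir> <owner>
    for i in "$1"/*; do
        [ -e "$i" ] || [ -L "$i" ] || continue   # empty directory: nothing to do
        if is_trusted_script "$i" "$2"; then
            echo "RUN  $i"
            (ulimit -t 5; sh "$i")
        else
            echo "SKIP $i"
        fi
    done
}
```

With this gate, a directory like writable.d would be rejected as a whole, because it is writable by accounts other than the trusted owner.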