Exploit-Exercises Nebula level03

Check the home directory of flag03 and take note of the files there.

There is a crontab that is called every couple of minutes.

To do this level, log in as the level03 account with the password level03. Files for this level can be found in /home/flag03.

This is an image

In the /home/flag03 directory, we can find one shell script and a sub directory.
The script simply deletes every item in the /home/flag03/writable.d directory when called by the cron job.


for i in /home/flag03/writable.d/* ; do
    (ulimit -t 5; bash -x "$i")
    rm -f "$i"

The debugger bash -x made this script vulnerable. It will execute $i, which holds our script to trigger the getflag.