Exploit-Exercises Nebula level03
wargames

Check the home directory of flag03 and take note of the files there.
There is a crontab that is called every couple of minutes.
To do this level, log in as the level03 account with the password level03. Files for this level can be found in /home/flag03.

In the /home/flag03 directory, we can find one shell script and a subdirectory.
When called by the cron job, the script loops over every item in the /home/flag03/writable.d directory, runs it, and then deletes it.

    #!/bin/sh
    for i in /home/flag03/writable.d/* ; do
        (ulimit -t 5; bash -x "$i")
        rm -f "$i"
    done

The bash -x "$i" call is what makes this script vulnerable. The -x option only turns on command tracing; bash still executes $i, which holds our script to trigger getflag, with the privileges of the account the cron job runs as (flag03).
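A hardened form of the cron runner, as an added example that is not part of the original write-up: it refuses to run anything from a directory or file that accounts other than the job owner can write to. The function names are hypothetical, and it assumes a stat that supports -c (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example: hardened variant of the level03 cron runner.
# trusted_path and run_dropins are hypothetical names; assumes `stat -c`.

# trusted_path PATH UID: succeeds only if PATH is owned by UID and is
# not writable by group or others.
trusted_path() {
    local path=$1 uid=$2 owner mode
    owner=$(stat -c '%u' -- "$path") || return 1
    mode=$(stat -c '%a' -- "$path") || return 1
    [ "$owner" = "$uid" ] || return 1
    # The leading 0 makes the shell read the mode as an octal constant.
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# run_dropins DIR UID: run each job in DIR only when DIR and the job both
# pass trusted_path. Prints one "refused:", "skipped:", "ran:" or
# "failed:" line per decision.
run_dropins() {
    local dir=$1 uid=$2 f
    if ! trusted_path "$dir" "$uid"; then
        echo "refused:$dir"
        return 1
    fi
    for f in "$dir"/*; do
        # Nothing matched the glob: leave quietly.
        [ -e "$f" ] || [ -L "$f" ] || continue
        # Regular files only: no symlinks, directories or devices.
        if [ -L "$f" ] || [ ! -f "$f" ] || ! trusted_path "$f" "$uid"; then
            echo "skipped:$f"
            continue
        fi
        # Same CPU limit as the page's script; sh here instead of bash -x.
        if (ulimit -t 5; sh "$f") >/dev/null 2>&1; then
            echo "ran:$f"
        else
            echo "failed:$f"
        fi
    done
}
```

Called as `run_dropins /home/flag03/writable.d "$(id -u)"` from the cron job, this refuses the directory outright while it remains writable by other accounts.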