Exploit-Exercises Nebula level03wargames
Check the home directory of
flag03and take note of the files there.
There is a crontab that is called every couple of minutes.
To do this level, log in as the
level03account with the password
level03. Files for this level can be found in
/home/flag03 directory, we can find one shell script and a sub directory.
The script simply deletes every item in the
/home/flag03/writable.d directory when called by the cron job.
#!/bin/sh for i in /home/flag03/writable.d/* ; do (ulimit -t 5; bash -x "$i") rm -f "$i" done
bash -x made this script vulnerable. It will execute
$i, which holds our script to trigger the getflag.