In this challenge, we can see that there’s no code for us to exploit, it’s something in the system. I log in to the system, and look in the /home/flag03 folder, as all the other challenges have started. I see there’s a writable.sh script, which I was guessing was the script getting called on a crontab every couple minutes.
1 2 3 4 5 6
So this script looks like it will execute anything in the writable.d folder that we put in there. And after some tinkering, I can see that it’s running it as the flag03 user that we want to escalate to.
My first thoughts were to create a bash script like previous challenges, and have it get created with SUID permissions. However this didn’t work, because apparently bash ignores the SUID bit, for security reasons. I then read up on using perl, but couldn’t get it to work, due to perl’s built in protection. Lastly, I settled on just good old C/C++. I spent forever messing around with this, because I was always setting the uid, but never the euid. When I forgot that, it would run bash, but I’d be the same user. I created this source file, and saved it to /tmp/level03.c
1 2 3 4 5 6 7 8 9 10 11 12
NOTE: The “996” is the userid and groupid for flag03. I found this by just doing
Now that I have a source file, I need to get the flag03 user to compile it, and mark it SUID, so that when it runs, it works as the user specified. I did it by using the following command:
This will create a bash script to get picked up by the cron job. It first compiles the /tmp/level03.c code file and outputs the binary to /home/flag03/level03. Afterwards it sets the permissions to allow executing (and more technically) as well as SUID. After this command, I had to wait a couple minutes for it to get picked up by the cron job, but then I ran it, and got access to flag03.
1 2 3