blog.ferling.eu by Benedikt Ferling


 

exploit-exercises.com/nebula -- Level 03

Problem

  1. Usage of lazy permissions!

This level uses a workflow to do some work. Within this workflow, a cron job runs every couple of minutes and executes every script inside a world-writable folder. Any script placed in that folder by any user will eventually be executed with the rights of flag03.

Exploit

There is a file called writable.sh and a directory called writable.d inside the directory /home/flag03.

As one can see, the script iterates over every file in the folder /home/flag03/writable.d and executes it. ulimit -t 5 limits each execution to 5 seconds of CPU time. Create a file foo inside that directory:

echo 'getflag >/tmp/flag03' > /home/flag03/writable.d/foo

Wait until the file has been executed and look for the flag:

while [[ ! -f /tmp/flag03 ]] ; do echo -n . ; sleep 1 ; done ; echo 'win!!!'
cat /tmp/flag03

Lesson / How to fix

  1. Use restrictive permissions!

In this workflow any user may supply a script that is eventually executed in the name of flag03. One should always know who is involved in a workflow and what these persons/entities can do.

In order to secure this level, use restrictive permissions! I repeat, as this is really important! Do not use default permit, i.e. letting everybody do anything in the name of flag03 (in this case)!

chmod 0750 /home/flag03/writable.d
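
The runner can also enforce the same rule itself instead of trusting the directory mode to stay correct. The following is an added example, not code from the original post or from the Nebula level: a cron runner that executes nothing unless the drop directory and each script are owned by the expected user and are not writable by group or others. The function names and the owner argument are assumptions.

```shell
#!/bin/sh
# Added example, not the level's writable.sh. Function names and the OWNER
# argument (user name or numeric uid) are assumptions for illustration.

# dir_is_safe DIR OWNER
# True only if DIR is a real directory (not a symlink), owned by OWNER,
# and not writable by group or others.
dir_is_safe() {
    [ -n "$(find "$1" -prune -type d -user "$2" \
            ! -perm -0020 ! -perm -0002 2>/dev/null)" ]
}

# trusted_scripts DIR OWNER
# Prints regular files directly inside DIR that are owned by OWNER and not
# writable by group or others. find does not follow symlinks by default,
# so a symlink dropped into DIR is never listed.
trusted_scripts() {
    find "$1/." ! -name . -prune -type f -user "$2" \
        ! -perm -0020 ! -perm -0002 2>/dev/null
}

# run_dropdir DIR OWNER
# Runs nothing at all if DIR fails the check. Otherwise runs each trusted
# script under the 5-second CPU limit described in the post.
# Assumes file names without newlines.
run_dropdir() {
    if ! dir_is_safe "$1" "$2"; then
        echo "refusing to run: $1 has an unexpected owner or mode" >&2
        return 1
    fi
    trusted_scripts "$1" "$2" | while IFS= read -r script; do
        (ulimit -t 5; sh "$script")
    done
}
```

Called from cron as run_dropdir /home/flag03/writable.d flag03, this fails closed: if the directory ever becomes world-writable again, no script runs and the refusal is written to stderr.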
