Level05 introduces automated task execution vulnerabilities through cron jobs and script exploitation. This challenge demonstrates how scheduled scripts that process files from world-writable directories can be exploited to execute arbitrary commands with elevated privileges. The level emphasizes understanding cron jobs, script behavior analysis, and exploiting predictable automated processes.
Upon logging into the system, I was greeted with an interesting message:
You have new mail.
This notification suggested that the system's mail functionality contained information relevant to this level. I checked the mail file:
cat /var/mail/level05The mail contained a cron job configuration:
*/2 * * * * su -c "sh /usr/sbin/openarenaserver" - flag05
This line revealed critical information about an automated process. Let me explain the cron syntax:
*/2in the minute field means "every 2 minutes"* * * *for hour, day of month, month, and day of week means "every hour, every day"su -c "sh /usr/sbin/openarenaserver" - flag05executes the script/usr/sbin/openarenaserveras the flag05 user
This cron job automatically runs a script called openarenaserver every 2 minutes with flag05's privileges. This was the key to exploiting this level - I needed to understand what this script does and how I could leverage it.
Based on the mail information, I knew to look for /usr/sbin/openarenaserver. To confirm its existence and find any related files, I searched the system:
grep -R "openarenaserver" /etc /opt /usr /var 2>/dev/nullThe search confirmed the script's location and also revealed the mail entries I had already found. I examined the script's contents:
cat /usr/sbin/openarenaserverThe script contained:
#!/bin/sh
for i in /opt/openarenaserver/* ; do
(ulimit -t 5; bash -x "$i")
rm -f "$i"
doneI verified the script's ownership and permissions:
ls -la /usr/sbin/openarenaserverOutput:
-rwxr-x--- 1 flag05 flag05 94 Mar 5 2016 /usr/sbin/openarenaserver
The script was owned by flag05, confirming it runs with flag05's privileges. Let me break down what the script does:
for i in /opt/openarenaserver/* ; do- Iterates through all files in the/opt/openarenaserver/directory(ulimit -t 5; bash -x "$i")- Executes each file as a bash script with a 5-second CPU time limitulimit -t 5restricts CPU time to prevent infinite loopsbash -x "$i"executes the file with the-xflag for debugging output
rm -f "$i"- Deletes the file after execution
The script essentially functions as an automated task runner that processes and executes any files placed in /opt/openarenaserver/, then removes them.
The combination of the cron job and the script's behavior created a significant vulnerability:
- The cron job runs every 2 minutes as flag05
- The script executes any files in
/opt/openarenaserver/with flag05's privileges - Files are automatically deleted after execution, covering some traces
- If I can place a malicious script in
/opt/openarenaserver/, it will be executed with elevated privileges
This is a classic example of an insecure automated task execution system. The script processes files from a directory without validating their contents or origin, and the predictable execution schedule makes exploitation straightforward.
To exploit this vulnerability, I needed to create a script that would execute getflag and save the output to a location where I had read access. The /tmp directory is world-writable and perfect for this purpose.
I created the exploit script:
#!/bin/bash
getflag > /tmp/flagThis simple script does the following:
- Executes
getflagwhich will run with flag05's privileges - Redirects the output (the flag) to
/tmp/flag - Creates the output file with permissions allowing me to read it
I saved this script to /opt/openarenaserver/ with executable permissions so the script was now in place, waiting for the next cron job execution.
After waiting approximately 2 minutes for the cron job to execute, I retrieved the flag. Since /tmp doesn't allow directory listing by default, I accessed the file directly:
cat /tmp/flagThe flag was successfully retrieved: viuaaale9huek52boumoomioc
The exploit worked because:
- The cron job ran as scheduled
- The openarenaserver script executed my malicious script with flag05's privileges
getflagran successfully and wrote the flag to/tmp/flag- My script was automatically deleted by the openarenaserver script
- The output file remained accessible for me to read
Level05 demonstrated the security risks associated with automated processes that execute files from predictable locations. This vulnerability pattern is particularly dangerous because it combines several security weaknesses:
- Information disclosure - The system mail revealed the cron job configuration, making the attack path obvious
- Scheduled execution with elevated privileges - The cron job runs as flag05
- Predictable behavior - The script executes every 2 minutes like clockwork
- World-writable directory processing - Any user can place files in
/opt/openarenaserver/ - No input validation - The script executes files without checking their contents or origin
- Automatic cleanup - File deletion can help attackers cover their tracks
The "You have new mail" message proved to be the critical starting point, leading directly to discovering the cron job configuration. This type of vulnerability is common in production environments where automated processes need to handle user-submitted jobs or tasks. The key lesson is that any directory processed by an automated system with elevated privileges must have strict access controls, and the processing script should validate and sanitize inputs before execution.
Modern systems should implement proper job queuing mechanisms with authentication, authorization, and input validation rather than relying on simple file-based task execution from shared directories.
Flag: viuaaale9huek52boumoomioc
Next Level: Level06