[vulnerability 1] The crontab is executed in a every few minutes. I checked that the level03 account has no relationship with the crontab. I guess that it is crontab activities of the other account such as flag03 or root.
[vulnerability 2] Permission of the writable.d directory is set so that all users can access.
[vulnerability 3] The Writable.sh executes all the files in /home/falg03/writable.d/ directory.