First, go to the flag03 directory and check the files there.
There is a shell script file and a directory. The shell script looks suspicious, so let's open it.
The script shows that writable.sh executes every script file in the writable.d directory with the Bash shell and removes it after 5 seconds. The script appears to be executed repeatedly.
Let's get crontab to create an executable file with the SetUID permission. This file will execute a Bash shell.
We need a binary executable because the SetUID permission has no effect on a shell script.
Ash (Attack shell) makes crontab compile the source code and set the SetUID permission.
And create Asw (Attack software) to be compiled, as below.
Set the real UID, effective UID, and saved set-user-ID to flag03's UID. This function only works if the special SetUID permission is set.
I was just curious, so I inserted the whoami command to check the effective UID.
Finally, it attempts to change the authority by running /bin/bash.
Put the created shell script in the writable.d directory.
A few minutes later, we can see that the Ash file is gone.
And the Asw file has been created. flag03 is the owner, and the SetUID permission is set on it.
If the Asw file is executed, we can see that a shell with flag03's privileges is started.
Clear level03 with the getflag command.
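The root cause of this level is a scheduled job that runs whatever any user drops into writable.d. The following is an added example, not part of the original write-up or the level's own script: a drop-directory runner that refuses to run anything when the directory is group- or world-writable, and skips files not owned by the expected account. The function names `dir_is_locked` and `run_trusted` are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper names): hardened runner for a
# cron-driven drop directory such as writable.d.

# dir_is_locked DIR: succeeds only if DIR is a directory that neither
# group nor others can write to (characters 6 and 9 of the mode string).
dir_is_locked() {
    perms=$(ls -ld -- "$1" 2>/dev/null | cut -c1-10)
    case "$perms" in
        d????-??-?) return 0 ;;
        *)          return 1 ;;
    esac
}

# run_trusted DIR OWNER: run regular files in DIR that are owned by OWNER
# (user name or numeric uid) and are not world-writable; skip the rest.
run_trusted() {
    dir=$1
    owner=$2
    if ! dir_is_locked "$dir"; then
        echo "refuse: $dir is group/world-writable or not a directory"
        return 1
    fi
    for f in "$dir"/*; do
        # Ignore symlinks, subdirectories and an unmatched glob.
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        if [ -n "$(find "$f" -maxdepth 0 -user "$owner" ! -perm -002)" ]; then
            echo "run: $f"
            sh "$f"
        else
            echo "skip: $f (not owned by $owner, or world-writable)"
        fi
    done
    return 0
}
```

A cron entry would call `run_trusted /path/to/dropdir owneraccount` in place of a loop that runs every file it finds.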