Post

Exploit Exercises: Nebula Level 06

Posted
By Lucian Nitescu 3 min read

Image of Nebula Terminal

The flag06 account credentials came from a legacy unix system. To do this level, log in as the level06 account with the password level06. Files for this level can be found in /home/flag06.

Source code

There is no source code available for this level.

Solution

Well this exercises is so easy that I do not know why am I writing it anymore. Our first, and final hint, was: “The flag06 account credentials came from a legacy unix system.” In other words let’s see what we have in /etc/passwd or /etc/shadow.

/etc/shadow:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70

level06@nebula:~$ cat /etc/shadow
cat: /etc/shadow: Permission denied
level06@nebula:~$
Of course, we do not have any kind of permission on /etc/shadow system file.
/etc/passwd:
level06@nebula:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:104::/var/run/dbus:/bin/false
nebula:x:1000:1000:nebula,,,:/home/nebula:/bin/bash
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
level00:x:1001:1001::/home/level00:/bin/sh
flag00:x:999:999::/home/flag00:/bin/sh
level01:x:1002:1002::/home/level01:/bin/sh
flag01:x:998:998::/home/flag01:/bin/sh
level02:x:1003:1003::/home/level02:/bin/sh
flag02:x:997:997::/home/flag02:/bin/sh
level03:x:1004:1004::/home/level03:/bin/sh
flag03:x:996:996::/home/flag03:/bin/sh
level04:x:1005:1005::/home/level04:/bin/sh
flag04:x:995:995::/home/flag04:/bin/sh
level05:x:1006:1006::/home/level05:/bin/sh
flag05:x:994:994::/home/flag05:/bin/sh
level06:x:1007:1007::/home/level06:/bin/sh
flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh
level07:x:1008:1008::/home/level07:/bin/sh
flag07:x:992:992::/home/flag07:/bin/sh
level08:x:1009:1009::/home/level08:/bin/sh
flag08:x:991:991::/home/flag08:/bin/sh
level09:x:1010:1010::/home/level09:/bin/sh
flag09:x:990:990::/home/flag09:/bin/sh
level10:x:1011:1011::/home/level10:/bin/sh
flag10:x:989:989::/home/flag10:/bin/sh
level11:x:1012:1012::/home/level11:/bin/sh
flag11:x:988:988::/home/flag11:/bin/sh
level12:x:1013:1013::/home/level12:/bin/sh
flag12:x:987:987::/home/flag12:/bin/sh
level13:x:1014:1014::/home/level13:/bin/sh
flag13:x:986:986::/home/flag13:/bin/sh
level14:x:1015:1015::/home/level14:/bin/sh
flag14:x:985:985::/home/flag14:/bin/sh
level15:x:1016:1016::/home/level15:/bin/sh
flag15:x:984:984::/home/flag15:/bin/sh
level16:x:1017:1017::/home/level16:/bin/sh
flag16:x:983:983::/home/flag16:/bin/sh
level17:x:1018:1018::/home/level17:/bin/sh
flag17:x:982:982::/home/flag17:/bin/sh
level18:x:1019:1019::/home/level18:/bin/sh
flag18:x:981:981::/home/flag18:/bin/sh
level19:x:1020:1020::/home/level19:/bin/sh
flag19:x:980:980::/home/flag19:/bin/sh
level06@nebula:~$

Jakpot! We got “flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh”, meaning we got the hash of the password of the flag06 account. How we actually retrieve the password of the flag06 account? Simple:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

nli@mysystem:~$ sudo apt install john
Fetched 4.447 kB in 2s (1.649 kB/s)
Selecting previously unselected package john-data.
(Reading database ... 407903 files and directories currently installed.)
Preparing to unpack .../john-data_1.8.0-2_all.deb ...
Unpacking john-data (1.8.0-2) ...
Selecting previously unselected package john.
Preparing to unpack .../john_1.8.0-2_amd64.deb ...
Unpacking john (1.8.0-2) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up john-data (1.8.0-2) ...
Setting up john (1.8.0-2) ...
nli@mysystem:~$ echo 'flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh' > ./flag06.passwd
nli@mysystem:~$ john ./flag06.passwd
Created directory: /home/nli/.john
Loaded 1 password hash (descrypt, traditional crypt(3) [DES 128/128 SSE2-16])
Press 'q' or Ctrl-C to abort, almost any other key for status
hello            (flag06)
1g 0:00:00:00 100% 2/3 33.33g/s 25100p/s 25100c/s 25100C/s 123456..marley
Use the "--show" option to display all of the cracked passwords reliably
Session completed
nli@mysystem:~$

Amazing the password was so strong. It took me 0:00:00:00 seconds to both guess, hash my guessed password and check my hash with the provided hash. As we can see the password is “hello”. For the grand final:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41

level06@nebula:~$ ssh flag06@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is ea:8d:09:1d:f1:69:e6:1e:55:c7:ec:e9:76:a1:37:f0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.

      _   __     __          __
     / | / /__  / /_  __  __/ /___ _
    /  |/ / _ \/ __ \/ / / / / __ `/
   / /|  /  __/ /_/ / /_/ / / /_/ /
  /_/ |_/\___/_.___/\__,_/_/\__,_/

    exploit-exercises.com/nebula


For level descriptions, please see the above URL.

To log in, use the username of "levelXX" and password "levelXX", where
XX is the level number.

Currently there are 20 levels (00 - 19).


flag06@localhost's password:
Welcome to Ubuntu 11.10 (GNU/Linux 3.0.0-12-generic i686)

 * Documentation:  https://help.ubuntu.com/
New release '12.04 LTS' available.
Run 'do-release-upgrade' to upgrade to it.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

flag06@nebula:~$ getflag
You have successfully executed getflag on a target account
flag06@nebula:~$

If you enjoyed this tutorial then share and like!

nebula, writeups
nebula writeups level exploit exercise tutorial solution
This post is licensed under CC BY 4.0 by the author.