Exploit Exercises - Nebula 08

2 minute read Dec 9, 2011 Comments
Challenge 08 is more of a real-world challenge than some of the others have been. It’s also very dear to my heart, getting back to my networking roots. You are instructed simply to check out what the level08 user has been up to. This is fairly easy, since when you login as level08, you see a “capture.pcap” file in their home folder. A pcap file is a standard packet capture file format.

Exploit Exercises - Nebula 07

3 minute read Dec 8, 2011 Comments
This next challenge is a little bit more tricky than some of the previous ones. There’s a lot more code involved, but it’s not too bad. In the flag07 home directory, you’ll find the configuration for a simple http server, thttpd.conf. Inside, you’ll find that it’s running an HTTP server on port 7007 as the flag07 user. This is where the perl script that is provided comes in. #!/usr/bin/perl use CGI qw{param}; print "Content-type: text/html\n\n"; sub ping { $host = $_[0]; print("<html><head><title>Ping results</title></head><body><pre>"); @output = `ping -c 3 $host 2>&1`; foreach $line (@output) { print "$line"; } print("</pre></body></html>"); } # check if Host set.

Exploit Exercises - Nebula 06

2 minute read Dec 7, 2011 Comments
Nebula 06 is a retro challenge. The description of the problem says “The flag06 account credentials came from a legacy unix system.” This instantly made me think to check out the password file, /etc/passwd. Back in “the old days”, unix systems stored their passwords in /etc/passwd. But due to having the passwords where everyone could see them, they ended up moving towards password shadowing, where they stored the actual passwords in /etc/shadow, but kept the same user data in /etc/passwd.

Exploit Exercises - Nebula 05

2 minute read Dec 6, 2011 Comments
So going forward to the Nebula 05, we now have to find some sort of weak permissions somewhere to escalate from level05 to flag05. In searching through the flag05 home directory, I saw a “.backup” folder containing a copy of the user’s old ssh keys. I extracted the archive to the level05 user’s directory, so they could be used. level05@nebula:/home/flag05$ cd .backup level05@nebula:/home/flag05/.backup$ tar -xzvf backup-19072011.tgz -C /home/level05 .ssh/ .ssh/id_rsa.pub .

Exploit Exercises - Nebula 04

2 minute read Dec 5, 2011 Comments
I really like Nebula 04, because it is really easy, but still a commonly missed thing in programming. The object of this challenge is to find a vulnerability and exploit this C++ program. #include <stdlib.h> #include <unistd.h> #include <string.h> #include <sys/types.h> #include <stdio.h> #include <fcntl.h> int main(int argc, char **argv, char **envp) { char buf[1024]; int fd, rc; if(argc == 1) { printf("%s [file to read]\n", argv[0]); exit(EXIT_FAILURE); } if(strstr(argv[1], "token") !

Exploit Exercises - Nebula 03

2 minute read Dec 4, 2011 Comments
In this challenge, we can see that there’s no code for us to exploit, it’s something in the system. I log in to the system, and look in the /home/flag03 folder, as all the other challenges have started. I see there’s a writable.sh script, which I was guessing was the script getting called on a crontab every couple minutes. It contained: #!/bin/sh for i in /home/flag03/writable.d/* ; do (ulimit -t 5; bash -x "$i") rm -f "$i" done So this script looks like it will execute anything in the writable.

Exploit Exercises - Nebula 02

2 minute read Dec 3, 2011 Comments
In this challenge, we’re again provided with the source code to the vulnerable program. Only this time, they’re not loading the “echo” program from the environment’s path. #include <stdlib.h> #include <unistd.h> #include <string.h> #include <sys/types.h> #include <stdio.h> int main(int argc, char **argv, char **envp) { char *buffer; gid_t gid; uid_t uid; gid = getegid(); uid = geteuid(); setresgid(gid, gid, gid); setresuid(uid, uid, uid); buffer = NULL; asprintf(&buffer, "/bin/echo %s is cool", getenv("USER")); printf("about to call system(\"%s\")\n", buffer); system(buffer); } What I did initially notice here, is that the “USER” variable is being called directly from the environment.

Exploit Exercises - Nebula 01

2 minute read Dec 2, 2011 Comments
Continuing from my previous post, I started tinkering with the next Nebula wargame: Nebula 01. This one gives you some C code, which has a bug in it. You have to exploit that bug. #include <stdlib.h> #include <stdlib.h> #include <unistd.h> #include <string.h> #include <sys/types.h> #include <stdio.h> int main(int argc, char **argv, char **envp) { gid_t gid; uid_t uid; gid = getegid(); uid = geteuid(); setresgid(gid, gid, gid); setresuid(uid, uid, uid); system("/usr/bin/env echo and now what?

Exploit Exercises - Nebula 00

2 minute read Dec 1, 2011 Comments
Recently, I’ve been getting more and more back into computer security, one of my favorite topics. Part of this is research, and part is more practical, such as wargames or labs. One newer wargame that I’ve been playing is called “Nebula”, from the guys over at Exploit-Exercises. If you’re interested in security, please check out their site, as well as many other wargames. If this goes successfully, perhaps I’ll start going through my notes of otherwargames, publishing them as well.
Page 6 of 6 3 4 5 6