Exploit Exercises Nebula 5: Level 09 Write Up

Exploit Exercises Nebula 5: Level 09 Write Up

Level: https://exploit-exercises.com/nebula/level09/ There’s a C setuid wrapper for some vulnerable PHP code… To do this level, log in as the level09 account with the password level09. Files for this level can be found in /home/flag09. Using the e modifier is dangerous and has been removed as of PHP 7.0.0. It allows PHP code in the second argument. There is a $useme parameter which might come in handy. So what happens is you pass it a file and it looks for…

Read More Read More

Exploit Exercises Nebula 5: Level 08 Write Up

Exploit Exercises Nebula 5: Level 08 Write Up

Level: https://exploit-exercises.com/nebula/level08/ World readable files strike again. Check what that user was up to, and use it to log into flag08 account. To do this level, log in as the level08 account with the password level08. Files for this level can be found in /home/flag08. What’s that capture.pcap? Lets load that in Wireshark. Lets open our Kali VM. Open capture.pcap in Wireshark. Right click on the first entry, mouse over Follow and click on TCP Stream. This shows us some…

Read More Read More

Exploit Exercises Nebula 5: Level 07 Write Up

Exploit Exercises Nebula 5: Level 07 Write Up

Level: https://exploit-exercises.com/nebula/level07/ The flag07 user was writing their very first perl program that allowed them to ping hosts to see if they were reachable from the web server. To do this level, log in as the level07 account with the password level07. Files for this level can be found in /home/flag07. … The program allows command injection via ?Host= Lets set it to localhost; getflag But how do we run it? There is a thttpd.conf in that directory, can we…

Read More Read More

Exploit Exercises Nebula 5: Level 06 Write Up

Exploit Exercises Nebula 5: Level 06 Write Up

Level: https://exploit-exercises.com/nebula/level06/ The flag06 account credentials came from a legacy unix system. To do this level, log in as the level06 account with the password level06. Files for this level can be found in /home/flag06. Gives us flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh Now fire up Kali because we need to use John the Ripper flag06:hello:993:993::/home/flag06:/bin/sh Our password is hello Back on the Nebula system: You have successfully executed getflag on a target account.

Exploit Exercises Nebula 5: Level 05 Write Up

Exploit Exercises Nebula 5: Level 05 Write Up

Level: https://exploit-exercises.com/nebula/level04/ Check the flag05 home directory. You are looking for weak directory permissions To do this level, log in as the level05 account with the password level05. Files for this level can be found in /home/flag05. You have successfully executed getflag on a target account.