Solved.tips

Level: https://exploit-exercises.com/nebula/level09/ There’s a C setuid wrapper for some vulnerable PHP code… To do this level, log in as the level09 account with the password level09. Files for this level can be found in /home/flag09. Using the e modifier is dangerous and has been removed as of PHP 7.0.0. It allows PHP code in the second argument. There is a $useme parameter which might come in handy. So what happens is you pass it a file and it looks for…

Read More Read More

Level: https://exploit-exercises.com/nebula/level08/ World readable files strike again. Check what that user was up to, and use it to log into flag08 account. To do this level, log in as the level08 account with the password level08. Files for this level can be found in /home/flag08. What’s that capture.pcap? Lets load that in Wireshark. Lets open our Kali VM. Open capture.pcap in Wireshark. Right click on the first entry, mouse over Follow and click on TCP Stream. This shows us some…

Read More Read More

Level: https://exploit-exercises.com/nebula/level07/ The flag07 user was writing their very first perl program that allowed them to ping hosts to see if they were reachable from the web server. To do this level, log in as the level07 account with the password level07. Files for this level can be found in /home/flag07. … The program allows command injection via ?Host= Lets set it to localhost; getflag But how do we run it? There is a thttpd.conf in that directory, can we…

Read More Read More

Level: https://exploit-exercises.com/nebula/level06/ The flag06 account credentials came from a legacy unix system. To do this level, log in as the level06 account with the password level06. Files for this level can be found in /home/flag06. Gives us flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh Now fire up Kali because we need to use John the Ripper flag06:hello:993:993::/home/flag06:/bin/sh Our password is hello Back on the Nebula system: You have successfully executed getflag on a target account.

Level: https://exploit-exercises.com/nebula/level04/ Check the flag05 home directory. You are looking for weak directory permissions To do this level, log in as the level05 account with the password level05. Files for this level can be found in /home/flag05. You have successfully executed getflag on a target account.

Level: https://exploit-exercises.com/nebula/level04/ This level requires you to read the token file, but the code restricts the files that can be read. Find a way to bypass it :) To do this level, log in as the level04 account with the password level04. Files for this level can be found in /home/flag04. We can bypass this check by creating a symbolic link. And you’ll see the token in the output.

Level: https://exploit-exercises.com/nebula/level03/ Check the home directory of flag03 and take note of the files there. There is a crontab that is called every couple of minutes. To do this level, log in as the level03 account with the password level03. Files for this level can be found in /home/flag03. writeable.sh executes bash -x for every file in writeable.d writeable.d is world writeable so place our own file. Wait for a bit than run cat /home/flag03/flag to make sure getflag ran….

Read More Read More

Level: https://exploit-exercises.com/nebula/level02/ There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it? To do this level, log in as the level02 account with the password level02. Files for this level can be found in /home/flag02. `c++ asprintf(&buffer, “/bin/echo %s is cool”, getenv(“USER”)); //command injection printf(“about to call system(\”%s\”)\n”, buffer); system(buffer); You have successfully executed getflag on a target account.

Level: https://exploit-exercises.com/nebula/level01/ There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it? To do this level, log in as the level01 account with the password level01. Files for this level can be found in /home/flag01. /home/flag01/flag01 has the setuid bit set so it will run as the owner (flag01). `c++ system(“/usr/bin/env echo and now what?”); You have successfully executed getflag on a target account.

Start: https://exploit-exercises.com/nebula/ Level: https://exploit-exercises.com/nebula/level00/ Download: https://exploit-exercises.com/download/ SHA256: da2e6ba445b630fd07f0bb0d2866491fc898f0429d9d380e1ebbf24f3e407d3f I used Linux/Ubuntu setting in VMWare. This level requires you to find a Set User ID program that will run as the “flag00” account. You have successfully executed getflag on a target account. -rwsr-x— The s indicates setuid.