Exploit Exercises Nebula 5: Level 04 Write Up

Exploit Exercises Nebula 5: Level 04 Write Up

Level: https://exploit-exercises.com/nebula/level04/ This level requires you to read the token file, but the code restricts the files that can be read. Find a way to bypass it :) To do this level, log in as the level04 account with the password level04. Files for this level can be found in /home/flag04. We can bypass this check by creating a symbolic link. And you’ll see the token in the output.

Exploit Exercises Nebula 5: Level 03 Write Up

Exploit Exercises Nebula 5: Level 03 Write Up

Level: https://exploit-exercises.com/nebula/level03/ Check the home directory of flag03 and take note of the files there. There is a crontab that is called every couple of minutes. To do this level, log in as the level03 account with the password level03. Files for this level can be found in /home/flag03. writeable.sh executes bash -x for every file in writeable.d writeable.d is world writeable so place our own file. Wait for a bit than run cat /home/flag03/flag to make sure getflag ran….

Read More Read More

Exploit Exercises Nebula 5: Level 02 Write Up

Exploit Exercises Nebula 5: Level 02 Write Up

Level: https://exploit-exercises.com/nebula/level02/ There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it? To do this level, log in as the level02 account with the password level02. Files for this level can be found in /home/flag02. `c++ asprintf(&buffer, “/bin/echo %s is cool”, getenv(“USER”)); //command injection printf(“about to call system(\”%s\”)\n”, buffer); system(buffer); You have successfully executed getflag on a target account.

Exploit Exercises Nebula 5: Level 01 Write Up

Exploit Exercises Nebula 5: Level 01 Write Up

Level: https://exploit-exercises.com/nebula/level01/ There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it? To do this level, log in as the level01 account with the password level01. Files for this level can be found in /home/flag01. /home/flag01/flag01 has the setuid bit set so it will run as the owner (flag01). `c++ system(“/usr/bin/env echo and now what?”); You have successfully executed getflag on a target account.

Exploit Exercises Nebula 5: Level 00 Write Up

Exploit Exercises Nebula 5: Level 00 Write Up

Start: https://exploit-exercises.com/nebula/ Level: https://exploit-exercises.com/nebula/level00/ Download: https://exploit-exercises.com/download/ SHA256: da2e6ba445b630fd07f0bb0d2866491fc898f0429d9d380e1ebbf24f3e407d3f I used Linux/Ubuntu setting in VMWare. This level requires you to find a Set User ID program that will run as the “flag00” account. You have successfully executed getflag on a target account. -rwsr-x— The s indicates setuid.