Level 15: Strace.

Strace is an important command that will be used through out any *Nix security research.

strace /home/flag15/flag15

Here we can see a number of binaries attempting to be loaded/linked. strace shows a few odd files, but the biggest is libc.so.6. This is the GNU C Library. If a library can some how be linked and called, then in essence we can achieve arbitrary code execution.

If a library could be called, which of the paths would be best to store it? /var/tmp/flag15/

Often developers think that constructors don’t exist in C. Here we see, we can create a shared library with a constructor that is called and executed on link. We also have a finalizer (C# kind of language here, but a destructor if you will).

Here we create the C file and build it as a shared lib.

Now we link and attempt to run the flag program.

No dice yet. From the errors we can see that static files are needed. Recompiling and calling the flag, we still receive an error but system is now called and our code writes the flag 15.

Level 16: Our final level in the Nebula Series. **Note that we will add a number of levels for day one of our workshop to practice with some more advanced priv esc attacks, so please keep this VM.

Level 16 has a perl shell script running on an open port. Looking at the code and the directory, we are going to login, it will check userdb.txt and then tell us if we are in or not. Pretty standard from what we have experienced thus far.

Looking at the code, we see we supply information to the program and where there is user supplied info, there are possible abuse cases.

We connect and we can see supplying just returns a bad request. Now reusing netcat, let’s try to get the index.cgi with parameters.

Now we can pass parameters and begin attacking the cgi file. We know that the username will go through a TOUPPER, converting it to all uppercase. Is there a way around that? 

 @output = `egrep "^$username" /home/flag16/userdb.txt 2>&1`;

So, creating a C program in /tmp we can attempt to execute our prog through username.

Now url encoding our /*/FL16 file and passing in the content type, we can get the program to run and get our flag.

Hope you enjoyed!