01/17/2016 (Note some images failed during import, some images reconstructed)
Exploit Exercises Nebula Solutions
The Nebula system teaches the basics of common *Nix attacks. These basic attacks, common misconfigurations, are an excellent way to teach us to think like an attacker. By developing this mindset, thinking outside the box and knowing what issues to look for, we can are off on the right foot.
This page contains the solutions to the Nebula problem set. These solutions should only be looked at after a thorough set of research has been conducted. Login will use LevelXX where XX is the level with the same password.
Problem: This level requires you to find a Set User ID program that will run as the “flag00” account. You could also find this by carefully looking in top level directories in / for suspicious looking directories.
Alternatively, look at the find man page.
Solution:
Clearly we need to find this program somewhere in the system. We can start by looking at the man page of find, or we can google for a solution to find suid programs in linux. Part of being a good security researcher, software developer or anyone in IT is developing your google FU (or duck duck go, like myself).
The first link shows to find files in linux, we can use find / -perms +4000 running this shows tons of access denied errors. So clearly we need to develop our Linux commands, so look for an example where we can filter these out. In Linux we can direct stderr to something like dev/null. find / -perm +4000 2>/dev/null
This still produces a significant amount of output. Piping it to more, using | more, the first items looks like a good candidate because it contains flag00. What can you do to reduce this even farther?
Level01: Here we have a vulnerable C program. Let’s review the code.
int main(int argc, char **argv, char **envp)
{
gid_t gid;
uid_t uid;
gid = getegid();
uid = geteuid();
setresgid(gid, gid, gid); // run man setresgid
setresuid(uid, uid, uid); // run man setresuid
system("/usr/bin/env echo and now what?");
}Anytime we have a function, we can use man pages to find details about it. *Tip: man -k searchItem can be used to search the man pages. So man -k gid_t does not return anything. Run man on setresgid. So these functions set the effective user/group id.
*Tip: If you are new to the C language, build this program, and insert print statements to figure out more in depth what can be done here. Use program gcc, man gcc, to figure out how to compile.
Running the program, we get just basic “And now what?”
Now, notice the system call. Notice the /usr/bin/env. In the command line, type which echo to see which echo we call.
So what is the issue here? It looks like the env is calling echo? How do we find out what env is? First we can run man env. This does not show much information, however at the bottom of the man page we see we can find additional info? So running the command shows what information and how can we use this new found info?
What does running this show? What can we gather from the displayed data? We can see paths here, and since our gathered info shows that we manipulate these paths, could this allow us to run a different echo? To reduce the data we see with env, we can run echo $PATH how can we add to it? Can we set a path in our current working directory or to /tmp?
Let’s created a simple echo program in c and use system to our advantage. Adding /tmp to our path. Now running the flag01, our prompt immediately returns. Now run getflag and we have escalated.
Level02: This program gives us source code and tells us to find a vulnerability.
int main(int argc, char **argv, char **envp)
{
char *buffer;
/* removed for space see above program */
buffer = NULL;
asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
printf("about to call system(\"%s\")\n", buffer);
system(buffer);
}Section of code removed for space savings.
Auditing the code, we see a buffer that is set to null. A new function called asprintf (see man page), a new getenv() function, a printf function and a system function.
First run the program. Try to pass input.
From the above we can see that getenv is returning level02 and that is coming from an environment variable. Those are user controlled. Vulnerabilities typically come out from following user controller input. We can see that the string “/bin/echo XXX is cool” is called. This is directly executed.
How can more than one command be executed on the command line? Open the terminal and run /bin/echo. What ends a command and what can be put here to execute say, ls?
After playing on the terminal and figuring how that commands can be changed. Used what was learned in Level01 to adjust your USER variable.
Many real world exploits come from the fact that a user can control input. This command injection vulnerability has been exploited many times in the wild.
Level03: The Flag03 directory has a shell script and a directory. Attempting to run ./flag03 sayd the directory is empty.
The code looks to loop for each file in the directory, perform some commands and delete the files. Any command you do not understand should be explored in a console after reviewing the man page. *Note new *nix users, rm is remove!
Moving into the directory and running ls -la, we see no files. But note the green coloring? What does this indicate? So the directory is somehow writable by us. But how and even if we can put files in there what would one do?
Copy the script to your home directory or /tmp and test this example with your own folder. Often we test programs like this in our own environment to find solutions and to get a grasp of what is occurring. Or maybe you immediately see the issue?
Running the individual commands in the script produces a basic understanding of what is going on now. The color shows we can write a file to the directory, with the file containing commands. Then running the script, we can hopefully get our flag
Items in the file are executed. Now if we can find flag03 we could execute it and pipe the data to a file viewing it all.
find . -type f -executable -printNothing. There is no flag03 program. Let’s make a simple script and see if we can have writable.sh write a file. Let’s echo abcd into a file.
OK, so now it looks like a crontab is running every few minutes, calling writable.sh. Writable.sh gets all the files in writable.d and executes them. Some how we need to become flag03 user and run getflag()?
So find our user and group id. Write a C program that executes /bin/bash.
Now we make a file as above that compiles our programs and compiles it to flag03 home directory. Running this should run as flag03. Then we call getflag. Will it work?
Level04: From here on out, the “simpler” levels, I will just provide the answer. You will only hurt yourself by cheating.
Problem: Read a file with a password using an application.
Level05: Weak perms.. Split across multiple screen shots.
