Tuesday, August 7, 2012

exploit-exercises walkthrough, nebula level00

exploit-exercises.com has some very cool wargame VMs, on which you can solve security-related challenges. In this and the following blog posts, I'm going to walk you through solving all of the challenges, starting with nebula, then protostar, and finally fusion.

I'm going to use VMware for running the provided VMs, but if you're comfortable with other virtualization software, feel free to use it.
We start by downloading the nebula VM from http://exploit-exercises.com/download.
VMware might give you a warning regarding some OVA format specifics; just hit "Retry" and you're good to go.

Instead of playing the wargames directly in VMware, I like to ssh to the VM from the host. The ssh daemon is already set up on the VM, so you can freely use ssh, but you might want to add the VM's IP to the hosts file, so that you don't have to remember it. Log in as user nebula (password nebula) and get the IP using ifconfig.


Then you can add the IP to your hosts file (writing to /etc/hosts requires root) and ssh to the VM.
(If you are using Windows as the host OS, you might want to use PuTTY as your SSH client.)

$ sudo sh -c 'echo "192.168.1.59 nebula" >> /etc/hosts'
$ ssh level00@nebula
The authenticity of host 'nebula (192.168.1.59)' can't be established.
ECDSA key fingerprint is ea:8d:09:1d:f1:69:e6:1e:55:c7:ec:e9:76:a1:37:f0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'nebula,192.168.1.59' (ECDSA) to the list of known hosts.

      _   __     __          __
     / | / /__  / /_  __  __/ /___ _
    /  |/ / _ \/ __ \/ / / / / __ `/
   / /|  /  __/ /_/ / /_/ / / /_/ /
  /_/ |_/\___/_.___/\__,_/_/\__,_/

    exploit-exercises.com/nebula


For level descriptions, please see the above URL.

To log in, use the username of "levelXX" and password "levelXX", where
XX is the level number.

Currently there are 20 levels (00 - 19).


level00@nebula's password:
Welcome to Ubuntu 11.10 (GNU/Linux 3.0.0-12-generic i686)

 * Documentation:  https://help.ubuntu.com/
New release '12.04 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Tue Aug  7 05:53:19 2012
level00@nebula:~$

Now that you are logged in, let's take a look at the level details: http://exploit-exercises.com/nebula/level00.
The level requires you to find a SUID binary owned by flag00. Your goal is to impersonate user flag00. An SUID binary is basically a program that, when run, sets the effective UID (EUID) of the process to the UID of the binary's owner, rather than that of the user executing the program. This is done for a variety of reasons and you can read more about it in UNIX books or on Wikipedia. Generally it represents a security issue if the binary is vulnerable to some attack.

Looking manually for the binary would be tedious. Let's use "find" to find it for us. We want to scan the whole file system, so we will start searching from "/". If you're not familiar with "find", it's a good idea to read (or skim through) the man page ("man find"). The binary is owned by user flag00, so we specify "-user flag00", and it has to have the SUID bit set, so we specify the permissions as "-perm -u=s". "2> /dev/null" discards the error messages (mostly "Permission denied") that find prints for directories we cannot read.

level00@nebula:~$ find / -user flag00 -perm -u=s 2> /dev/null
/bin/.../flag00

Easy enough, now let's run it.

level00@nebula:~$ /bin/.../flag00
Congrats, now run getflag to get your flag!
flag00@nebula:~$ getflag
You have successfully executed getflag on a target account

w00t! We solved it! :)
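
The same find predicates turned into an audit you can run on your own machines (an added example, not part of the original walkthrough): it lists every set-UID file under a directory rather than one owner's, and flags files under dot-named directories such as the "..." above, or owned by a non-root account. The function name suid_audit and the flag labels are made up for this example; it assumes GNU find and stat.

```shell
#!/bin/sh
# Added example: inventory set-UID files under a directory and flag the
# ones worth reviewing first. Assumes GNU find and GNU stat (stat -c).

# suid_audit ROOT
# Prints one line per set-UID regular file: "<flag> <owner> <mode> <path>"
#   HIDDEN  - some path component below ROOT starts with "." (e.g. /bin/.../)
#   NONROOT - the file is set-UID to an account other than root
#   OK      - set-UID root in an ordinary location
# Paths containing newlines are not handled.
suid_audit() {
    root=${1:-/}
    # -xdev       stay on one filesystem (skips /proc and network mounts)
    # -type f     regular files only
    # -perm -u=s  set-UID bit is set (equivalent to -perm -4000)
    find "$root" -xdev -type f -perm -u=s \
        -exec stat -c '%U %a %n' {} + 2>/dev/null |
    while read -r owner mode path; do
        # Judge only the part of the path below ROOT, so a dot in ROOT
        # itself does not mark everything as hidden.
        rel=${path#"$root"}
        case "/$rel" in
            */.*) flag=HIDDEN ;;
            *)
                if [ "$owner" = root ]; then
                    flag=OK
                else
                    flag=NONROOT
                fi
                ;;
        esac
        printf '%s %s %s %s\n' "$flag" "$owner" "$mode" "$path"
    done
}

# Typical use (as root, so that no directory is skipped):
#   suid_audit / | grep -v '^OK '
```

Saving the output and diffing it against a later run shows any set-UID file that appeared in between.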

~ Dmitry
