Tuesday, August 7, 2012

exploit-exercises walkthrough, nebula level00

exploit-exercises.com has some very cool wargame VMs, on which you can solve security related challenges. In this and the following blog posts, I'm going to walk you through solving all of the challenges, starting with nebula, protostar, and finally fusion.

I'm going to use VMware for running the provided VMs, but if you're comfortable with other virtualization software feel free to use them.
We start by downloading the nebula VM from http://exploit-exercises.com/download.
 VMware might give you a warning regarding some OVA format specifics, just hit "Retry" and you're good to go.

Instead of playing the wargames directly VMware, I like to ssh to the VM from the host. The ssh daemon is already set up on the VM, so you can freely use ssh, but you might want to add the VMs ip to the hosts file, so that you don't have to remember it. Log in as user nebula (password nebula) and get the ip using ifconfig as below:

Then you can add the ip to your hosts file and ssh to the VM.
(If you are using Windows as the host OS, you might want to use PuTTY as your SSH client).

$ echo " nebula" >> /etc/hosts
$ ssh level00@nebula
The authenticity of host 'nebula (' can't be established.
ECDSA key fingerprint is ea:8d:09:1d:f1:69:e6:1e:55:c7:ec:e9:76:a1:37:f0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'nebula,' (ECDSA) to the list of known hosts.

      _   __     __          __
     / | / /__  / /_  __  __/ /___ _
    /  |/ / _ \/ __ \/ / / / / __ `/
   / /|  /  __/ /_/ / /_/ / / /_/ /
  /_/ |_/\___/_.___/\__,_/_/\__,_/


For level descriptions, please see the above URL.

To log in, use the username of "levelXX" and password "levelXX", where
XX is the level number.

Currently there are 20 levels (00 - 19).

level00@nebula's password:
Welcome to Ubuntu 11.10 (GNU/Linux 3.0.0-12-generic i686)

 * Documentation:  https://help.ubuntu.com/
New release '12.04 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Tue Aug  7 05:53:19 2012

Now that you are logged in, let's take a look at the level details: http://exploit-exercises.com/nebula/level00.
 The level requires you to find a SUID binary owned by flag00. Your goal is to impersonate user flag00. An SUID binary is basically a program that when ran, sets the effective UID (EUID) of the process to the owner UID of the binary, as opposed to the user executing the program. This is done for a variety of reasons and you can read more about it in UNIX books or on wikipedia. Generally it represents a security issue if the binary is vulnerable to some attack.

Looking manually for the binary would be tedious. Let's use "find" to find it for us. We want to scan the whole file system, so we will start searching from "/". If you're not familiar with "find", it's a good idea read (or skim through) the man page ("man find"). The binary is owned by user flag00, so we specify "-user flag00", and it has to have the SUID bit set, so we specify the permissions as "-perm -u=s". "2> /dev/null" is for ignoring errors.

level00@nebula:~$ find / -user flag00 -perm -u=s 2> /dev/null
Easy enough, now let's run it.
level00@nebula:~$ /bin/.../flag00
Congrats, now run getflag to get your flag!
flag00@nebula:~$ getflag
You have successfully executed getflag on a target account
w00t! We solved it! :)

~ Dmitry

No comments:

Post a Comment