Hints for nebula exploit exercises

I would assume that if you're already here looking for this you probably already know about exploit exercises. But if not, go check out the site and specifically the nebula exercise that corresponds to this page.

level00

look at the setuid man page to learn more about it what it does.

Find out how to locate files/executables with a setuid bit

$ find / -perm /u=s -user flag00

work your magic...

level01

know about how linux finds executables and symbolic links

recognize that the program has a vulnerability in the way it envokes echo. use the knowledge from the first step to exploit this knowledge

level02

For this level we can see that the programmer is wise to us changing the bin directory but that they are still pulling in a username which we control...

level03

As it says crontab runs every few minutes; from checking the script in flag03's home directory we can see what's happening just find a way to exploit it

I choose to just create a simple shell script:

[redacted]

but I'm thinking another interesting thing would be to create a setuid program and have the cron update everything so we having lasting permissions as flag03

level04

In this level again, a knowledge of symbolic links is key

level05

This level requires some knowledge of unix file permissions so you can snoop around for juicy looking files. Finally an understanding of how the SSH encryption and connection process works [1]

  1. understanding the ssh encryption and connection process (digitalocean tut)

level06

As said in the description a knowledge of how unix systems stored passwords; once that part is figured out. John the ripper can help with the rest.

level07

To start cd to the flag07 directory and have a look at the files, from there it's possible to find enough information to get started. Now all that's left is to find a way to inject getflag.

Bonus hint:

Make sure to properly URL encode

level08

those pesky file permissions again, just poke around in flag08's home directory to see what juicy files we can get our eyes on.

Bonus hint:

WireShark Analyze > follow > tcp

level09

very interesting, after trying the usual exploits i stumbled across the possibility of doing something like this:

which works! However, after all that time I spent figuring that out it turns out 'flag09 -a' gives you the interactive command line as the flag09 user! Trivial from there...so simple yet for me; so hard to find

level10

interesting, trying various things to solve this one and then... in my home directory there's a file called x. I go ahead and take a look in there and low and behold it seems to be a token. It worked to sign into flag10 but that's not how it was supposed to go...

I'll have to work on finding the real way of exploiting this one

That's all

That's as far as I had time to get so far. I hope that you found these hints helpful without spoiling the fun.

Anything else let me know in the comments below.




Tutorial created by 0x6f0