Heatmiser WiFi thermostat vulnerabilities

Update – if your heating is misbehaving you need to disable port forwarding to port 80 and port 8068. This should simply be the reverse of whatever you did to set port forwarding up. Alternatively, you could disable WiFi entirely by putting in an invalid SSID and password – I believe the thermostats should continue […]

Nebula exploit exercises walkthrough – level12

There is a backdoor process listening on port 50001.

My experience with Lua is minimal at best, but it’s pretty obvious that the hash() function calls a shell command, and allows for command injection. To run getflag is very simple:

And if you want to pass the check for the hash for fun, […]

Nebula exploit exercises walkthrough – level11

The /home/flag11/flag11 binary processes standard input and executes a shell command. There are two ways of completing this level; you may wish to do both.

Now it gets interesting. This is the first bit of code where it isn’t obvious what the intent is from a quick glance. I think I have found three […]

Nebula exploit exercises walkthrough – level10

The setuid binary at /home/flag10/flag10 will upload any file given, as long as it meets the requirements of the access() system call.

I think I can already see the problem. Firstly, we can see that the token file we need to read out is permissioned such that level10 cannot see it:

On […]

Nebula exploit exercises walkthrough – level09

There’s a C setuid wrapper for some vulnerable PHP code…

I’m no PHP expert – this one took me a long time. There are two functions that look dubious there – file_get_contents and preg_replace. Let’s see what it is meant to do. It looks like it reads the file provided as the first argument […]

Nebula exploit exercises walkthrough – level08

World readable files strike again. Check what that user was up to, and use it to log into flag08 account.

A readable pcap file in the flag08 home directory. This is a network capture, so might have some interesting traffic. Now… we can read this on the terminal using tcpdump:

Even when it […]

Nebula exploit exercises walkthrough – level07

The flag07 user was writing their very first perl program that allowed them to ping hosts to see if they were reachable from the web server. The code of the CGI script is provided (and can be viewed in /home/flag07):

“); } # check if Host set. if not, display normal page, etc ping(param(“Host”)); Immediately […]

iSmartAlarm – quick “teardown”

I noticed this post on the alarm forum at DIYnot. It mentions the iSmartAlarm – an alarm I’ve heard nothing about before. Smart tends to mean “connected to the Internet”, which tends to mean “massive attack surface”, so I thought I would have a quick look at the system and what is inside it. The […]