Nebula Level 05

Level 05 instructions

About
Check the flag05 home directory. You are looking for weak directory permissions.

To do this level, log in as the level05 account with the password level05. Files for this level can be found in /home/flag05.

Source code
There is no source code available for this level.


Nebula Level 04

Level 04 instructions

About
This level requires you to read the token file, but the code restricts the files that can be read. Find a way to bypass it :)

To do this level, log in as the level04 account with the password level04. Files for this level can be found in /home/flag04.

Source code
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
#include <fcntl.h>
#include <err.h>   /* declares err(), used below */

int main(int argc, char **argv, char **envp)
{
  char buf[1024];
  int fd, rc;

  if(argc == 1) {
      printf("%s [file to read]\n", argv[0]);
      exit(EXIT_FAILURE);
  }

  if(strstr(argv[1], "token") != NULL) {
      printf("You may not access '%s'\n", argv[1]);
      exit(EXIT_FAILURE);
  }

  fd = open(argv[1], O_RDONLY);
  if(fd == -1) {
      err(EXIT_FAILURE, "Unable to open %s", argv[1]);
  }

  rc = read(fd, buf, sizeof(buf));
  
  if(rc == -1) {
      err(EXIT_FAILURE, "Unable to read fd %d", fd);
  }

  write(1, buf, rc);
}


x86 Stack Conventions

In an attempt to get a more solid understanding of assembly for reverse engineering and exploit development, I started watching the OpenSecurity Introductory Intel x86: Architecture, Assembly, Applications, & Alliteration training videos found here. Day 1 Part 1 had a great explanation of how programs interact with the stack when functions are called. I just wanted to write up a summary here to solidify my understanding and have an easy reference for later.

Nebula Level 03

Level 03 instructions

About
Check the home directory of flag03 and take note of the files there.

There is a crontab that is called every couple of minutes.

To do this level, log in as the level03 account with the password level03. Files for this level can be found in /home/flag03.


Nebula Level 02

Level 02 instructions

About
There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?

To do this level, log in as the level02 account with the password level02. Files for this level can be found in /home/flag02.

Source code
#define _GNU_SOURCE   /* glibc: exposes asprintf(), setresgid(), setresuid() */
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
  char *buffer;

  gid_t gid;
  uid_t uid;

  gid = getegid();
  uid = geteuid();

  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

  buffer = NULL;

  asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
  printf("about to call system(\"%s\")\n", buffer);
  
  system(buffer);
}


Nebula Level 01

Level 01 instructions

About
There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?

To do this level, log in as the level01 account with the password level01. Files for this level can be found in /home/flag01.

Source code
#define _GNU_SOURCE   /* glibc: exposes setresgid(), setresuid() */
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
  gid_t gid;
  uid_t uid;
  gid = getegid();
  uid = geteuid();

  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

  system("/usr/bin/env echo and now what?");
}


Nebula Level 00

I’m going to start with the Nebula live CD from exploit-exercises.com. These challenges have been around for a while, so I’m sure there are a million write-ups on how to complete them. I haven’t read any of them and I’ve never attempted the challenges before, so I am going in blind.

Where to begin…

I am going to start out by diving into reverse engineering and memory corruption exploits. I have done some work with Intel x86 assembly in the past, especially when working through my Offensive Security certifications. However, my experience has 90% been in 32-bit Windows exploit development with Olly Debug and other similar tools. I want to focus more on Linux tools and reverse engineering type challenges. My plan is to start with some of the challenges on exploit-exercises.com while studying gdb, radare, and ida. I am also starting this book, Practical Reverse Engineering. I expect a lot of the book's topics to be over my head at first, and I’ll need to branch off to brush up on different topics.

As I complete challenges and learn new tools, I’ll be posting walkthroughs and notes here for reference. I may also take breaks from the assembly topics so I can complete vulnhub.com challenges for fun.