Nebula - Exploit Exercises
NOTE:
- Nebula is an Ubuntu-based Linux operating system.
- Nebula is a vulnerable system in which the filesystem has been altered to make it vulnerable to exploits.
- These vulnerabilities make it possible to teach, by proof of concept, how program and system vulnerabilities can be leveraged.
- The overall goal is to teach secure programming as well as an understanding of file permissions, authentication and authorization.
Blog Abstract
- In this blog post you will learn about
2. How to convert a bash script to an executable
3. How to create bash scripts for running docker images.
4. A brief on Linux file permissions with a focus on the Set Owner ID (SUID bit) and how it can be used to compromise authentication and authorization.
5. Finally, you'll learn the best practices to use in order to find and patch such security loopholes in your *nix system.
Nebula Level00 Logins
username: level00
password: level00
Working directory = /home/flag00
Nebula Level00 Problem Description
This trial is more of a game of hide and seek. You are expected to find mischievous directories within the root of the Linux file system (beginning from the forward slash '/').
Once you find the hidden path, proceed to locate and execute the file that has the binary flag (+s) set.
Nebula Level00 Hint
There exist 2 such binary files.
Binary executable file to search for is called flag00 and is owned by the user flag00.
To locate files with the SUID bit set use the following:
find / -type f -perm /4000 2>/dev/null
-type selects the kind of item to search for: "f" for a file or "d" for a directory.
In this case we are searching for a file, hence the use of 'f'.
The '2>/dev/null' part filters out the permission denied errors raised while scanning for files; these errors are written to the standard error stream, which is file descriptor 2.
File permissions Cheat Sheet:
ABCD
A - sums to 6 with 4 being the suid bit and 2 being the sticky bit
    6000 - has both the suid and sticky bit set
    4000 - has the suid bit set
    2000 - has the sticky bit set
B {owner} - sums to 7 with 4 being read, 3 being write and 1 being the execute bit
    0700 - owner has read write and execute permissions
    0400 - owner has only read permission
    0300 - owner has only write permission
    0500 - owner has write and execute permissions.
C {owner's group} - sums to 7 with 4 being read, 3 being write and 1 being the execute bit
D {other system users} - sums to 7 with 4 being read, 3 being write and 1 being the execute bit
Nebula Level00 Concepts to Understand
Nebula SUID permissions
SUID - stands for set user ID.
The SUID bit allows a script [on Solaris systems] or a binary executable to gain temporary elevated privileges for the lifetime of its execution.
How to install docker
Example: After installing docker, the first hitch you'll experience is the inability to execute docker images, since they require sudo or root permissions. A sample command call is the following:
docker run hello-world
You are faced with the following error:
docker: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.35/containers/create: dial unix /var/run/docker.sock: connect: permission denied. See 'docker run --help'.
The sample below demonstrates the docker daemon socket permission denied error. The demo shows a call to a script that converts an asciinema recording to a GIF file for display on web pages.
How to fix docker: Got permission denied issue
All of the above is a sample scenario where we can apply Linux SUID permissions.
This is because of the following condition:
- You must either be within the docker group or run the docker object as the sudo or root user.
This is an example where setting the SUID bit fits perfectly, because the current user must invoke a docker image as the sudo or root user, or else they are met with a "permission denied" error during execution.
But before we get too far ahead of ourselves, there are a few things to NOTE:
- Most Linux systems, including Ubuntu, totally ignore the SUID bit on shell scripts, therefore we must convert our scripts to executables.
- To be able to set the SUID bit we'll have to generate a binary file from our bash script using shc, or we might as well write a C program that supports setting of the SUID bit. The latter is what you'll discover is more prominent on Nebula levels.
To understand more about file permissions, check out this video on YouTube.
Setting the SUID bit allows a script or a binary executable to gain temporary elevated privileges for the lifetime of its execution.
A script that executes the hello-world docker image would be the perfect candidate to showcase how we can utilize the SUID bit.
For this we will create the shell script that will execute our hello-world docker image. Furthermore, we will set the SUID to that of the root user so that we are not met with the permission denied error.
Steps:
Download, compile and install shc
Write our script
Nebula Level00 Solution
level00@nebula$ find / -type f -perm /4000 2>/dev/null
level00@nebula$ /bin/.../flag00
level00@nebula$ getflag
Nebula Level00 Mitigation and Lessons
In most cases, when systems have been compromised, the command and control centers that are managed by aggressors hide startup malware in hidden directories. In the Linux file system, all directories whose names are preceded by a period (.) are hidden.
They are hidden in the sense that they can't easily be listed by file managers unless you enable "Show hidden file extensions".
On *nix systems some covert directory naming conventions you might find are the following:
user@ubuntu$ mkdir "..."
The "..." is a valid directory name, and on creation the command below returns a successful exit status.
"." - is invalid because the operating system identifies it as the current working directory.
".." - is also invalid as *nix systems identify it as a directory just above the current working directory.
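The SUID search from the hints and the hidden-directory lesson above can be combined into one audit. This is an added example, not part of the original post: it lists regular files with the SUID bit set and marks those stored under a dot-prefixed directory such as "...". The function names are assumptions made for illustration.

```python
"""Added example: list SUID files and flag those kept under hidden directories."""
import os
import stat
import sys


def hidden_components(path):
    """Return directory components of path that begin with a dot, e.g. '...'."""
    # normpath resolves "." and "..", which are navigation entries, not names.
    parent = os.path.dirname(os.path.normpath(path))
    return [part for part in parent.split(os.sep)
            if part.startswith(".") and part not in (".", "..")]


def classify(path, mode, uid):
    """Return a finding for a SUID regular file, or None for anything else."""
    if not stat.S_ISREG(mode) or not mode & stat.S_ISUID:
        return None
    hidden = hidden_components(path)
    return {
        "path": path,
        "mode": stat.filemode(mode),  # symbolic form, as shown by ls -l
        "owner_uid": uid,
        "hidden_dirs": hidden,
        "suspicious": bool(hidden),
    }


def audit(root):
    """Walk root like `find ROOT -type f -perm /4000` and classify each hit."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):  # unreadable dirs are skipped
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # unreadable entry, the role 2>/dev/null plays for find
            finding = classify(full, st.st_mode, st.st_uid)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit(sys.argv[1] if len(sys.argv) > 1 else "/"):
        label = "REVIEW" if f["suspicious"] else "ok"
        print(f"{label:6} {f['mode']} uid={f['owner_uid']} {f['path']}")
```

Run it with a starting directory as the only argument; lines marked REVIEW are SUID files whose path passes through a hidden directory.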