Skip navigation

In order to learn more about the above topic, I’ve been working my way through the Nebula challenge VM found here:

The VM comes packaged as a small linux installation with multiple accounts corresponding to levels. To progress from one level to the next, you need to find a way to exploit some program that runs with the permissions of the next user up, and steal their flag, although all levels are available from the beginning, I can only assume that they’re ordered by intended difficulty. On the off chance anyone actually reads this, I don’t want to include spoilers, but I do intend to document what I have learned.

1) Pay attention to environment variables

In two of the challenges so far, the solution was in the environment variables. In one, the privileged program was running a stock application, but by changing the PATH variable, it was possible to substitute your own booby trapped application for the legitimate one. You could then cause the privileged user to execute your own code.

Another challenge was more direct, calling system() on a string containing an environment variable. If that variable were, for example, to be set to “;/bin/bash;” … Needless to say, this all falls back to one of the golden rules: DON’T TRUST USER INPUT.

2) Pay attention to file/folder permissions

If you keep anything sensitive in your home folder or a subdirectory (*cough* ssh keys *cough*) you need to be pretty sure nobody who should not have access to that file actually does. If they can get your ssh keys, they have a much better shot at logging in as you. You ARE using a strong passphrase, yes?

In fact, none (so far) of these exploits would have been possible if other users’ home directories were off limits.


More thoughts to come as I progress further through the challenges.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: