Nebula – Level07

Its been a long time since I played Nebula. So yesterday, I thought to resume my exploit exercises. In this level, there are two files in the /home/flag07 directory.

level07@nebula:/home/flag07$ ls -al
total 28
drwxr-x---  2 flag07 level07 4096 2011-11-20 20:39 .
drwxr-xr-x 43 root   root    4096 2011-11-20 20:21 ..
-rw-r--r--  1 flag07 flag07   220 2011-05-18 02:54 .bash_logout
-rw-r--r--  1 flag07 flag07  3353 2011-05-18 02:54 .bashrc
-rwxr-xr-x  1 root   root     368 2011-11-20 21:22 index.cgi
-rw-r--r--  1 flag07 flag07   675 2011-05-18 02:54 .profile
-rw-r--r--  1 root   root    3719 2011-11-20 21:22 thttpd.conf

I opened up the index.cgi and thttp.conf files:


use CGI qw{param};
print "Content-type: text/html\n\n";
sub ping {
   $host = $_[0];
   print("<html><head><title>Ping results</title></head><body><pre>");
   @output = `ping -c 3 $host 2>&1`;
   foreach $line (@output) { print "$line"; }
# check if Host set. if not, display normal page, etc
# This file is for thttpd processes created by /etc/init.d/thttpd.
# Commentary is based closely on the thttpd(8) 2.25b manpage, by Jef Poskanzer.

# Specifies an alternate port number to listen on.

# Specifies a directory to chdir() to at startup. This is merely a convenience -
# you could just as easily do a cd in the shell script that invokes the program.

# Do a chroot() at initialization time, restricting file access to the program's
# current directory. If chroot is the compiled-in default (not the case on
# Debian), then nochroot disables it. See thttpd(8) for details.

# Specifies a directory to chdir() to after chrooting. If you're not chrooting,
# you might as well do a single chdir() with the dir option. If you are
# chrooting, this lets you put the web files in a subdirectory of the chroot
# tree, instead of in the top level mixed in with the chroot files.

# Don't do explicit symbolic link checking. Normally, thttpd explicitly expands
# any symbolic links in filenames, to check that the resulting path stays within
# the original document tree. If you want to turn off this check and save some
# CPU time, you can use the nosymlinks option, however this is not
# recommended. Note, though, that if you are using the chroot option, the
# symlink checking is unnecessary and is turned off, so the safe way to save
# those CPU cycles is to use chroot.

# Do el-cheapo virtual hosting. If vhost is the compiled-in default (not the
# case on Debian), then novhost disables it. See thttpd(8) for details.

# Use a global passwd file. This means that every file in the entire document
# tree is protected by the single .htpasswd file at the top of the tree.
# Otherwise the semantics of the .htpasswd file are the same. If this option is
# set but there is no .htpasswd file in the top-level directory, then thttpd
# proceeds as if the option was not set - first looking for a local .htpasswd
# file, and if that doesn't exist either then serving the file without any
# password. If globalpasswd is the compiled-in default (not the case on Debian),
# then noglobalpasswd disables it.

# Specifies what user to switch to after initialization when started as root.

# Specifies a wildcard pattern for CGI programs, for instance "**.cgi" or
# "/cgi-bin/*". See thttpd(8) for details.

# Specifies a file of throttle settings. See thttpd(8) for details.

# Specifies a hostname to bind to, for multihoming. The default is to bind to
# all hostnames supported on the local machine. See thttpd(8) for details.

# Specifies a file for logging. If no logfile option is specified, thttpd logs
# via syslog(). If logfile=/dev/null is specified, thttpd doesn't log at all.

# Specifies a file to write the process-id to. If no file is specified, no
# process-id is written. You can use this file to send signals to thttpd. See
# thttpd(8) for details.

# Specifies the character set to use with text MIME types.

# Specifies a P3P server privacy header to be returned with all responses. See
# for details. Thttpd doesn't do anything at all with the
# string except put it in the P3P: response header.

# Specifies the number of seconds to be used in a "Cache-Control: max-age"
# header to be returned with all responses. An equivalent "Expires" header is
# also generated. The default is no Cache-Control or Expires headers, which is
# just fine for most sites.

I realized that its a cgi perl script and it can be only run using a web browser. The index.cgi script requires a parameter named “Host” and an IP, in-order to pass it as an argument to the ping command. I opened the browser and typed this URL ( is the IP that I’ve assigned to Nebula’s box, 7007 is the port number given in the config file)

If you have noticed the index.cgi file, it allows you to execute multiple commands given as a parameter to the URL ( So I tried with command Host=localhost&&ping -c as a parameter to the URL. But I got this output (it didn’t work :-/)

When I noticed , it is doing URL encoding on any special characters (like space and ‘&’ and not in ‘=’) which I is passed  as parameter to the URL. So I opened up an URL encoder-decoder website and encoded &&ping -c to get something like this %26%26ping%20-c%203%2010.30.8.105. And it worked!!

Now I am able to run multiple commands through the browser with the permissions of flag07 user. So I ran “id” and “getflag” along with this and completed this level.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s