Information gathering is the first and the most important step of a penetration test. The more information you gather, the easier the exploitation will be.

Developed by Christian Martorella, theHarvester is very useful for this task. It's a Python script that helps you find user emails and subdomains of a given domain by merely parsing search engine results. The following data sources are supported:

  • bing
  • google, googleCSE, googleplus, google-profiles
  • jigsaw
  • linkedin
  • people123
  • pgp
  • shodan
  • twitter

theHarvester is installed by default on Kali Linux. Basic usage is: theharvester -d <domain> -b <source>

...

Check the home directory of flag03 and take note of the files there. There is a crontab that is called every couple of minutes. Files for this level can be found in /home/flag03.

First, let’s check the home directory of our target flag03:

Exploit Exercises Nebula Level03

OK, we have an empty directory with full access and a shell script that looks like this:

#!/bin/sh
# Runs every script dropped into the writable directory, then deletes it.
# The directory is writable by us, and the cron job runs as flag03.
for i in /home/flag03/writable.d/* ; do
  (ulimit -t 5; bash -x "$i")   # 5 seconds of CPU time per script
  rm -f "$i"
done
...

According to the OWASP Top 10, Cross-Site Scripting, aka XSS, takes 3rd place in the list of the most common and important web vulnerabilities. Its primary goal is to hijack the session of another user by stealing their session cookie, usually a privileged user like an admin. You can train XSS in Damn Vulnerable Web Application; here are some tests you can perform.

Low

<?php
if( !array_key_exists ("name", $_GET) || $_GET['name'] == NULL || $_GET['name'] == '' ) {
  $isempty = true;
} else {
  $html .= '<pre>';
  // The user-controlled "name" parameter is echoed into the page as-is:
  // no output encoding, so any HTML or script it contains is rendered.
  $html .= 'Hello ' . $_GET['name'];
  $html .= '</pre>';
}
?>

This code outputs the name parameter without any filtering or encoding, so it is very vulnerable to XSS!

...

There are a lot of browser extensions developed by the community; here are my favorites.

Firefox

All of the following extensions can be found in the HackerFox suite.

  • Calomel SSL Validation: validates the security grade of the SSL connection. The button changes color depending on the strength of the encryption.
  • Firebug: Firebug is the best addon ever. Used by web developers to edit, debug, and monitor CSS, HTML, and JavaScript live in any web page.
  • HackBar: perfect for testing SQL injections. Easy to use, with options like encoding (base64, url, hex) and hashing (md5, sha-256, rot13). You can also alter POST data and your referer.
  • HttpFox: displays information about the request: headers, cookies, POST data, timing and so on…
...

There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it? Files for this level can be found in /home/flag02.

#define _GNU_SOURCE   /* needed for asprintf() on glibc */
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
  char *buffer;

  gid_t gid;
  uid_t uid;

  /* Make the effective (setuid) ids the real ids as well, so the
   * child spawned by system() keeps flag02's privileges. */
  gid = getegid();
  uid = geteuid();

  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

  buffer = NULL;

  /* USER comes straight from the environment and is pasted into a
   * command line that system() hands to /bin/sh. */
  asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
  printf("about to call system(\"%s\")\n", buffer);

  system(buffer);
  return 0;
}

As in the previous level, we have a setuid executable, owned by our target flag02, that uses the environment variable USER to print a super cool message.
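For comparison, here is how the same message could be printed without going through /bin/sh, as an added example that is not Nebula's own code: the USER value is handed to /bin/echo as a single argv element, so whatever it contains is plain data rather than shell syntax. The function name and the pipe-based output capture are my own choices for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Run "/bin/echo <user> is cool" with execv (no shell) and capture stdout
 * into out. Returns the number of bytes captured, or -1 on error. */
ssize_t echo_is_cool(const char *user, char *out, size_t outlen)
{
    int fd[2];
    if (user == NULL || outlen == 0 || pipe(fd) < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]);
        close(fd[1]);
        /* Each argument is passed verbatim; nothing parses the string. */
        char *const argv[] = { "/bin/echo", (char *)user, "is", "cool", NULL };
        execv(argv[0], argv);
        _exit(127);
    }
    close(fd[1]);
    size_t total = 0;
    ssize_t n;
    while (total < outlen - 1 &&
           (n = read(fd[0], out + total, outlen - 1 - total)) > 0)
        total += (size_t)n;
    out[total] = '\0';
    close(fd[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return (ssize_t)total;
}

int main(void)
{
    char line[256];
    /* A USER such as "$HOME; id" is printed literally here, while the
     * original system() version would have let /bin/sh interpret it. */
    if (echo_is_cool(getenv("USER"), line, sizeof line) < 0)
        return 1;
    fputs(line, stdout);
    return 0;
}
```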

...