From Untrained to Novice to Intermediate

My brother took me to the gym for the very first time in the summer of 2014. Ed had been lifting for a few months already to prepare for his ROTP admission. As for myself, “hitting the gym” was an activity that seemed so distant from my lifestyle at the time that it had never even crossed my mind. Thanks to gender dysphoria and bulimia weighing me down hand in hand by my side, I was able to find my rock bottom very quickly.


Exploit Exercises Nebula level10

The setuid binary at /home/flag10/flag10 will upload any file given, as long as it meets the requirements of the access() system call. To do this level, log in as the level10 account with the password level10. Files for this level can be found in /home/flag10.

basic.c

    #include <stdlib.h>
    #include <unistd.h>
    #include <sys/types.h>
    #include <stdio.h>
    #include <fcntl.h>
    #include <errno.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <string.h>

    int main(int argc, char **argv)
    {
      char *file;
      char *host;

      if(argc < 3) {
        printf("%s file host\n\tsends file to host if you have access to it\n", argv[0]);
        exit(1);
      }

      file = argv[1];
      host = argv[2];

      if(access(argv[1], R_OK) == 0) {
        int fd;
        int ffd;
        int rc;
        struct sockaddr_in sin;
        char buffer[4096];

        printf("Connecting to %s:18211 .


Exploit-Exercises Nebula level09

There’s a C setuid wrapper for some vulnerable PHP code… To do this level, log in as the level09 account with the password level09. Files for this level can be found in /home/flag09.

level09.php

    <?php

    function spam($email)
    {
      $email = preg_replace("/\./", " dot ", $email);
      $email = preg_replace("/@/", " AT ", $email);

      return $email;
    }

    function markup($filename, $use_me)
    {
      $contents = file_get_contents($filename);

      $contents = preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);
      $contents = preg_replace("/\[/", "<", $contents);
      $contents = preg_replace("/\]/", ">", $contents);

      return $contents;
    }

    $output = markup($argv[1], $argv[2]);

    print $output;

    ?


Exploit-Exercises Nebula level08

World readable files strike again. Check what that user was up to, and use it to log into flag08 account. To do this level, log in as the level08 account with the password level08. Files for this level can be found in /home/flag08. A pcap (packet capture) file holds the network activity history. Using the tcpflow command, we read the pcap file with the -r option and print the result to the console with the -c option.


Exploit-Exercises Nebula level07

The flag07 user was writing their very first perl program that allowed them to ping hosts to see if they were reachable from the web server. To do this level, log in as the level07 account with the password level07. Files for this level can be found in /home/flag07.

index.cgi

    #!/usr/bin/perl

    use CGI qw{param};

    print "Content-type: text/html\n\n";

    sub ping {
      $host = $_[0];

      print("<html><head><title>Ping results</title></head><body><pre>");

      @output = `ping -c 3 $host 2>&1`;
      foreach $line (@output) { print "$line"; }

      print("</pre></body></html>");
    }

    # check if Host set.


Exploit-Exercises Nebula level06

The flag06 account credentials came from a legacy unix system. To do this level, log in as the level06 account with the password level06. Files for this level can be found in /home/flag06. The hint is in the fact that the flag06 account credentials came from a legacy unix system. Traditionally, the encrypted passwords were stored in /etc/passwd, which can be read by everyone. Nowadays, the password field of that file shows a plain “x”.


Exploit-Exercises Nebula level05

Check the flag05 home directory. You are looking for weak directory permissions. To do this level, log in as the level05 account with the password level05. Files for this level can be found in /home/flag05. Exploiting the weak directory permissions on the .backup files of the flag05 user, we can ssh using the identity file id_rsa found in the .ssh folder.

Exploit-Exercises Nebula level04

This level requires you to read the token file, but the code restricts the files that can be read. Find a way to bypass it :) To do this level, log in as the level04 account with the password level04. Files for this level can be found in /home/flag04.

level4.c

    #include <stdlib.h>
    #include <unistd.h>
    #include <string.h>
    #include <sys/types.h>
    #include <stdio.h>
    #include <fcntl.h>

    int main(int argc, char **argv, char **envp)
    {
      char buf[1024];
      int fd, rc;

      if(argc == 1) {
        printf("%s [file to read]\n", argv[0]);
        exit(EXIT_FAILURE);
      }

      if(strstr(argv[1], "token") !


Exploit-Exercises Nebula level03

Check the home directory of flag03 and take note of the files there. There is a crontab that is called every couple of minutes. To do this level, log in as the level03 account with the password level03. Files for this level can be found in /home/flag03. In the /home/flag03 directory, we can find one shell script and a subdirectory. The script simply deletes every item in the /home/flag03/writable.


Exploit-Exercises Nebula level02

There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it? To do this level, log in as the level02 account with the password level02. Files for this level can be found in /home/flag02.

level2.c

    #include <stdlib.h>
    #include <unistd.h>
    #include <string.h>
    #include <sys/types.h>
    #include <stdio.h>

    int main(int argc, char **argv, char **envp)
    {
      char *buffer;

      gid_t gid;
      uid_t uid;

      gid = getegid();
      uid = geteuid();

      setresgid(gid, gid, gid);
      setresuid(uid, uid, uid);

      buffer = NULL;

      asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
      printf("about to call system(\"%s\")\n", buffer);

      system(buffer);
    }

Simply hijack USER with your system call.


Exploit-Exercises Nebula level01

There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it? To do this level, log in as the level01 account with the password level01. Files for this level can be found in /home/flag01.

level1.c

    #include <stdlib.h>
    #include <unistd.h>
    #include <string.h>
    #include <sys/types.h>
    #include <stdio.h>

    int main(int argc, char **argv, char **envp)
    {
      gid_t gid;
      uid_t uid;
      gid = getegid();
      uid = geteuid();

      setresgid(gid, gid, gid);
      setresuid(uid, uid, uid);

      system("/usr/bin/env echo and now what?


Exploit-Exercises Nebula level00

This level requires you to find a Set User ID program that will run as the “flag00” account. You could also find this by carefully looking in top level directories in / for suspicious looking directories. Alternatively, look at the find man page. To access this level, log in as level00 with the password of level00. The key to solving this level is understanding the concept of SUID and SGID.


Exploit-Exercises Setup

1. Download iso
2. Install virtualization software
3. Boot image file

Log

July 16 2017 4 km run

July 15 2017 Pull Ups : 8 sets BB Rows : 5 sets Lat Pulldown : 5 sets Cable Rows : 5 sets DB Rear Delt Raises : 3 sets

July 13 2017 Bench Press : 6 sets Dips : 4 sets Hanging Leg Raises : 3 sets BB Overhead Press : 3 sets BB Behind Neck Press : 3 sets BB Front Raises : 3 sets BB Upright Rows : 3 sets

July 12 2017 Pull Ups : 4 sets Chin Ups : 4 sets German Hang : 4 sets Lat Pulldown : 5 sets Cable Rows : 5 sets

July 10 2017 Pull Ups : 4 sets Chin Ups : 4 sets German Hang : 4 sets Lat Pulldown : 5 sets Cable Rows : 5 sets

July 9 2017 Dips : 4 sets L Sits : 4 sets DB Overhead Press : 30 5 sets Handstand Push Ups : 4 sets

July 8 2017 Box Jumps : 4 sets Pull Ups : 5 sets Hanging Leg Raises : 5 sets BB Rows : 5 sets Chin Ups : 2 sets

July 7 2017 Bench Press : 95 1 x 5 115 1 x 5 125 1 x 5 130 1 x 4 125 1 x 4 115 1 x 6 Dips : 4 sets L Sits : 3 sets Hanging Leg Raises : 3 sets DB Incline Press : 35 5 sets DB Side Lateral Raises : 10 4 sets

July 6 2017 6 km run

July 5 2017 Pull Ups : 2 sets Chin Ups : 2 sets DB Shoulder Press : 5 sets Cable Rows : 4 sets Hanging Leg Raises : 3 sets Machine Chest Press : 3 sets DB Side Lateral Raises : 4 sets

July 4 2017 Bench Press : 95 1 x 5 115 1 x 5 135 1 x 3 140 1 x 2 145 1 x 1 115 1 x 7 DB Incline Press : 35 5 sets Dips : 4 sets Tricep Pushdown : 4 sets 5 km run Pull Ups : 3 sets Chin Ups : 3 sets German Hang : 4 sets L Sits : 4 sets

June 28 2017 Pull Ups : 4 sets Chin Ups : 2 sets Cable Rows : 5 sets Assisted Pull Ups : 4 sets BB Rows : 65 5 sets BB Curls : 3 sets DB Curls : 2 sets Face Pulls : 3 sets L Sits : 3 sets

June 27 2017 DB Press : 5 sets DB Overhead Press : 5 sets Dips : 4 sets Push Ups : 3 sets Tricep Pushdown : 4 sets French Press : 4 sets

June 27 2017 Pull Ups : 4 sets Lat Pulldown : 5 sets Cable Rows : 5 sets BB Curls : 4 sets

June 25 2017 Bench Press : 95 1 x 5 115 1 x 5 125 5 x 5 DB Incline Press : 35 1 x 6 45 4 x 6 Cable Fly : 12.


About

Hello World, I ❤️ calisthenics. That’s about it for now. Leo ✌️