Mike-Boya

Information Security and Programming Blog

Exploit Exercises - Nebula Level00

After completing some of my certifications, I decided to get back to some of the challenges and coding practice. My good friend Kristian suggested the war games over at Exploit Exercises. Starting with Nebula, I will outline some walkthroughs of my solutions to the levels (00-19). I will split each level into a separate post in order to not spoil any of the challenges for someone just looking for a hint on a single level.

Level00 requires you to locate a Set User ID program that will run as the “flag00” account. The “About” section hints at checking out the man page for the find command.

I am very familiar with the find command from my SysAdmin tasks at work, so a quick one-liner should do the trick. The command below will search the entire filesystem for any file with SUID permissions owned by the flag00 user. The last part of the command 2>/dev/null sends standard error to /dev/null to avoid flooding the screen with permission denied messages.

level00@nebula:~$ find / -perm -4000 -user flag00 2>/dev/null
/bin/.../flag00

The output identifies the SUID program in a “hidden” directory that meets the find commands specifications. I refer to the directory as “hidden” because if you were to run the ls command in that directory (with no additional flags), the directory would not show up in the output.

Lets run the SetUID program:

level00@nebula:~$ /bin/.../flag00
Congrats, now run getflag to get your flag!
flag00@nebula:~$ getflag
You have successfully executed getflag on a target account
flag00@nebula:~$ id
uid=999(flag00) gid=1001(level00) groups=999(flag00),1001(level00)

Success! Running the SetUID program escalated us to the flag00 user.

This first level seems simple but is teaching a very important concept in linux security. SetUID is a special type of file permissions given to a file. When a program has the SUID bit set (-rwsr-x---), it runs as the owner of the file instead of inheriting the permissions of the logged in user. There are some programs on a Linux/Unix system that require this capability (ping and passwd). These programs need root permissions in order to perform specific tasks and alter specific files on the system. System Administrators should be very careful when setting setuid and setguid because improper use of these access modes can lead to compromise of the system.

Mike