Jason Turley's Website

Nebula Level00 Write Up

Nebula is a wargame from Exploit Exercises about exploiting privilege escalation vulnerabilities on Linux.

This is my write up for the first level.


This level requires you to find a Set User ID program that will run as the “flag00” account. You could also find this by carefully looking in top level directories in / for suspicious looking directories.

Alternatively, look at the find man page.

To access this level, log in as level00 with the password of level00.


The level description strongly suggests using the find command to locate the “flag00” binary.  So after logging into the server with ssh, I ran:

level00@nebula:~$ find / -iname "flag00" 2> /dev/null

Let’s break this down:

Not that we have a list of filenames that contain flag00, let’s examine them.

flag00@nebula:~$ ls -l /bin/.../flag00
rwsr-x--- 1 flag00 level00 7358 2011-11-20 21:22 /bin/.../flag00

This file is owned by the flag00 user and is the setuid bit is set! Execute it to raise escalate to flag00.

flag00@nebula:~$ /bin/.../flag00
Congrats, now run getflag to get your flag!
flag00@nebula:~$ getflag
You have successfully executed getflag on a target account