Nebula 00

Exploit Exercises Write-Up

Posted on June 5, 2017 as Exploit Exercises. 2 minutes read.

Introduction

Finally, exams are over, so it's time to get back to security topics. Today I'm going to start documenting my journey through the Nebula machine from Exploit Exercises.

Nebula covers a variety of simple and intermediate challenges that cover Linux privilege escalation, common scripting language issues, and file system race conditions.
Nebula is an ideal place to get started for people new to Linux exploitation.

It would be great to have this quick reminder, so let's try it out!

Challenge

About

This level requires you to find a Set User ID program that will run as the “flag00” account. You could also find this by carefully looking in top level directories in / for suspicious looking directories.

Alternatively, look at the find man page.

To access this level, log in as level00 with the password of level00.

Solution

A common task in CTFs and other hacking challenges is finding an executable file with the SUID bit set. Of course we want the fastest way, so let's use the find command. But first, what is the SUID bit?

It is a permission bit that tells the system to run an executable with the permissions of its owner, not of the person running it. For example, a root user creates a script that changes some files and wants to share it with other users on the system. Adding the SUID bit makes that possible. Now let's find these.

level00@nebula:~$ find / -perm /u=s -user flag00 2>/dev/null
/bin/.../flag00
/rofs/bin/.../flag00
level00@nebula:~$ ls -l /bin/.../
total 8
-rwsr-x--- 1 flag00 level00 7358 2011-11-20 21:22 flag00

Great, we've found it! Looking at the permissions, we can see it's a SUID binary. We can also break down the find command to better understand it.

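  • / - start the search at the root of the file system
  • -perm /u=s - match files with the SUID bit set
  • -user flag00 - match only files owned by the flag00 user
  • 2>/dev/null - discard error messages (such as "Permission denied") by redirecting stderr to /dev/null

Now we have to run it and get the flag.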

level00@nebula:~$ /bin/.../flag00
Congrats, now run getflag to get your flag!
level00@nebula:~$ getflag
You have successfully executed getflag on a target account
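
The same find technique works as a defensive check. The script below is an added example, not part of the original write-up: it inventories SUID files and flags any that are missing from an allowlist or sit under a dot-named directory such as the "..." seen above. The function names, the allowlist format and the demo tree are assumptions made for illustration.

```shell
# Added example (not from the write-up). Function names, the allowlist
# format (one absolute path per line) and the demo tree are assumptions.

# list_suid ROOT [OWNER]: print regular files under ROOT that have the SUID
# bit set, optionally only those owned by OWNER. -perm -4000 tests the same
# bit as -perm /u=s; 2>/dev/null hides "Permission denied" errors.
list_suid() {
    if [ -n "${2:-}" ]; then
        find "$1" -xdev -type f -perm -4000 -user "$2" 2>/dev/null
    else
        find "$1" -xdev -type f -perm -4000 2>/dev/null
    fi | sort
}

# audit_suid ROOT ALLOWLIST: print "REASON path" for each finding.
#   UNLISTED  SUID file that is not in the allowlist
#   HIDDEN    some name below ROOT starts with "." (as in /bin/.../flag00)
audit_suid() {
    local root=$1 allow=$2 path
    list_suid "$root" | while IFS= read -r path; do
        grep -Fxq -- "$path" "$allow" || printf 'UNLISTED %s\n' "$path"
        case "/${path#"$root"}" in
            */.*) printf 'HIDDEN %s\n' "$path" ;;
        esac
    done
}

# make_demo_tree: build a constructed tree with one allowlisted SUID file
# and one SUID file inside a directory named "..."; prints the tree root.
make_demo_tree() {
    local d
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin/..." "$d/usr/bin"
    touch "$d/bin/ls" "$d/bin/.../flag00" "$d/usr/bin/passwd"
    chmod 0755 "$d/bin/ls"
    chmod 4750 "$d/bin/.../flag00"
    chmod 4755 "$d/usr/bin/passwd"
    printf '%s\n' "$d/usr/bin/passwd" > "$d/allow.txt"
    printf '%s\n' "$d"
}

# Run against the constructed tree when invoked as: script demo
if [ "${1:-}" = "demo" ]; then
    d=$(make_demo_tree) && audit_suid "$d" "$d/allow.txt"
    rm -rf "$d"
fi
```

On a real host the allowlist would be the SUID inventory recorded right after installation, so later runs report only what changed.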

Awesome warmup, I'm definitely looking forward to the next ones.

Keep learning and stay safe!

~ W3ndige