I’ve started to have a look at the challenges offered by exploit-exercises.com and thought I’d document my progress.
This post is about Nebula Level 00. The information about this level says:
This level requires you to find a Set User ID program that will run as the “flag00” account. You could also find this by carefully looking in top level directories in / for suspicious looking directories.
Alternatively, look at the find man page.
To access this level, log in as level00 with the password of level00.
This is a pretty simple challenge, but did mean I had to learn all about normal Unix filesystem permissions and the more advanced setuid/setgid/sticky bit permissions. I also learned how to suppress errors from the find command and how to better use the find and man commands.
The command I used was:
find / -perm -u=s 2>/dev/null
I’ll break down what this does:
- find – search for files in a directory hierarchy
- / – start at the root of the filesystem
- -perm -u=s – find files that have the setuid bit set in their permissions
- 2>/dev/null – discard all errors (mostly about not having permission to scan directories)
One of the results was /bin/.../flag00. This (...) is a suspicious looking directory! Running ll /bin/.../flag00 showed me that the owner was flag00 and the setuid bit was indeed set, so I ran the file, which told me to now run getflag and then changed the user to flag00. Running getflag gave me a success message.
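The same search can be turned into a small audit helper. This is an added example, not part of the original post or the Nebula image: it lists setuid files under a directory and separately flags any that sit below a dot-prefixed directory, the kind of path that stood out in this level. The function names list_setuid, hidden_setuid and report_setuid are hypothetical, and a POSIX sh with a standard find is assumed.

```shell
#!/bin/sh
# Added example: audit setuid files under a directory tree.
# Paths are printed relative to ROOT (e.g. "./usr/bin/passwd") so that a
# dot-prefixed component in ROOT itself cannot cause a false match.

# list_setuid ROOT: one setuid regular file per line.
# -perm -4000 is the octal form of the "-perm -u=s" test used in the post;
# -xdev keeps the scan on one filesystem; errors are discarded as in the post.
list_setuid() {
    ( cd "$1" && find . -xdev -type f -perm -4000 2>/dev/null )
}

# hidden_setuid ROOT: only setuid files that live under a directory whose
# name starts with a dot, which a plain "ls" does not show.
hidden_setuid() {
    list_setuid "$1" | grep -E '/\.[^/]*/'
}

# report_setuid ROOT: human-readable listing with owner and mode from ls,
# prefixed with HIDDEN when the path passes through a dot-prefixed directory.
report_setuid() {
    list_setuid "$1" | while IFS= read -r rel; do
        tag="-"
        if printf '%s\n' "$rel" | grep -Eq '/\.[^/]*/'; then
            tag="HIDDEN"
        fi
        printf '%s\t%s\n' "$tag" "$(cd "$1" && ls -ld "$rel")"
    done
}

# When run as a script with an argument, print the report for that tree.
if [ "$#" -gt 0 ]; then
    report_setuid "$1"
fi
```

Comparing the output of list_setuid against a saved baseline from a known-good install makes new or relocated setuid files easy to spot.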
What I liked about this was that I had a shell running as the flag00 user so I could run other commands like whoami before typing exit to get out of the shell. At the time, I had no idea how I was put into a new shell, but it all becomes clearer in the next level…