Nebula is part of Exploit Exercises. It covers a variety of simple and intermediate challenges on Linux privilege escalation, common scripting language issues, and file system race conditions.

This level requires you to find a Set User ID program that will run as the “flag00” account. You could also find this by carefully looking in top level directories in / for suspicious looking directories. Alternatively, look at the find man page.

In this first level, you have to find a file owned by flag00 with the SUID bit set. A single command can do the trick:

find / -user flag00 -perm /6000

Alternatively, you can use -uid 999, where 999 is the user ID of flag00, which can be found in /etc/passwd. This outputs the same result:

find / -uid 999 -perm -u+s

/bin/.../flag00 is the key. When you run it, you become another user because of the SUID bit. Here is the POC:

[Image: Exploit Exercises Nebula Level00]

The redirection is only used to avoid the errors triggered by the system when you try to read a forbidden directory.
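The same search can be reused as a recurring audit of a system you administer. The following is an added example, not code from the original post: the function name `audit_suid` and the HIDDEN/PLAIN labels are hypothetical, and it assumes GNU find (for `-perm /6000`, as used above). It lists setuid/setgid files under a directory, optionally restricted to one owner, and flags those that sit under a dot-prefixed path component such as `/bin/.../`.

```shell
#!/bin/sh
# Added example (hypothetical helper): audit a tree for setuid/setgid files.
# Usage: audit_suid ROOT [OWNER]
# Prints one line per hit: "HIDDEN <path>" when a path component below ROOT
# starts with a dot (as in /bin/.../flag00), otherwise "PLAIN <path>".
# Assumes file names do not contain newlines.
audit_suid() {
    root=$1
    owner=${2:-}
    # -xdev: stay on one filesystem; -type f: regular files only.
    # -perm /6000 matches files with the setuid OR the setgid bit set.
    if [ -n "$owner" ]; then
        # OWNER may be a user name or a numeric user ID.
        set -- "$root" -xdev -type f -user "$owner" -perm /6000
    else
        set -- "$root" -xdev -type f -perm /6000
    fi
    # 2>/dev/null drops the "Permission denied" errors from unreadable
    # directories, which is what the redirection in the post is for.
    find "$@" -print 2>/dev/null | while IFS= read -r path; do
        rel=${path#"$root"}
        case "$rel" in
            */.*) echo "HIDDEN $path" ;;
            *)    echo "PLAIN $path" ;;
        esac
    done
}
```

Comparing the output of `audit_suid /` between runs shows newly added setuid/setgid files; HIDDEN entries and files owned by non-root service accounts are the ones to review first.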
