There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it? Files for this level can be found in /home/flag01.

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys types.h="">
#include <stdio.h>

int main(int argc, char **argv, char **envp)
  gid_t gid;
  uid_t uid;

  gid = getegid();
  uid = geteuid();

  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

  system("/usr/bin/env echo and now what?");

This program has been compiled and the executable is available in /home/flag01.


Nebula is part of Exploit Exercises, it covers a variety of simple and intermediate challenges that cover Linux privilege escalation, common scripting language issues, and file system race conditions.

This level requires you to find a Set User ID program that will run as the “flag00” account. You could also find this by carefully looking in top level directories in / for suspicious looking directories. Alternatively, look at the find man page.

In this first level, you have to find a file owned by flag00 with suid bit. A single command can do the trick:

find / -user flag00 -perm /6000

I recently read a nice article on InfoSec Institute (again) about Null byte injection. However I met some problems to make it works in a real situation so I decided to write my own.

First of all, this vulnerability has been fully patched in PHP 5.3.4 (until someone else find another buggy function…), that means you need to install an old version of PHP. Grab it in PHP releases archive. After compiled and configured, it’s very important to set magic_quotes_gpc=Off in the php.ini (it won’t work with ini_set in the script itself).

Then imagine an index.php like this:

include( '/var/www/pages/'.$_GET['p'].'.php' );

And a /pages/store.php like this:

echo 'This is the store !';

If you call it directly it will works but in that case index.php is usually used to display common stuffs like header and footer.


There is a lot of resources available about hacking and security, here are my favorites.

Some blogs I frequently visit from bounty hunters themself. They explain their findings, why it occurs, how they were able to exploit and sometimes how much they win. I visit them once a week and I also follow their writer on Twitter to not miss the bugs they don’t review.

In my opinion the best way to learn hacking and security is to read public disclosure. It’s a great resources of tips and tools to use to make your life easier. Some of my favorites issues, the ones I like to read again and again to understand the vulnerability and try to discern the state of mind of the hacker who found it. It’s also a good way to improve your report skill and see the way hackers communicates with security teams to keep good feelings.

Each Time I learn a new kind of issue, I try to reproduce it on on my local lab, then I try it on security programs I’m currently working on. Sometime it works, sometimes not but bug bounty is also about patience. Happy reading !


VulnHub is a training platform which provides “a catalogue of ‘stuff’ that is (legally) ‘breakable, hackable & exploitable’”, understand: a pool of vulnerable virtual machines. The downloads are essentially .iso, .vbox or .ova which can be opened with VirtualBox or VMware.

The machines are created and proposed by the community itself. Also different versions of the famous Damn Vulnerable Linux and the Exploit Exercises suite are in. You will have to deal with many many different kinds of vulnerabilities like file permissions, web application, shellcode, heap overflows, password cracking, privilege escalation and so on…

For instance, you can read the solution of one of those challenge on InfoSec Institute website: The Tr0ll Challenge