
Exploit Exercises, Nebula - level00

Nebula is part of Exploit Exercises. It offers a variety of simple and intermediate challenges covering Linux privilege escalation, common scripting language issues, and file system race conditions.

This level requires you to find a Set User ID program that will run as the “flag00” account. You could also find this by carefully looking in top level directories in / for suspicious looking directories. Alternatively, look at the find man page.

In this first level, you have to find a file owned by flag00 with the SUID bit set. A single command can do the trick:

find / -user flag00 -perm /6000

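Alternatively, you can match on the numeric user ID with -uid 999, where 999 is the user ID of flag00, which can be found in /etc/passwd. The command below passes the number to -user instead, which also accepts a numeric ID, and outputs the same result: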

find / -user 999 -perm -u+s

/bin/.../flag00 is the key. When you run it, you run as another user because of the SUID bit. Here is the POC:

[Image: Exploit Exercises Nebula Level00]

The redirection is only used to suppress the errors find prints when it tries to read a directory you are not allowed to access.
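The two -perm forms used above return the same file on this level, but they are not equivalent in general: /6000 also matches setgid-only files, while -u+s requires the setuid bit. The following script is an added example, not part of the original write-up; it goes beyond the level by building a constructed tree owned by the current user (all file names, the -type f filter and the dot-directory check are assumptions made here) and comparing the two predicates the way a SUID audit would.

```shell
#!/bin/sh
# Added example (not from the original write-up). All file names are constructed.

# Build a throwaway tree owned by the current user, one file per bit combination.
make_sandbox() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/bin/..." "$dir/usr"
    : > "$dir/bin/.../suid_only"; chmod 4755 "$dir/bin/.../suid_only"  # setuid
    : > "$dir/usr/sgid_only";     chmod 2755 "$dir/usr/sgid_only"      # setgid
    : > "$dir/usr/both";          chmod 6755 "$dir/usr/both"           # both
    : > "$dir/usr/plain";         chmod 0755 "$dir/usr/plain"          # neither
    printf '%s\n' "$dir"
}

# -perm /6000: ANY of the setuid (4000) or setgid (2000) bits is set.
any_special() {
    ( cd "$1" && find . -type f -uid "$(id -u)" -perm /6000 2>/dev/null | sort )
}

# -perm -u+s: the setuid bit itself must be set (setgid-only files drop out).
setuid_set() {
    ( cd "$1" && find . -type f -uid "$(id -u)" -perm -u+s 2>/dev/null | sort )
}

# Keep only hits that live under a dot-named directory such as "...",
# which a plain "ls" does not show.
in_dot_dir() {
    grep -E '/\.[^/]*/' || true
}

# Demo run over the constructed tree.
root=$(make_sandbox)
echo "-perm /6000:"; any_special "$root"
echo "-perm -u+s:";  setuid_set "$root"
echo "in dot-dirs:"; setuid_set "$root" | in_dot_dir
rm -rf "$root"
```

On a real host, an audit would run the same predicates from / and compare the hits against the package manager's list of expected SUID binaries.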