Nebula Level 00

I’m going to start with the Nebula live CD from exploit-exercises.com.  These challenges have been around for a while so I’m sure there are a million write-ups on how to complete them.  I haven’t read any of them and I’ve never attempted the challenges before so I am going in blind.

For these challenges I’ll be using Oracles VirtualBox to run a Kali 2 virtual machine as my “attacker” machine.  I setup a second virtual machine to run the Nebula live CD which I downloaded from the exploit-exercises website.  Both machines are configured with a network card on a VirtualBox internal network so they can communicate with each other, but not the rest of my network, or the internet.  I am running a DHCP server from my Kali system to provide Nebula with an IP address.  This is a good safety measure to take when running virtual machines that you download from the internet.  Who knows what kind of nasty stuff could be hiding in them.

The Nebula live CD has 20 levels (level00-level19) each of which presents a different challenge.  According to the instructions you login with the username and password of the level that you are trying to complete.  For example to attempt the level01 challenge you login with the username “level01” and password “level01”.  It looks like SSH is enabled so I can do most of the work from my Kali machine using a remote session.

Level 00 instructions

About
This level requires you to find a Set User ID program that will run as the “flag00” account. You could also find this by carefully looking in top level directories in / for suspicious looking directories.

Alternatively, look at the find man page.

To access this level, log in as level00 with the password of level00.

Source code
There is no source code available for this level

Ok simple enough.

I started by doing a search from the root of the file system for any files with the setuid flag owned by the user flag00.

find / -perm -u+s -user flag00

The output was ugly due to all of the Permission Denied messages for folders that level00 is not allowed to access. I omitted the error messages by running the following command

find / -perm -u+s -user flag00 2>/dev/null

I received the following output

/bin/…/flag00
/rofs/bin/…/flag00

I guess they tried to hide the file by naming a folder “…”
I run the executable

/rofs/bin/…/flag00

and get the message

Congrats, now run getflag to get your flag

I also notice that my username changed from level00 to flag00 giving me new access rights. I follow the instructions and run

getflag
You have successfully executed getflag on a target account

Cool! With level00 complete it’s on to level01. I am planning on doing video recordings for some challenges but since this one basically involved running a search for a file I am not going to bother.

Leave a Reply

Your email address will not be published. Required fields are marked *