Posts

Showing posts from November, 2019

Nebula Level01

Level01 Task There is a vulnerability in the below programs to be executed, can you find it? To do this level, log in as the level01 account with password level01. Files for this level can be found in /home/flag01. Source code (level1.c) download 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 #include <stdlib.h> #include <unistd.h> #include <string.h> #include <sys/types.h> #include <stdio.h> int main ( int argc , char ** argv , char ** envp ) { gid_t gid ; uid_t uid ; gid = getegid (); uid = geteuid (); setresgid ( gid , gid , gid ); setresuid ( uid , uid , uid ); system ( "/usr/bin/env echo and now what?" ); } Solution We login into the machine: ssh level01@192.168.195.5  From the given task, files are in " flag01 " home: level01@nebula:~$ cd /home/flag01  level01@nebula:/home/flag01$ ls    flag01               ...

Nebula Level00

Image
Level00 Task This level requires you to find a Set User ID program that will run as the "flag00" account. You could also find this by carefully looking in the top-level directories in/for suspicious looking directories. Alternatively, look at the find man page. To access this level, log in as level00 with password level00. Solution For this level, we have been provided with a username and password to log in to the nebula machine which for my current setup has an address of 192.168.195.10 so we can easily ssh into the machine. ssh level00@192.168.195.5 So, what is expected of us is to find a Set User ID program. But what is a set User ID program? In simplest terms, a Set User ID program is a Linux program that has the setuid flag set. So what is a setuid flag? A setuid flag is a Linux file permission flag which when set allow users to run executable file with the permission of the file's owner. Why is finding a setuid program important in a privilege esc...