Nebula Level00

Level00

Task

This level requires you to find a Set User ID program that will run as the "flag00" account. You could also find this by carefully looking in the top-level directories in / for suspicious-looking directories. Alternatively, look at the find man page.
To access this level, log in as level00 with password level00.

Solution

For this level, we have been provided with a username and password to log in to the Nebula machine, which in my current setup has the address 192.168.195.10, so we can easily ssh into the machine.

ssh level00@192.168.195.5


So, what is expected of us is to find a Set User ID program. But what is a Set User ID program? In the simplest terms, it is a Linux program that has the setuid flag set. So what is the setuid flag? It is a Linux file permission flag which, when set, allows users to run an executable file with the permissions of the file's owner.

Why is finding a setuid program important in a privilege escalation context? Because if the file belongs to a user with higher privileges and something is misconfigured or done improperly, the current user can easily escalate to the privileges of the file's owner.

We have already been given hints for this level on how to find the setuid file. The task says we should look at the find manual page, so we can use find to filter for all setuid files.



Note: the above command reflects the final result. Initially, I had to run:

level00@nebula:~$ find / -perm -u+s 2>&1 

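The above command runs find, searching for any file with the setuid flag set, with 2>&1 merging the error stream into the output. This yielded a lot of results, plus errors for the files we don't have permission to access, hence this command to filter out all errors (find's error messages start with "find:", so grep -v drops those lines):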

level00@nebula:~$ find / -perm -u+s 2>&1 | grep -e "find" -v

At this point, we find a file named flag00, so we filter for "flag" using:

level00@nebula:~$ find / -perm -u+s 2>&1 | grep -e "find" -v | grep -e "flag" 

This yielded:

level00@nebula:~$ find / -perm -u+s 2>&1 | grep -e "find" -v
/bin/.../flag00
/rofs/bin/.../flag00

Running:

level00@nebula:~$ /bin/.../flag00
Congrats, now run getflag to get your flag! 

So the program is telling us to run the getflag command to get the flag:

level00@nebula:~$ getflag 
You have successfully executed getflag on a target account

So this level introduces the concept of a setuid file; the next levels will show how this can be exploited to escalate privileges.
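
The same find test is what an administrator would use to audit setuid files on a host. The script below is an added example, not part of the original walkthrough: it lists setuid files and flags the ones that sit in a hidden directory (as flag00 does in /bin/.../) or are not owned by root. The function names and the sample listing are constructed for illustration, and list_setuid assumes GNU find (for -printf).

```shell
#!/bin/sh
# Added example: audit setuid files and flag the ones worth a closer look.

# Print "owner path" for every setuid regular file under $1.
# -perm -4000 is the octal form of the -perm -u+s test used above;
# -xdev keeps find on one filesystem (skips /proc, network mounts).
list_setuid() {
    find "$1" -xdev -type f -perm -4000 -printf '%u %p\n' 2>/dev/null
}

# Read "owner path" lines on stdin and print "reasons owner path" for
# entries that are inside a hidden directory (a path component that
# starts with ".") or are owned by an account other than root.
flag_suspicious() {
    while read -r owner path; do
        reason=""
        case "$path" in
            */.*/*) reason="hidden-dir" ;;
        esac
        if [ "$owner" != "root" ]; then
            reason="${reason:+$reason,}non-root-owner"
        fi
        if [ -n "$reason" ]; then
            printf '%s %s %s\n' "$reason" "$owner" "$path"
        fi
    done
    return 0
}

# Constructed sample listing in list_setuid's output format. The owner
# of flag00 is assumed to be the flag00 account the task mentions.
sample_listing() {
    cat <<'EOF'
root /usr/bin/passwd
root /usr/bin/sudo
flag00 /bin/.../flag00
EOF
}

# Run the check over the sample; on a live host use:
#   list_setuid / | flag_suspicious
sample_listing | flag_suspicious
```

On the sample listing only the flag00 entry is reported, with both reasons attached.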

