Nebula Level00
Level00
Task
This level requires you to find a Set User ID program that will run as the "flag00" account. You could also find this by carefully looking in the top-level directories in/for suspicious looking directories. Alternatively, look at the find man page.
To access this level, log in as level00 with password level00.
Solution
For this level, we have been provided with a username and password to log in to the nebula machine which for my current setup has an address of 192.168.195.10 so we can easily ssh into the machine.
So, what is expected of us is to find a Set User ID program. But what is a set User ID program? In simplest terms, a Set User ID program is a Linux program that has the setuid flag set. So what is a setuid flag? A setuid flag is a Linux file permission flag which when set allow users to run executable file with the permission of the file's owner.
Why is finding a setuid program important in a privilege escalation context? because if the file belongs to a user with a higher privilege and something is misconfigured or done improperly, then the current user can easily escalate to the privilege of the file's owner.
We have already been provided with hints for this level on how to find the setuid file. From the question, it is stated that we should look at the find manual page, therefore using find we could filter out all setuid files.
Note, the above command reflects the final result, initially, I had to run:
at this point, we find a file named flag00 then we filter for "flag" using:
this yielded:
running:
so the program is telling us to run getflag command to get the flag:
So at this level, the concept of setuid file has been introduced, the next levels will show how this can be exploited to escalate privilege.
References
https://en.wikipedia.org/wiki/Setuid
https://en.wikipedia.org/wiki/Find_(Unix)
https://www.gnu.org/software/findutils/manual/html_mono/find.html
Task
This level requires you to find a Set User ID program that will run as the "flag00" account. You could also find this by carefully looking in the top-level directories in/for suspicious looking directories. Alternatively, look at the find man page.
To access this level, log in as level00 with password level00.
Solution
For this level, we have been provided with a username and password to log in to the nebula machine which for my current setup has an address of 192.168.195.10 so we can easily ssh into the machine.
ssh level00@192.168.195.5
So, what is expected of us is to find a Set User ID program. But what is a set User ID program? In simplest terms, a Set User ID program is a Linux program that has the setuid flag set. So what is a setuid flag? A setuid flag is a Linux file permission flag which when set allow users to run executable file with the permission of the file's owner.
Why is finding a setuid program important in a privilege escalation context? because if the file belongs to a user with a higher privilege and something is misconfigured or done improperly, then the current user can easily escalate to the privilege of the file's owner.
We have already been provided with hints for this level on how to find the setuid file. From the question, it is stated that we should look at the find manual page, therefore using find we could filter out all setuid files.
Note, the above command reflects the final result, initially, I had to run:
level00@nebula:~$ find / -perm -u+s 2>&1
The above command is to run find searching for any file with setuid flag set, this yielded a lot of result and errors for those files we don't have permission to access and hence this command to filter out all errors:
level00@nebula:~$ find / -perm -u+s 2>&1 | grep -e "find" -v
level00@nebula:~$ find / -perm -u+s 2>&1 | grep -e "find" -v | grep -e "flag"
level00@nebula:~$ find / -perm -u+s 2>&1 | grep -e "find" -v
/bin/.../flag00
/rofs/bin/.../flag00
level00@nebula:~$ /bin/.../flag00
Congrats, now run getflag to get your flag!
level00@nebula:~$ getflag
You have successfully executed getflag on a target account
References
https://en.wikipedia.org/wiki/Setuid
https://en.wikipedia.org/wiki/Find_(Unix)
https://www.gnu.org/software/findutils/manual/html_mono/find.html
Comments
Post a Comment