Nebula Level00

-
Level00

 Task

This level requires you to find a Set User ID program that will run as the "flag00" account. You could also find this by carefully looking in the top-level directories in/for suspicious looking directories. Alternatively, look at the find man page.
To access this level, log in as level00 with password level00.

 Solution

For this level, we have been provided with a username and password to log in to the nebula machine which for my current setup has an address of 192.168.195.10 so we can easily ssh into the machine.

 ssh level00@192.168.195.5
So, what is expected of us is to find a Set User ID program. But what is a set User ID program? In simplest terms, a Set User ID program is a Linux program that has the setuid flag set. So what is a setuid flag? A setuid flag is a Linux file permission flag which when set allow users to run executable file with the permission of the file's owner.

Why is finding a setuid program important in a privilege escalation context? because if the file belongs to a user with a higher privilege and something is misconfigured or done improperly, then the current user can easily escalate to the privilege of the file's owner.

 We have already been provided with hints for this level on how to find the setuid file. From the question, it is stated that we should look at the find manual page, therefore using find we could filter out all setuid files.

Note, the above command reflects the final result, initially, I had to run:

 level00@nebula:~$ find / -perm -u+s 2>&1 

The above command is to run find searching for any file with setuid flag set, this yielded a lot of result and errors for those files we don't have permission to access and hence this command to filter out all errors:

level00@nebula:~$ find / -perm -u+s 2>&1 | grep -e "find" -v

at this point, we find a file named flag00 then we filter for "flag" using:

 level00@nebula:~$ find / -perm -u+s 2>&1 | grep -e "find" -v | grep -e "flag" 

this yielded:

 level00@nebula:~$ find / -perm -u+s 2>&1 | grep -e "find" -v
/bin/.../flag00
/rofs/bin/.../flag00

running:

 level00@nebula:~$ /bin/.../flag00
Congrats, now run getflag to get your flag! 

so the program is telling us to run getflag command to get the flag:

 level00@nebula:~$ getflag 
You have successfully executed getflag on a target account

So at this level, the concept of setuid file has been introduced, the next levels will show how this can be exploited to escalate privilege.

 References
https://en.wikipedia.org/wiki/Setuid
https://en.wikipedia.org/wiki/Find_(Unix)
https://www.gnu.org/software/findutils/manual/html_mono/find.html

Comments

Post a Comment

Popular posts from this blog

Before You Dive In...

-
I have always wanted to write, partly to improve my writing skills but also to document my research in reverse code engineering, software exploitation and computer programming in general, my current goal is to have at least a post a week, but since am just starting out I do not know how feasible that will be considering school and my need for quality over quantity. In the coming weeks, I will post on varying topics from software reverse engineering to exploitation and basically anything that interest me. My primary aim is just to cement my knowledge in my fields of interest by giving back to the community as I learn and hopefully along the way help someone trying to learn. A quick disclaimer though is that I am no professional at either writing or the subject on which I will be writing (at least for now),  am just trying to navigate through the vast ocean of knowledge hoping to pick one or two things along the way, so corrections, constructive criticism, and even unconstructive ones
Read more

OverTheWire: Bandit Lab

-
Image
Bismillahirrahmanirrahim (In the name of Allah the most gracious, the most merciful) So recently I and @electro decided to solve wargames and CTFs in the spirit of honing the skills and because we are preparing for something really important (another post for another day). We decided to start with the labs at overthewire  and the first on the list was Bandit Lab. Bandit Lab was a fun experience, mostly easy, except for one or two tricky levels, level 26 and level 33 in particular. This Labs weren't so difficult but required a bit of thinking outside the box, hence why am documenting them. NB : this writeup doesn't include our thought process while solving the levels Level 26 Level Description When we attempt to login to this level using the private key obtained from the previous level we get automatically logged out and since the level goal already informed us that we are dealing with a different shell, we need to figure out what it is and how to break out of it. Above is the
Read more

SSRF Notes: PortSwigger Labs Continued

-
Image
  Lab 3: SSRF with blacklist-based input filter Task :  This lab has a stock check feature which fetches data from an internal system.  To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos.  The developer has deployed two weak anti-SSRF defenses that you will need to bypass. This Lab is just like the previous ones except that we need to bypass blacklist filters. This is what a normal request to the stock check feature looks like: Passing http://localhost/admin to the stockApi parameter does not work this time. we get this response: That's the filter blocking us. It turned out 127.0.0.1, localhost, admin are all blacklisted so cannot be used. So after trying a couple things the following was able to bypass the filter: We get the following response: So to complete the Lab we just proceed to delete carlos. And that's it Lab solved.
Read more