MattAndreko.com

"hostess is a code-slaying dragon found deep within the core of the earth, unearthing magma and vulnerabilities single handedly while using the other hand to pet his cat"

Exploit Exercises - Nebula 00

| Comments

Recently, I’ve been getting more and more back into computer security, one of my favorite topics. Part of this is research, and part is more practical, such as wargames or labs. One newer wargame that I’ve been playing is called “Nebula”, from the guys over at Exploit-Exercises. If you’re interested in security, please check out their site, as well as many other wargames. If this goes successfully, perhaps I’ll start going through my notes of otherwargames, publishing them as well.

For level 00, it’s fairly introductory. You’re supposed to find a SUID program, that you can run as the “flag00” user. I read a little on the find manual, since I don’t use the more advanced features often, and came up with this:

1
2
3
level00@nebula:~$ find / -executable -user flag00 2> /dev/null
/home/flag00
/bin/.../flag00

This find command, should show all files that are executable and owned by the user “flag00”. The “2> /dev/null” is just to redirect the standard error output to null, so I don’t see all the “Permission Denied” errors.
It looks like it found the flag00 user’s home folder, as well as an executable hidden in /bin/…/. I then executed it, which granted me access to the flag00 user. From there, I ran the “getflag” command, which I don’t think actually does anything on this VM, but oh well.

1
2
3
4
level00@nebula:~$ /bin/.../flag00
Congrats, now run getflag to get your flag!
flag00@nebula:~$ getflag
You have successfully executed getflag on a target account

There you have it, the first level down. It was trivial, but still a good learning experience.

Comments