Nebula is the first VM of exploit-exercises.com and I highly recommend it to those who want to challenge themselves to discover vulnerabilities, practice privilege escalation, exploit development, debugging, reverse engineering and other cyber security issues.
It consists of 20 different levels. Let’s start by taking a look at level 00.
Nebula – level 00
The first thing you need to do, if you haven’t done it yet, is download the VM, run it and log in with user level00 and password level00.
Read the description of the exercise carefully. The goal is to capture the flag. We don’t know where it is, otherwise it would be too easy, wouldn’t it? Anyway, the description gives us some hints.
Focus on the keywords Set User ID and flag00.
flag00 is simply the name of a user account. What is a User ID? In case you don’t know it you can just google it.
You’ll see some concepts like setuid, setgid and the sticky bit. Overall they have to do with file permissions. A file (or a directory) can be owned by a particular user or group of users, and only they may have the right to read (r), write (w) or execute (x) the file.
Setuid stands for set user ID and setgid stands for set group ID. They are access right flags that are often used to allow users to run a program with elevated privileges in order to perform a specific task: a program with the setuid bit runs with the privileges of the file’s owner rather than those of the user who launched it. Instead of increasing the rights of a user or group of users, we simply change the rights temporarily, for the duration of that one program. This can reduce the security risk.
How do we set the user id and group id?
Well, we can use the chmod command. Also check the chown and chgrp commands. I’ll leave that to you.
When you use chmod you can use the symbolic syntax or the octal syntax.
In the symbolic syntax, chmod is followed by the entity that receives the permissions, identified by a letter:
- u for user
- g for group
- o for others
- a for anybody
followed by = and by the letters identifying the permissions:
- r for read
- w for write
- x for execute
For example:
chmod a=rwx filename
In the octal syntax, numbers are used instead of letters. The first digit identifies the permissions of the user, the second one those of the group and the third one those of others.
chmod 777 filename
Let’s see the meaning of all the numbers.
- 0 – no access rights
- 1 – x execution
- 2 – w write
- 3 – wx write and execution
- 4 – r read
- 5 – rx read and execution
- 6 – rw read and write
- 7 – rwx read, write and execution
What is the sticky bit?
It is an optional access right flag that can be set using chmod for files and directories. It is identified by the octal number 1000 or the letter t or T (depending on the system).
The optional setuid bit instead is identified by the letter s.
How to check the permissions of a file or a directory on Unix-like systems?
For example you can use:
ls -l filename
stat -c '%A %U %G %n' filename
stat -c takes a format string: here %A prints the permissions in symbolic form, %U the owner, %G the group and %n the file name.
This should give you the necessary knowledge for solving the challenge. I recommend that you try by yourself first, and if you don’t find the way to solve it soon, don’t worry. Chances are it is the first challenge you do, so that’s alright. Try harder! If you really get stuck and you want to see the solution, check the paragraph below.
Solution – Walkthrough
Read the description of the exercise again. You need to find the files owned by the account flag00. You can either browse the root directory recursively until you see something suspicious or you can search for the file directly. The second option seems a wiser choice. Do you see that the word find in the description is in bold? That’s a hint. find is actually the name of a useful program.
If you don’t know how to use it, RTFM 🙂
man is your friend here.
Try issuing the command man find:
We need to find an executable file that is owned by flag00 and has the setuid flag set.
find / -perm /u=s -user flag00 | less
This searches from the root directory (/) for files owned by the user flag00 (-user flag00) with the setuid bit set (-perm /u=s). I also piped (|) the command into less, so that I can scroll up and down, because the list of directories and files doesn’t fit on the screen.
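The same search can be rehearsed on a scratch directory. The script below is an added example, not part of the original walkthrough: it creates constructed sample files with known octal modes, shows how the special bits appear in symbolic form, and lists the setuid files with the same -perm /u=s and -user tests. It assumes GNU find and stat; the function and file names are made up for the illustration.

```shell
#!/bin/sh
# Added example: audit a scratch directory for setuid files.
# All files here are constructed samples; nothing outside mktemp's dir is touched.
set -eu

# Create sample files whose modes exercise the special permission bits.
make_sandbox() {
    sb_dir=$(mktemp -d)
    touch "$sb_dir/plain" "$sb_dir/suid_exec" "$sb_dir/suid_noexec"
    mkdir "$sb_dir/shared"
    chmod 0644 "$sb_dir/plain"        # rw-r--r--  no special bits
    chmod 4755 "$sb_dir/suid_exec"    # rwsr-xr-x  setuid plus owner execute
    chmod 4644 "$sb_dir/suid_noexec"  # rwSr--r--  setuid, owner cannot execute
    chmod 1777 "$sb_dir/shared"       # rwxrwxrwt  sticky directory
    printf '%s\n' "$sb_dir"
}

# Symbolic mode of one path, as in the first column of `ls -l`.
mode_of() {
    stat -c '%A' "$1"
}

# Names of regular files under $1 with the setuid bit, owned by user $2.
# Same tests as the walkthrough's command, limited to one directory.
find_setuid() {
    find "$1" -type f -perm /u=s -user "$2" -printf '%f\n' 2>/dev/null | sort
}

# One audit line per setuid file: octal mode, symbolic mode, owner, path.
audit_setuid() {
    find "$1" -type f -perm /u=s -exec stat -c '%a %A %U %n' {} + 2>/dev/null
}

main() {
    demo_dir=$(make_sandbox)
    echo "setuid files under $demo_dir:"
    audit_setuid "$demo_dir"
    echo "sticky directory: $(mode_of "$demo_dir/shared")"
    rm -rf "$demo_dir"
}

main
```

On a real system, a setuid file that turns up in this kind of listing and is not part of a known package deserves a closer look.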
Okay, so it seems there is an interesting executable file called flag00 in the folder /bin/…/ .
Let’s cd (change directory) into it:
Now we can check the files contained in the directory along with their permissions:
-a (all) do not ignore directories starting with .
-s (size) print the allocated size of each file in blocks
-l use a long listing format
Let’s try to run the flag00 file:
./ indicates the current directory here and flag00 is the filename.
And we finally get the flag:
Author: Fabio Baroni Date: 2016-10-02 00:28:03