13 August 2012

Exploit.Exercise.com - Nebula - Level00

I decided to try my hand at a war game over at Exploit Exercises. I figured it was a good way to keep my mind sharp. Before reading my spoilers you should give them a try yourself.

Level00 wants you to find a Set User ID program that is hidden in the filesystem. Level00 says that the SUID program runs as user 'flag00'.

The Linux find command works really well for this task.

The level00 documentation gives us two clues about the file: it is executable, and it runs as the 'flag00' user. The find man page shows that we can search on both criteria, using -user and -executable.

Running this command
$ find / -user flag00 -executable -print
returns a bunch of permission errors.

So we run this to clean it up (send the errors to /dev/null):
$ find / -user flag00 -executable -print 2> /dev/null
/home/flag00
/bin/.../flag00

Checking out /home/flag00 doesn't seem to show anything interesting:
$ ls -la /home/flag00
total 20
drwxr-x---  2 flag00 level00 4096 2011-11-20 20:21 .
drwxr-xr-x 43 root   root    4096 2011-11-20 20:21 ..
-rw-r--r--  1 flag00 flag00   220 2011-05-18 02:54 .bash_logout
-rw-r--r--  1 flag00 flag00  3353 2011-05-18 02:54 .bashrc
-rw-r--r--  1 flag00 flag00   675 2011-05-18 02:54 .profile

Let's check out the other result:
$ ls -la /bin/.../flag00
-rwsr-x--- 1 flag00 level00 7358 2011-11-20 21:22 /bin/.../flag00

There we go, it's executable, and the s in the owner permissions (-rwsr-x---) shows the setuid bit is set. Let's try it out.
$ /bin/.../flag00
Congrats, now run getflag to get your flag!

And finally we get what we came for...
$ getflag
You have successfully executed getflag on a target account
$
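
As an added example (not part of the original post): an audit helper built on the same find approach. It goes one step further than the command above by matching the setuid bit directly with -perm -4000, and it tags hits that sit under a dot-prefixed directory such as the /bin/... seen here. The function names, the HIDDEN/OK tags and the fixture files are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Names and fixture are constructed.

# audit_suid ROOT [OWNER]
# Lists setuid regular files under ROOT (optionally only those owned by OWNER)
# and tags any whose path below ROOT has a dot-prefixed component.
audit_suid() {
    root=$1
    owner=${2:-}
    if [ -n "$owner" ]; then set -- -user "$owner"; else set --; fi
    # -perm -4000: setuid bit set; -xdev: stay on ROOT's filesystem;
    # 2>/dev/null: drop the permission errors, as in the post.
    find "$root" -xdev -type f -perm -4000 "$@" -print 2>/dev/null |
    while IFS= read -r path; do
        rel=${path#"$root"}
        case "$rel" in
            */.*) printf 'HIDDEN %s\n' "$path" ;;
            *)    printf 'OK     %s\n' "$path" ;;
        esac
    done
}

# make_fixture: build a constructed sample tree in a temp dir and print its path.
make_fixture() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin/..."
    for f in "$d/bin/.../flagdemo" "$d/bin/passwd-demo" "$d/bin/ls-demo"; do
        printf '#!/bin/sh\n' > "$f"
    done
    chmod 4750 "$d/bin/.../flagdemo"   # setuid, inside a directory named "..."
    chmod 4755 "$d/bin/passwd-demo"    # setuid, ordinary location
    chmod 0755 "$d/bin/ls-demo"        # executable but not setuid
    printf '%s\n' "$d"
}

# Demo run against the constructed tree.
demo=$(make_fixture) && audit_suid "$demo" && rm -rf "$demo"
```

Run against a real root such as /, the HIDDEN lines are the ones to review first, since legitimate setuid binaries rarely live under dot-prefixed directories.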