Nebula Level00: A Newbie’s Approach

Level00 falls in the category of SUID files which is something that I heard about but never had any practical experience. The goal here is to collect the flag through the getflag command.

What you’ll need to know…

find command

Other basic Unix commands

Level00

The instructions for level00 state that we need to find a SUID program which run as flag00 account.

First things first. A Set User ID (SUID) program is a risky type of file that can run with the privileges of another user, for instance, root. This Linux feature allows to improve security when properly used, but is can also be very nefarious when incorrectly used. Here’s an example of a SUID program.

Notice that under the owner permissions, instead of an “x” you have a “s” which means this is a SUID program and will run as root when you execute it.

Now, let’s see how will we going to discover that file.

Find command allows you to search for files owned by a specific user, which is accomplished with the “-user” option. But if you try it, you’ll a lot of “Permission denied”, so your command should be something like “find / -user flag00 2>/dev/null”. “2>/dev/null” means that we’ll redirect the stderr to the null device, which means that you throw out all the lines with errors.

After running that command we still have a few files. Let’s narrow it down by filtering for those that have the SUID bit set, using the “-perm” option.

Your final command should be “find / -user flag00 -perm -4000 2>/dev/null“.

After running it, you get only two files and if you run the first one, you’ll login in flag00 account. From here, you can just run the getflag command and obtain your trophy of level00.

Challenges completed: 1/20

Mitigation

As one can imagine, the simplest way to prevent vulnerabilities through SUID programs is not writing them in the first place. If for some reason you really need to write this type of programs, make sure you don’t give an interface to the user that allows him to write commands. If you can’t, make sure to sanitize all the input.

Always do a proper inventory and account for the SUID programs.

Walkthrough

Further Reading