Level00

This level requires you to find a Set User ID program that will run as the "flag00" account. You could also find this by carefully looking in top level directories in / for suspicious looking directories. Alternatively, look at the find man page.

To access this level, log in as level00 with the password of level00.

Solution

We need to find a file that is setuid.

# find / -user flag00 -perm -4000 -exec ls -ldb {} \; >/tmp/results

This needs a bit of explanation:

  1. We start the search in "/" the root directory.
  2. We are filtering for files owned by user "flag00"
  3. We are filtering for permissions identified as "-4000" this means that all the permission bits must be set (see man find). In this case -4000 means that the setuid bit must be set and all others are optional (i.e. we don't care how the u-user, g-group, o-other permissions are set).
  4. For each match we execute ls -ldb where {} is a placeholder for the filepath being matched. \; tells find that you have reached the end of arguments for the command being executed. See the excerpt from man find (see section -exec command ;).
  5. Finally the results are saved to a file /tmp/results

Of course, once you find the file, just execute it and you are done!

NetworkSecurity/Nebula/Level00 (last edited 2017-11-28 22:31:38 by scot)