Nebula: Level00

About

This level requires you to find a Set User ID program that will run as the “flag00” account. You could also find this by carefully looking in top level directories in / for suspicious looking directories.

Alternatively, look at the find man page.

To access this level, log in as level00 with the password of level00.

Source code

There is no source code available for this level

 

Solution

As hinted, use the “find” command to locate an executable with the right permissions. The following command does this:

$ find / -perm /u=s -user flag00

Here find searches from the root directory (/) for files whose set-user-ID bit is set (-perm /u=s, where u is the user class and s is the set-ID-on-execution bit), and -user flag00 restricts the matches to files owned by flag00. However, this produces more output than we can scroll through, so we need to trim it down to only the lines we want.

These “Permission denied” lines are written to stderr (the file descriptors are stdin=0, stdout=1, stderr=2). Therefore, by adding a redirection at the end, we can send the error output somewhere else.

$ find / -perm /u=s -user flag00 2>somewhere

However, upon trying to send it to a file such as asdf.txt, you get permission denied. Instead, we can send it to the special file /dev/null, which has a file size of 0 no matter what. Anything you write to it is discarded, so we are “writing something without writing anything”. (There are other special files such as /dev/full and /dev/zero.) This gives us…

$ find / -perm /u=s -user flag00 2>/dev/null

We can see that there are two candidates for an executable. However, we can’t see the actual directory in which they are stored. Still, typing the path directly into the terminal will execute it. If we wanted to double-check, we could always use ls -al to check the permission flags, but this will do.

$ /rofs/bin/.../flag00
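
The same find test is also useful as an audit: the added example below (not part of the original write-up) lists set-user-ID files under a directory and tags any that sit beneath a dot-prefixed directory, the kind of placement this level hides its program in. The function names suid_audit and make_demo_tree, the HIDDEN/OK tags and the sample tree are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit a tree for set-user-ID files and flag hidden locations.

# suid_audit ROOT [OWNER]
# Prints "<tag> <path>" for every setuid regular file under ROOT.
# tag is HIDDEN when a path component below ROOT starts with ".", else OK.
suid_audit() {
    root=$1
    owner=${2:-}
    # -perm -4000 is the octal spelling of the write-up's "-perm /u=s".
    # -xdev keeps find on ROOT's filesystem (skips /proc, network mounts).
    if [ -n "$owner" ]; then
        set -- "$root" -xdev -type f -perm -4000 -user "$owner"
    else
        set -- "$root" -xdev -type f -perm -4000
    fi
    # 2>/dev/null drops the "Permission denied" noise, as in the write-up.
    find "$@" -print 2>/dev/null | while IFS= read -r path; do
        rel=${path#"$root"}          # judge only the part below ROOT
        case $rel in
            .*|*/.*) echo "HIDDEN $path" ;;
            *)       echo "OK $path" ;;
        esac
    done
}

# Constructed sample tree: one setuid file in a normal directory, one in a
# directory named ".hidden", and one ordinary file that must not be listed.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin/.hidden"
    : > "$d/bin/tool";         chmod 4755 "$d/bin/tool"
    : > "$d/bin/.hidden/tool"; chmod 4755 "$d/bin/.hidden/tool"
    : > "$d/bin/plain";        chmod 0755 "$d/bin/plain"
    echo "$d"
}

# Demo run against the constructed tree, limited to files we own.
demo=$(make_demo_tree)
suid_audit "$demo" "$(id -u)"
rm -rf "$demo"
```

On a real host, run it as root against / without an owner argument and compare the result with the list of setuid programs the distribution is expected to ship.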
