Category: Nebula

Nebula: Level00

About

This level requires you to find a Set User ID program that will run as the “flag00” account. You could also find this by carefully looking in top level directories in / for suspicious looking directories.

Alternatively, look at the find man page.

To access this level, log in as level00 with the password of level00.

Source code

There is no source code available for this level

 

Solution

As hinted use the command “find” to find an executable with the correct permissions.  The command that can be used to do this is as follows.

$ find / -perm /u=s -user flag00

Here find tries to find any executable inside the root directory with permissions for the user (u) to set (s) upon execution (-perm /u=s) we then specify the user (-user flag00).  However this creates an output which we cannot completely scroll through therefore we need to somehow truncate it to only show the things we want.

capture

These “Permission denied” lies are from outputs to stderr where stdin=0, stdout=1, stderr=2.  Therefore adding a redirection flag at the end we can send the error output to somewhere.

$ find / -perm /u=s -user flag00 2>somewhere

However upon trying to send it to a file such as asdf.txt, you get permission denied.  We can send it to a special file /dev/null which has a file size of 0 no matter what.  Anything you write to it will be deleted and thus we are “writing something without writing anything”.  (there are others such as /dev/full and /dev/zero)  This gives us…

$ find / -perm /u=s -user flag00 2>/dev/null

capture

We can see that there are two candidates for an executable.  However we can’t see the actual directory in which they are stored in.  However..just typing the directory directly into the terminal will still execute it.  If we wanted to double check we would always use ls -al to check the permission flags but this will do

$ /rofs/bin/.../flag00

capture

References:

http://askubuntu.com/questions/12098/what-does-outputting-to-dev-null-accomplish-in-bash-scripts

https://linux.die.net/man/1/chmod

https://linux.die.net/man/1/find

https://linux.die.net/man/1/find

http://www.aboutlinux.info/2006/01/inputoutput-redirection-made-simple-in.html