Intro
So this is more of a reminder post to myself to track my progress through this thing, but I thought I might as well do a post seeing as there are already about 6 other solutions out there and the authors don't seem to mind walkthroughs too much.
That being said, this is level 00. If you're getting stuck on this, you should seriously try harder before you look at the solution. If you want to check your work, however, and think you have the solution, feel free to read on :)
For Nebula's level 00 exercise, we are tasked with finding a setuid program that will run as the flag00 user. We are also given the hint that reading the manual page for the find command may help us find where this file is located.
So my first approach to this was to look up the manual page for the find command. However, the manual page for the find command contains many different options and switches. Let's try to grep out anything mentioning setuid or something along those lines, shall we?
Solving the Problem
First we log in with the username level00 and the password level00. Following this we issue the following command:
man find | grep -i suid
\( -perm -4000 -fprintf /root/suid.txt %#m %u %p\n \) , \
into /root/suid.txt and large files into /root/big.txt.
We see that we could run find / -perm -4000 to find all of the files with the setuid bit set from the root directory downwards. But why is this the case? If we look up setuid on Wikipedia we get the following information:
The setuid and setgid bits are normally set with the command chmod by setting the high-order octal digit to 4 for setuid or 2 for setgid. "chmod 6711 file" will set both the setuid and setgid bits (2+4=6) (Wikipedia, 2015, June 12 2015, https://en.wikipedia.org/wiki/Setuid)
Thus from this we can see that within the UNIX privilege management system, the first number (the 6 in chmod 6711) denotes whether the file has setuid or setgid permissions or not. Thus by searching for files via find / -perm -4000 we are effectively searching for all of the files which have the setuid bit set. However, this could return quite a few files, so let's redirect the output to a file and then cat the result.
level00@nebula:~$ find / -perm -4000 > /tmp/results.txt
level00@nebula:~$ cat /tmp/results.txt
Ah, there we go :) We see that there is a file /bin/.../flag00 which seems to hold the suid flag that we need to complete this level. Let's check:
level00@nebula:~$ ls -alh /bin/.../flag00
-rwsr-x--- 1 flag00 level00 7.2K 2011-11-20 21:22 /bin/.../flag00
That looks like the one :) And if we execute it and then run getflag, we will see we have completed the challenge:
Congrats, now run getflag to get your flag!
You have successfully executed getflag on a target account
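The same find / -perm -4000 search is also how an administrator audits a box for unexpected setuid files. The script below is an added example, not part of the original walkthrough or the Nebula materials: it lists setuid files under a directory, marks any that sit under a dot-prefixed directory (like the /bin/... above) and any that are missing from a baseline list. The function names, the baseline file format and the demo tree are assumptions, and the demo files are constructed.

```shell
#!/bin/sh
# Added example: audit setuid files under ROOT.
# usage: suid_audit ROOT [BASELINE]
# prints "<mode> <owner> <path>[ flags]" for every setuid regular file.
suid_audit() {
    root=$1
    baseline=${2:-/dev/null}   # assumed allowlist format: one known-good path per line
    # -perm -4000 matches when the setuid bit is set, whatever the other bits are.
    # -xdev stays on one filesystem; 2>/dev/null hides "Permission denied" noise.
    find "$root" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r path; do
        # Fields 1 and 3 of ls -ld are the mode string (e.g. -rwsr-x---) and the owner.
        meta=$(ls -ld -- "$path" | awk '{print $1, $3}')
        flags=
        case $path in
            */.*) flags="$flags hidden-path" ;;   # a path component starts with "."
        esac
        grep -qxF -- "$path" "$baseline" || flags="$flags not-in-baseline"
        printf '%s %s%s\n' "$meta" "$path" "$flags"
    done
}

# Constructed demo tree: empty files, one setuid file hidden under a "..." directory,
# one setuid file that the baseline already knows about, one ordinary file.
build_demo_tree() {
    mkdir -p "$1/tree/bin/..." "$1/tree/usr/bin"
    : > "$1/tree/bin/.../flag00"; chmod 4750 "$1/tree/bin/.../flag00"
    : > "$1/tree/usr/bin/passwd"; chmod 4755 "$1/tree/usr/bin/passwd"
    : > "$1/tree/bin/ls";         chmod 0755 "$1/tree/bin/ls"
    echo "tree/usr/bin/passwd" > "$1/baseline.txt"
}

# Demo run against the constructed tree (relative paths, so the baseline matches).
demo=$(mktemp -d)
build_demo_tree "$demo"
(cd "$demo" && suid_audit tree baseline.txt)
rm -rf "$demo"
```

On a real host the baseline would hold absolute paths captured from a known-good run of suid_audit / and the report would be diffed against it on a schedule.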