Nebula - 00


After a long break from posting something, I’m pleased to start the new series - Exploit Development.

I decided to start with the Nebula challenge from exploit.education.

The idea is to walk through and document my journey in the order Nebula → Phoenix → Fusion.

Getting started

To get started, you need to download a Nebula .iso file; you can find it here.

I’m currently running the live version of that VM. To log in, you can use nebula/nebula as credentials.

To access the first level, log in as level00 with the password of level00. For the sake of usability, I ssh to the machine as that user. The objective of the first level is to find the binary with the SUID bit set.

Finding the flag

To find that binary we will use the find command.

level00@nebula:/home/level00$ cd ~
level00@nebula:~$ find / -perm -u=s 2>/dev/null | grep flag*

/ will start the search in the root directory

-perm will look for specific permissions for the file

-u=s will find only files with the SUID bit set

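2>/dev/null redirects all errors to /dev/null to keep the output readable

| grep flag* keeps only the results that have flag in the path (quoting the pattern, as in grep 'flag', stops the shell from expanding flag* against files in the current directory)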

Our find command finds a binary located at /bin/.../flag00. Let’s run it:

level00@nebula:~$ find / -perm -u=s 2>/dev/null | grep flag*
/bin/.../flag00
/rofs/bin/.../flag00

level00@nebula:~$ /bin/.../flag00 
Congrats, now run getflag to get your flag!

flag00@nebula:~$ getflag 
You have successfully executed getflag on a target account

flag00@nebula:~$ id
uid=999(flag00) gid=1001(level00) groups=999(flag00),1001(level00)
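
The same find predicate can be turned into a small audit of setuid files. This is an added example, not code from the original post; the function name suid_audit and its flag names are hypothetical. It lists every setuid file under a directory and marks the ones that sit under a dot-prefixed directory (like the /bin/.../ seen above), are owned by a non-root account, or are world-writable.

```sh
#!/bin/sh
# Added example: suid_audit and its flag names are hypothetical, not from the post.
# Usage: suid_audit ROOT
# Prints one line per setuid regular file: FLAGS<TAB>UID<TAB>MODE<TAB>PATH

suid_audit() {
    root=${1:-/}
    # -xdev        stay on ROOT's filesystem (skips /proc, network mounts)
    # -type f      regular files only
    # -perm -4000  setuid bit set whatever the other bits are (same as -u=s)
    find "$root" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r path; do
        # Symbolic mode and numeric owner from ls (portable; no GNU stat needed).
        read -r mode _links uid _rest <<EOF
$(ls -ldn -- "$path")
EOF
        flags=""
        # Judge only the part below ROOT, so ROOT's own name is never flagged.
        rel=${path#"$root"}
        case "/$rel" in
            */.*) flags="${flags}hidden-path," ;;
        esac
        # Setuid to an ordinary account is unusual in system directories.
        if [ "$uid" != "0" ]; then
            flags="${flags}non-root-owner,"
        fi
        # Character 9 of the mode string is the "other write" bit.
        case "$mode" in
            ????????w*) flags="${flags}world-writable," ;;
        esac
        flags=${flags%,}
        printf '%s\t%s\t%s\t%s\n' "${flags:-ok}" "$uid" "$mode" "$path"
    done
}

# Run only when a directory is given, e.g.: sh suid_audit.sh /bin
if [ "$#" -gt 0 ]; then
    suid_audit "$1"
fi
```

Comparing the output against a known-good baseline of the distribution's setuid files makes additions such as flag00 stand out.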
