Nebula – walkthrough – EXPLOIT (level00)

Nebula : flag00

Hey, guys i just decided to solve the Nebula machine from exploit education.

I’ve also made a youtube video about it which you can refer to.

Youtube link : https://youtu.be/9Xd28FjugM8

Blog : https://blankdash.wordpress.com/2020/02/18/nebula-walkthrough-exploit-level00/

nebula is a vulnurable VM that teaches a variety of common (and less than common) weaknesses and vulnerabilities in Linux. Below listed are some of the things that we would be able to learn.

  1. SUID files
  2. Permissions
  3. Race conditions
  4. Shell meta-variables
  5. $PATH weaknesses
  6. Scripting language weaknesses
  7. Binary compilation failures

At the end of Nebula, the user will have a reasonably thorough understanding of local attacks against Linux systems, and a cursory look at some of the remote attacks that are possible.

So lets get started, Download the image from here the above give url and mount it on your VM. The username and passwords are as given below for the VM.

login


Username: nebula

Password: nebula

Navigate to level00, the task for the level00 is to run a executable file thats located somewhere on the filesystem. Inorder to do that we will use the find command.

As always manual pages would help, “man find”.


Login to the VM using the uname and password : nebula

once logged in, lets try using the find command to locate to the file.

Since this file a Set UID program, it would have a executable permission. Lets try finding all executable files in the system.

$ find / -perm 4000

find

You can see this would return in a lot of errors since, we do not have permission to access the entire file system.


errors

Now lets try to redirect all of the errors to a different place in the filesystem which we have access to, in most cases temperory storage spaces like “/dev/null”, “/dev/shm”, “/tmp/” would be a good choice to redirect errors. Inorder to redirect errors you should be familiar with standin, standout and errors in the file system.

Stanin – is represented by 0

standout – is represented by 1

Errors – are represented by 2

Thus running the below command will redirect all errors to a different place, allowing us only to view the results.

$ find / -perm 4000 2>/dev/null


redirect errors

This leaves us with nothing, since we do not have an exact match. We could find partial matches for the file permissions in the system.

$ find / -perm -4000 2>/dev/null



results

We do have a lot of results, what we can do is to pipe the output to more and look at all the results or something similar, but we do know that its named “flag00” so i could grep for all results that contain the name “flag00”

$ find / -perm -4000 2>/dev/null | grep flag00


filter for flag

 We have a couple of results, lets take a look into the “/bin/…/flag00”

“…” – here is a directory.

$ cd /bin/…/

$ ls -la

$ ./flag00


execute file

so we get an error, looking at the challenge, we do know that we have to login as “level00” with a password “level00” to execute the file. Lets try doing that.

$ su level00

$ cd /bin/…/

$ ./flag00

we might have to run “getflag” to complete the challenge

$ getflag


getflag

Thats it for level00, hope you have learnt something. Ill come up with another post for the next level.

Later.

-blankdash

E-mail me when people leave their comments –

You need to be a member of CISO Platform to add comments!

Join CISO Platform