Before we get started on the how-to basics of Nebula’s level00, let’s briefly go over what Nebula is and how it relates to operating-system exploitation. Nebula is a Linux-based operating system image with capture-the-flag (CTF) levels, designed to let the user explore weaknesses in a Linux system. As stated on Nebula’s website, it covers the core security concepts listed below; if you don’t know what they mean, you should do some serious research before tackling the Nebula exercises, because these topics are crucial to solving the problems.
- SUID files
- Race conditions
- Shell meta-variables
- $PATH weaknesses
- Scripting language weaknesses
- Binary compilation failures
Dummy’s Guide To Level00
As you may know, every user starts at level00. The objective of every level is to capture the flag. The flag is not trivial to grab, because it requires you to manipulate the operating system. With that said, let’s go through a step-by-step guide to obtaining flag00.
Luckily, since it’s the first level of Nebula, the difficulty is lenient, so we won’t be tackling any programming for now.
“This level requires you to find a Set User ID program that will run as the “flag00” account. You could also find this by carefully looking in top level directories in / for suspicious looking directories.”
Every hack begins with a little research. For this level, we need some background on what “Set User ID” means. SUID is a Unix access-rights flag that allows a user to run an executable with the permissions of the file’s owner rather than their own. It is a mechanism that lets users run certain programs with escalated privileges. To identify a file that has SUID set, you need to look at its permission bits. Permission bits are written in octal, with each octal digit representing a file permission type. To look at a file’s permissions:
ls -la <fileName>
This command lets you inspect a file’s permission bits and the permission type each of them corresponds to. Level00 states that we need to find the SUID program that runs as flag00. This tells us that the file we’re looking for has whatever permission bit value SUID is.
After a quick Google search for which permission bit denotes SUID: the octal value of SUID is 4000. Octal values are how file permissions are classified, and for SUID the leading permission digit is 4. So the file we’re looking for has the 4000 bit set and is located somewhere under the top-level directory /. Since there are thousands of files under /, we don’t have the time to run stat -c on each one individually, so we’re going to use bash and a few handy commands to pinpoint our flag.
A useful command for searching through a directory is find. If that command is completely unfamiliar to you, the man page (man find) can always help.
It is a very simple yet efficient command.
For this step, you’ll probably want to take a step back and go over how to use the find command to our advantage. Keep looking for the right find expression. In this level, we need an expression that filters on the SUID bit and finds the file associated with “flag”.
Great! After you’re done reading the man page, hopefully you have a basic understanding of what find is and how we can add options to it to narrow our file search. Here’s the command we’re going to use to look for our file. Make sure you understand what it means before you actually type it into your Linux terminal:
find / -perm /u=s -user flag00
What is this arbitrary thing?!
Let’s dissect this.
find / <- We’re using find to search from the top-level directory /, as stated in the level00 problem.
-perm /u=s -user flag00 <- Since we’re trying to locate the SUID program, this limits our search to files with the SUID bit set that are owned by the user flag00.
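As an added example that is not part of the original post: a small POSIX shell script that checks the setuid bit both from the symbolic mode printed by ls -l and from an octal mode, and runs the same kind of find expression over a constructed sandbox directory (using the portable -perm -4000 in place of GNU find’s -perm /u=s), so you can see what the level’s search does before running it on the VM. All file names and the sandbox are assumptions constructed for the demo; none of Nebula’s paths are used.

```shell
#!/bin/sh
# Added example, not from the original post: audit helpers for set-user-ID
# files. All sample files below are constructed in a temporary directory.

# has_suid_mode MODE: MODE is the symbolic permission string printed by
# `ls -l`, e.g. -rwsr-xr-x. The owner's execute slot (4th character) shows
# 's' when setuid+exec is set and 'S' when setuid is set without exec.
has_suid_mode() {
    case "$1" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# octal_has_suid OCTAL: OCTAL is a 4-digit mode such as 4755 (what
# `stat -c %a` prints on GNU systems). The 4000 bit is setuid, so the
# leading digit is 4, 5, 6 or 7 when it is set; 0755 or 755 are not setuid.
octal_has_suid() {
    case "$1" in
        [4567]???) return 0 ;;
        *)         return 1 ;;
    esac
}

# find_suid_files DIR: list regular files under DIR with the setuid bit set.
# `-perm -4000` is the portable spelling of the post's GNU-only `-perm /u=s`.
# Unreadable directories produce "Permission denied" on stderr when run from
# /, which is why the post's command is usually followed by 2>/dev/null.
find_suid_files() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# demo_find_suid: build a constructed sandbox with one plain executable and
# one setuid executable, run the audit, print the hits and succeed on exactly one.
demo_find_suid() {
    sandbox=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho plain\n' > "$sandbox/plain_tool"
    printf '#!/bin/sh\necho suid\n'  > "$sandbox/suid_tool"
    chmod 0755 "$sandbox/plain_tool"
    chmod 4755 "$sandbox/suid_tool"      # set the 4000 (setuid) bit
    hits=$(find_suid_files "$sandbox")
    printf '%s\n' "$hits"
    rm -rf "$sandbox"
    [ "$hits" = "$sandbox/suid_tool" ]   # exactly one hit, the setuid file
}
```

Running demo_find_suid prints only the setuid file, which is the same effect the level’s find / -perm /u=s -user flag00 has across the whole filesystem, with -user narrowing the hits to one owner.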
Hopefully you won’t encounter errors while running this simple command. Since we’re trying to capture the flag, the file we want will obviously contain the name “flag”. After running the find command, the terminal outputs a bunch of paths to files that have the SUID bit (4000) set and are owned by flag00. Look through those paths and search for the file that looks oddly enough like a flag file.
If done correctly, you’ve probably ended up finding this directory path.
Congrats! You’re almost done. Now literally type the path, /bin/…/flag00, into your bash terminal, and the computer will output this:
Congrats, now run getflag to get your flag!
Now type in “getflag”, and you have successfully captured the flag! Nice job! Level00 is complete, and that’s the basics of what CTF is all about: “basically” just getting the flag.
You have successfully executed getflag on a target account
So what’s the whole big deal?
In conclusion, level00 is just the basics. It teaches you what SUID is and how to use the find command to pinpoint files, in this case files that could be abused. Knowing what permission bits are is a huge advantage when exploiting operating systems. In essence, just remember what permission bits are and how they relate to file permissions. Remembering the basics of file security is part of “ethical” hacking, or just everyday computer knowledge you should have.
After your successful level00 hack, it’s time to start hacking on level01, where you’ll learn to get the flag without being the user itself!