Nebula exploit exercises walkthrough – level01


There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?

The executable is located in the /home/flag01 directory. On running it, we get the expected output:

Importantly, if we check the permissions on the executable:

We can see that this file also has the suid bit set. The problem then is, how do we get this to run “getflag”?

The executable does nothing with command line parameters so we can’t pass anything in there. It does however call echo to output the text. echo is a built-in command to bash (i.e. not a discrete executable like ping would be), so we normally couldn’t override what it does.

However notice that the system call uses /user/bin/env before echo – where is this normally seen? At the start of scripts where we define the interpreter with a shebang.

The reason that /usr/bin/env is used is that scripts need a full path to the interpreter. python could be anywhere, and it is awkward to modify scripts to use a full path from system to system. /usr/bin/env searches the path for the command passed to it and runs it.

This means we can provide our own echo, modify the path so that this echo is called in preference to the built-in, and then we can run arbitrary commands.

The easiest way to provide our own echo that runs getflag is to just create a symbolic link.

Again – relatively simple. Symbolic links are useful tools for bypassing name and location checks!

6 thoughts on “Nebula exploit exercises walkthrough – level01

  1. Permalink  ⋅ Reply


    December 14, 2015 at 3:15am

    ln -s /bin/getflag echo need sudo permission, it not work

    • Permalink  ⋅ Reply


      January 8, 2016 at 4:12am

      Don’t try to create the symbolic link in the /home/flag01 , create it in your home directory instead /home/level01 . you don’t have access to the write in the folder /home/flag01

    • Permalink  ⋅ Reply


      January 21, 2016 at 9:23am

      Without giving too much away – try putting the symbolic link somewhere you have permission to execute – you will also need to modify the path to reflect this change of course.

    • Permalink  ⋅ Reply


      January 23, 2016 at 12:37am

      The permissions are a problem only if you lack write access in your current directory. Try:
      cd ~
      ln -s /bin/getflag echo

    • Permalink  ⋅ Reply


      February 10, 2016 at 2:11pm

      Yep, it doesn’t. Try to use ‘ln -s /bin/getflag /tmp/echo’ and change PATH to ‘/tmp’

  2. Permalink  ⋅ Reply


    April 20, 2016 at 9:41pm

    Alternatively, you may just change your PATH to include the local directory and run l1; it will use the /home/level01/echo program.

Leave a Reply

Your email will not be published. Name and Email fields are required.