I’ve felt for a long time that whilst I understand a lot of vulnerabilities and exploits, I don’t have enough knowledge to actually build exploits myself. Reading is all well and good, but doing is better, especially when it comes to development.
To make learning easier, there are several virtual machine images you can download which have a series of challenges, getting progressively harder. The one I chose to do is called Nebula from exploit-exercises.com – it was recommended on several forums.
Getting up and running is very easy – download the ISO and run it from any virtualisation software. I’m using Parallels on Mac OS X.
I’m going to go through each level one by one!
level00
This level requires you to find a Set User ID program that will run as the “flag00” account. You could also find this by carefully looking in top level directories in / for suspicious looking directories.
Alternatively, look at the find man page.
I always prefer the lazy, more reliable method i.e. using find.
We need to find an executable that is owned by flag00 and has the suid bit set. If suid is set, the executable will run as the owner of the file, rather than the person running it.
The command here is simple:
level00@nebula:~$ find / -perm /u=s -user flag00 2>/dev/null
/bin/.../flag00
/rofs/bin/.../flag00
The directory name of … has been used to try to hide the file.
level00@nebula:~$ ls -asl /bin/.../
total 8
0 drwxr-xr-x 2 root root 29 2011-11-20 21:22 .
0 drwxr-xr-x 3 root root 2728 2012-08-18 02:50 ..
8 -rwsr-x--- 1 flag00 level00 7358 2011-11-20 21:22 flag00
As you can see this is owned by flag00 and instead of just being executable (-rwx-r-x—) it is suid (-rws-r-x—).
Run this file and you end up in a flag00 shell:
level00@nebula:~$ /bin/.../flag00
Congrats, now run getflag to get your flag!
flag00@nebula:~$ getflag
You have successfully executed getflag on a target account
iZsh
June 5, 2014 at 2:13pmHello,
it’s great that you’re enjoying the game, but in the wargames community, doing write-ups about levels is considered disrespectful toward the authors.
People who need help to solve levels can usually get educated hints (as private message) on dedicated IRC channels.
cybergibbons
June 5, 2014 at 4:17pmWhy is Nebula different to any CTF write-up? Unless you seek out solutions, you won’t find them. There are also at least 5 other walkthroughs out there already.
iZsh
June 6, 2014 at 9:33amWe can of course displace the discussion, but does it matter for the authors in the end? IMHO, anything else is just a debating distraction from this main point.
Having said that and keeping in mind those are not the issue I was trying to raise, I’ll answer your question.
I think CTF write-ups are different because the intent and wishes of the authors are different. It’s usually a “one time game’. For some CTF write-ups are even mandatory, and authors welcome them because they want to see how people solve their challs and it’s their reward for designing them since they know (almost) no one else will ever play those challs anyway.
Whereas for wargames, usually the intent is to keep it alive as long as possible. The approach is more pedagogical. The authors also like to know/see how people are struggling, how long it takes them to solve a given level, which levels seem more difficult than others. They like to know people can’t cheat because the game is still on-going. As soon as you have write-ups out there, the taste is sour.
Also, let’s be real, someone struggling for days and stuck on a specific level will eventually google it. If there are no solutions out there, he will be forced to come to IRC (or mail), and that enable the authors to give educated hints (which is way better than a full solution, from a pedagogic point of view). It can also happens that you’re trying to find a general idea about what the vulnerability would be and you stumble upon the full solution without intending to.
NB: I’m really sorry if this comes up as very harsh, I didn’t mean to, after all I subscribed to your feed because I liked your blog. But having played a lot of wargames, and seeing on IRC how authors are usually sad when they discover write-ups online, I thought I’d drop a comment about it.
cybergibbons
June 6, 2014 at 10:15pmI really have to disagree.
A lot of CTFs are preserved as wargames after they are complete. Simply avoid the write-ups if you don’t want to spoil them.
The authors of Nebula seem to have implicitly approved write-ups on twitter: https://twitter.com/exploitexercise/status/146830531580010496
There doesn’t appear to be IRC help for Nebula, and the authors of Nebula seem to have been un-contactable for almost a year.
Wargames authors who want to keep write-ups off the web seem to explicitly request that you don’t write up the challenges. For example the Matasano crypto challenges ask for this. Yet they are fine with Microcorruption being written up.
I’ve spoken to a few people about this, and none of them think this is bad etiquette. There are enough write-ups of wargames available that I think this would have been raised before?
J
December 15, 2014 at 12:18pmThanks! Keep it up!
Eduard
October 2, 2015 at 3:20amHi all!
I see that the exploit exercises website is down! do u know if it’s momentary or completely down?
Eduard
October 12, 2015 at 6:23pmHi.
I am really interested in trying the nebula exercises but I see that the exploit-exercises website is down, do you know if this is for a while or it’s in a different domain?
Thanks!
Han
February 12, 2017 at 3:37amI don’t get it. In reality, what is next after I found /bin/…/flag00?? How do I make use of it to gain root privilege to run commands as root??
Dritzz
January 28, 2018 at 2:07amWhile I appreciate the write up, is it possible to have a page that just gives hints with a link at the bottom for the walk through, instead of only the walk through?