Image of Nebula Terminal

This level requires you to find a Set User ID program that will run as the “flag00” account. You could also find this by carefully looking in top level directories in / for suspicious looking directories. Alternatively, look at the find man page.

To access this level, log in as level00 with the password of level00.

Source code

There is no source code available for this level

Solution

First I tried to go to path of flag00 account (generic /home/flag00).

level00@nebula:~$ cd /home/flag00/

And then I tried to list everything in that folder:

level00@nebula:/home/flag00$ ls
level00@nebula:/home/flag00$ ls -al
total 5
drwxr-x--- 2 flag00 level00   66 Nov 20  2011 .
drwxr-xr-x 1 root   root     200 Aug 27  2012 ..
-rw-r--r-- 1 flag00 flag00   220 May 18  2011 .bash_logout
-rw-r--r-- 1 flag00 flag00  3353 May 18  2011 .bashrc
-rw-r--r-- 1 flag00 flag00   675 May 18  2011 .profile
level00@nebula:/home/flag00$

Nothing in it. No Set User ID program. Fine! How do I search at system level for a No Set User ID program? Well, like that:

level00@nebula:/home/flag00$ find / -user flag00 -perm -4000 -exec ls -ldb {} \;
-rwsr-x--- 1 flag00 level00 7358 Nov 20  2011 /bin/.../flag00
find: `/etc/chatscripts': Permission denied
find: `/etc/ppp/peers': Permission denied
find: `/etc/ssl/private': Permission denied
find: `/home/flag01': Permission denied
find: `/home/flag02': Permission denied
find: `/home/flag03': Permission denied
find: `/home/flag04': Permission denied
find: `/home/flag05': Permission denied
find: `/home/flag06': Permission denied
find: `/home/flag07': Permission denied
find: `/home/flag08': Permission denied
find: `/home/flag09': Permission denied
find: `/home/flag10': Permission denied
find: `/home/flag11': Permission denied
find: `/home/flag12': Permission denied
find: `/home/flag13': Permission denied
find: `/home/flag14': Permission denied
find: `/home/flag15': Permission denied
find: `/home/flag16': Permission denied
find: `/home/flag17': Permission denied
find: `/home/flag18': Permission denied
find: `/home/flag19': Permission denied
find: `/home/level01': Permission denied
find: `/home/level02': Permission denied
find: `/home/level03': Permission denied
find: `/home/level04': Permission denied
find: `/home/level05': Permission denied
find: `/home/level06': Permission denied
find: `/home/level07': Permission denied
find: `/home/level08': Permission denied
find: `/home/level09': Permission denied
find: `/home/level10': Permission denied
find: `/home/level11': Permission denied
find: `/home/level12': Permission denied
find: `/home/level13': Permission denied
find: `/home/level14': Permission denied
find: `/home/level15': Permission denied
find: `/home/level16': Permission denied
find: `/home/level17': Permission denied
find: `/home/level18': Permission denied
find: `/home/level19': Permission denied
find: `/home/nebula/.ssh': Permission denied
find: `/proc/tty/driver': Permission denied
find: `/proc/1/task/1/fd': Permission denied
find: `/proc/1/task/1/fdinfo': Permission denied
find: `/proc/1/task/1/ns': Permission denied
find: `/proc/1/fd': Permission denied
find: `/proc/1/fdinfo': Permission denied
find: `/proc/1/ns': Permission denied
find: `/proc/2/task/2/fd': Permission denied
find: `/proc/2/task/2/fdinfo': Permission denied
find: `/proc/2/task/2/ns': Permission denied
find: `/proc/2/fd': Permission denied
find: `/proc/2/fdinfo': Permission denied
find: `/proc/2/ns': Permission denied
find: `/proc/3/task/3/fd': Permission denied
find: `/proc/3/task/3/fdinfo': Permission denied
find: `/proc/3/task/3/ns': Permission denied
find: `/proc/3/fd': Permission denied
find: `/proc/3/fdinfo': Permission denied
find: `/proc/3/ns': Permission denied
find: `/proc/6/task/6/fd': Permission denied
find: `/proc/6/task/6/fdinfo': Permission denied
find: `/proc/6/task/6/ns': Permission denied
find: `/proc/6/fd': Permission denied
find: `/proc/6/fdinfo': Permission denied
find: `/proc/6/ns': Permission denied
find: `/proc/7/task/7/fd': Permission denied
find: `/proc/7/task/7/fdinfo': Permission denied
find: `/proc/7/task/7/ns': Permission denied
find: `/proc/7/fd': Permission denied
find: `/proc/7/fdinfo': Permission denied
find: `/proc/7/ns': Permission denied
find: `/proc/8/task/8/fd': Permission denied
find: `/proc/8/task/8/fdinfo': Permission denied
find: `/proc/8/task/8/ns': Permission denied
find: `/proc/8/fd': Permission denied
find: `/proc/8/fdinfo': Permission denied
find: `/proc/8/ns': Permission denied
find: `/proc/9/task/9/fd': Permission denied
find: `/proc/9/task/9/fdinfo': Permission denied
find: `/proc/9/task/9/ns': Permission denied
find: `/proc/9/fd': Permission denied
find: `/proc/9/fdinfo': Permission denied
find: `/proc/9/ns': Permission denied
find: `/proc/10/task/10/fd': Permission denied
find: `/proc/10/task/10/fdinfo': Permission denied
find: `/proc/10/task/10/ns': Permission denied
find: `/proc/10/fd': Permission denied
find: `/proc/10/fdinfo': Permission denied
find: `/proc/10/ns': Permission denied
find: `/proc/11/task/11/fd': Permission denied
find: `/proc/11/task/11/fdinfo': Permission denied
find: `/proc/11/task/11/ns': Permission denied
find: `/proc/11/fd': Permission denied
find: `/proc/11/fdinfo': Permission denied
find: `/proc/11/ns': Permission denied
find: `/proc/12/task/12/fd': Permission denied
find: `/proc/12/task/12/fdinfo': Permission denied
find: `/proc/12/task/12/ns': Permission denied
find: `/proc/12/fd': Permission denied
find: `/proc/12/fdinfo': Permission denied
find: `/proc/12/ns': Permission denied
find: `/proc/13/task/13/fd': Permission denied
find: `/proc/13/task/13/fdinfo': Permission denied
find: `/proc/13/task/13/ns': Permission denied
find: `/proc/13/fd': Permission denied
find: `/proc/13/fdinfo': Permission denied
find: `/proc/13/ns': Permission denied
find: `/proc/14/task/14/fd': Permission denied
find: `/proc/14/task/14/fdinfo': Permission denied
find: `/proc/14/task/14/ns': Permission denied
find: `/proc/14/fd': Permission denied
find: `/proc/14/fdinfo': Permission denied
find: `/proc/14/ns': Permission denied
find: `/proc/15/task/15/fd': Permission denied
find: `/proc/15/task/15/fdinfo': Permission denied
find: `/proc/15/task/15/ns': Permission denied
find: `/proc/15/fd': Permission denied
find: `/proc/15/fdinfo': Permission denied
find: `/proc/15/ns': Permission denied
find: `/proc/16/task/16/fd': Permission denied
find: `/proc/16/task/16/fdinfo': Permission denied
find: `/proc/16/task/16/ns': Permission denied
find: `/proc/16/fd': Permission denied
find: `/proc/16/fdinfo': Permission denied
find: `/proc/16/ns': Permission denied
find: `/proc/18/task/18/fd': Permission denied
find: `/proc/18/task/18/fdinfo': Permission denied
find: `/proc/18/task/18/ns': Permission denied
find: `/proc/18/fd': Permission denied
find: `/proc/18/fdinfo': Permission denied
find: `/proc/18/ns': Permission denied
find: `/proc/20/task/20/fd': Permission denied
find: `/proc/20/task/20/fdinfo': Permission denied
find: `/proc/20/task/20/ns': Permission denied
find: `/proc/20/fd': Permission denied
find: `/proc/20/fdinfo': Permission denied
find: `/proc/20/ns': Permission denied
find: `/proc/21/task/21/fd': Permission denied
find: `/proc/21/task/21/fdinfo': Permission denied
find: `/proc/21/task/21/ns': Permission denied
find: `/proc/21/fd': Permission denied
find: `/proc/21/fdinfo': Permission denied
find: `/proc/21/ns': Permission denied
find: `/proc/22/task/22/fd': Permission denied
find: `/proc/22/task/22/fdinfo': Permission denied
find: `/proc/22/task/22/ns': Permission denied
find: `/proc/22/fd': Permission denied
find: `/proc/22/fdinfo': Permission denied
find: `/proc/22/ns': Permission denied
find: `/proc/23/task/23/fd': Permission denied
find: `/proc/23/task/23/fdinfo': Permission denied
find: `/proc/23/task/23/ns': Permission denied
find: `/proc/23/fd': Permission denied
find: `/proc/23/fdinfo': Permission denied
find: `/proc/23/ns': Permission denied
find: `/proc/24/task/24/fd': Permission denied
find: `/proc/24/task/24/fdinfo': Permission denied
find: `/proc/24/task/24/ns': Permission denied
find: `/proc/24/fd': Permission denied
find: `/proc/24/fdinfo': Permission denied
find: `/proc/24/ns': Permission denied
find: `/proc/25/task/25/fd': Permission denied
find: `/proc/25/task/25/fdinfo': Permission denied
find: `/proc/25/task/25/ns': Permission denied
find: `/proc/25/fd': Permission denied
find: `/proc/25/fdinfo': Permission denied
find: `/proc/25/ns': Permission denied
find: `/proc/26/task/26/fd': Permission denied
find: `/proc/26/task/26/fdinfo': Permission denied
find: `/proc/26/task/26/ns': Permission denied
find: `/proc/26/fd': Permission denied
find: `/proc/26/fdinfo': Permission denied
find: `/proc/26/ns': Permission denied
find: `/proc/34/task/34/fd': Permission denied
find: `/proc/34/task/34/fdinfo': Permission denied
find: `/proc/34/task/34/ns': Permission denied
find: `/proc/34/fd': Permission denied
find: `/proc/34/fdinfo': Permission denied
find: `/proc/34/ns': Permission denied
find: `/proc/35/task/35/fd': Permission denied
find: `/proc/35/task/35/fdinfo': Permission denied
find: `/proc/35/task/35/ns': Permission denied
find: `/proc/35/fd': Permission denied
find: `/proc/35/fdinfo': Permission denied
find: `/proc/35/ns': Permission denied
find: `/proc/36/task/36/fd': Permission denied
find: `/proc/36/task/36/fdinfo': Permission denied
find: `/proc/36/task/36/ns': Permission denied
find: `/proc/36/fd': Permission denied
find: `/proc/36/fdinfo': Permission denied
find: `/proc/36/ns': Permission denied
find: `/proc/37/task/37/fd': Permission denied
find: `/proc/37/task/37/fdinfo': Permission denied
find: `/proc/37/task/37/ns': Permission denied
find: `/proc/37/fd': Permission denied
find: `/proc/37/fdinfo': Permission denied
find: `/proc/37/ns': Permission denied
find: `/proc/38/task/38/fd': Permission denied
find: `/proc/38/task/38/fdinfo': Permission denied
find: `/proc/38/task/38/ns': Permission denied
find: `/proc/38/fd': Permission denied
find: `/proc/38/fdinfo': Permission denied
find: `/proc/38/ns': Permission denied
find: `/proc/58/task/58/fd': Permission denied
find: `/proc/58/task/58/fdinfo': Permission denied
find: `/proc/58/task/58/ns': Permission denied
find: `/proc/58/fd': Permission denied
find: `/proc/58/fdinfo': Permission denied
find: `/proc/58/ns': Permission denied
find: `/proc/298/task/298/fd': Permission denied
find: `/proc/298/task/298/fdinfo': Permission denied
find: `/proc/298/task/298/ns': Permission denied
find: `/proc/298/fd': Permission denied
find: `/proc/298/fdinfo': Permission denied
find: `/proc/298/ns': Permission denied
find: `/proc/691/task/691/fd': Permission denied
find: `/proc/691/task/691/fdinfo': Permission denied
find: `/proc/691/task/691/ns': Permission denied
find: `/proc/691/fd': Permission denied
find: `/proc/691/fdinfo': Permission denied
find: `/proc/691/ns': Permission denied
find: `/proc/697/task/697/fd': Permission denied
find: `/proc/697/task/697/fdinfo': Permission denied
find: `/proc/697/task/697/ns': Permission denied
find: `/proc/697/task/712/fd': Permission denied
find: `/proc/697/task/712/fdinfo': Permission denied
find: `/proc/697/task/712/ns': Permission denied
find: `/proc/697/task/713/fd': Permission denied
find: `/proc/697/task/713/fdinfo': Permission denied
find: `/proc/697/task/713/ns': Permission denied
find: `/proc/697/task/714/fd': Permission denied
find: `/proc/697/task/714/fdinfo': Permission denied
find: `/proc/697/task/714/ns': Permission denied
find: `/proc/697/fd': Permission denied
find: `/proc/697/fdinfo': Permission denied
find: `/proc/697/ns': Permission denied
find: `/proc/699/task/699/fd': Permission denied
find: `/proc/699/task/699/fdinfo': Permission denied
find: `/proc/699/task/699/ns': Permission denied
find: `/proc/699/fd': Permission denied
find: `/proc/699/fdinfo': Permission denied
find: `/proc/699/ns': Permission denied
find: `/proc/709/task/709/fd': Permission denied
find: `/proc/709/task/709/fdinfo': Permission denied
find: `/proc/709/task/709/ns': Permission denied
find: `/proc/709/fd': Permission denied
find: `/proc/709/fdinfo': Permission denied
find: `/proc/709/ns': Permission denied
find: `/proc/793/task/793/fd': Permission denied
find: `/proc/793/task/793/fdinfo': Permission denied
find: `/proc/793/task/793/ns': Permission denied
find: `/proc/793/fd': Permission denied
find: `/proc/793/fdinfo': Permission denied
find: `/proc/793/ns': Permission denied
find: `/proc/794/task/794/fd': Permission denied
find: `/proc/794/task/794/fdinfo': Permission denied
find: `/proc/794/task/794/ns': Permission denied
find: `/proc/794/fd': Permission denied
find: `/proc/794/fdinfo': Permission denied
find: `/proc/794/ns': Permission denied
find: `/proc/874/task/874/fd': Permission denied
find: `/proc/874/task/874/fdinfo': Permission denied
find: `/proc/874/task/874/ns': Permission denied
find: `/proc/874/fd': Permission denied
find: `/proc/874/fdinfo': Permission denied
find: `/proc/874/ns': Permission denied
find: `/proc/898/task/898/fd': Permission denied
find: `/proc/898/task/898/fdinfo': Permission denied
find: `/proc/898/task/898/ns': Permission denied
find: `/proc/898/fd': Permission denied
find: `/proc/898/fdinfo': Permission denied
find: `/proc/898/ns': Permission denied
find: `/proc/973/task/973/fd': Permission denied
find: `/proc/973/task/973/fdinfo': Permission denied
find: `/proc/973/task/973/ns': Permission denied
find: `/proc/973/fd': Permission denied
find: `/proc/973/fdinfo': Permission denied
find: `/proc/973/ns': Permission denied
find: `/proc/1000/task/1000/fd': Permission denied
find: `/proc/1000/task/1000/fdinfo': Permission denied
find: `/proc/1000/task/1000/ns': Permission denied
find: `/proc/1000/fd': Permission denied
find: `/proc/1000/fdinfo': Permission denied
find: `/proc/1000/ns': Permission denied
find: `/proc/1044/task/1044/fd': Permission denied
find: `/proc/1044/task/1044/fdinfo': Permission denied
find: `/proc/1044/task/1044/ns': Permission denied
find: `/proc/1044/fd': Permission denied
find: `/proc/1044/fdinfo': Permission denied
find: `/proc/1044/ns': Permission denied
find: `/proc/1047/task/1047/fd': Permission denied
find: `/proc/1047/task/1047/fdinfo': Permission denied
find: `/proc/1047/task/1047/ns': Permission denied
find: `/proc/1047/fd': Permission denied
find: `/proc/1047/fdinfo': Permission denied
find: `/proc/1047/ns': Permission denied
find: `/proc/1052/task/1052/fd': Permission denied
find: `/proc/1052/task/1052/fdinfo': Permission denied
find: `/proc/1052/task/1052/ns': Permission denied
find: `/proc/1052/fd': Permission denied
find: `/proc/1052/fdinfo': Permission denied
find: `/proc/1052/ns': Permission denied
find: `/proc/1053/task/1053/fd': Permission denied
find: `/proc/1053/task/1053/fdinfo': Permission denied
find: `/proc/1053/task/1053/ns': Permission denied
find: `/proc/1053/fd': Permission denied
find: `/proc/1053/fdinfo': Permission denied
find: `/proc/1053/ns': Permission denied
find: `/proc/1055/task/1055/fd': Permission denied
find: `/proc/1055/task/1055/fdinfo': Permission denied
find: `/proc/1055/task/1055/ns': Permission denied
find: `/proc/1055/fd': Permission denied
find: `/proc/1055/fdinfo': Permission denied
find: `/proc/1055/ns': Permission denied
find: `/proc/1061/task/1061/fd': Permission denied
find: `/proc/1061/task/1061/fdinfo': Permission denied
find: `/proc/1061/task/1061/ns': Permission denied
find: `/proc/1061/fd': Permission denied
find: `/proc/1061/fdinfo': Permission denied
find: `/proc/1061/ns': Permission denied
find: `/proc/1062/task/1062/fd': Permission denied
find: `/proc/1062/task/1062/fdinfo': Permission denied
find: `/proc/1062/task/1062/ns': Permission denied
find: `/proc/1062/fd': Permission denied
find: `/proc/1062/fdinfo': Permission denied
find: `/proc/1062/ns': Permission denied
find: `/proc/1138/task/1138/fd': Permission denied
find: `/proc/1138/task/1138/fdinfo': Permission denied
find: `/proc/1138/task/1138/ns': Permission denied
find: `/proc/1138/fd': Permission denied
find: `/proc/1138/fdinfo': Permission denied
find: `/proc/1138/ns': Permission denied
find: `/proc/1148/task/1148/fd': Permission denied
find: `/proc/1148/task/1148/fdinfo': Permission denied
find: `/proc/1148/task/1148/ns': Permission denied
find: `/proc/1148/fd': Permission denied
find: `/proc/1148/fdinfo': Permission denied
find: `/proc/1148/ns': Permission denied
find: `/proc/1155/task/1155/fd': Permission denied
find: `/proc/1155/task/1155/fdinfo': Permission denied
find: `/proc/1155/task/1155/ns': Permission denied
find: `/proc/1155/fd': Permission denied
find: `/proc/1155/fdinfo': Permission denied
find: `/proc/1155/ns': Permission denied
find: `/proc/2750/task/2750/fd': Permission denied
find: `/proc/2750/task/2750/fdinfo': Permission denied
find: `/proc/2750/task/2750/ns': Permission denied
find: `/proc/2750/fd': Permission denied
find: `/proc/2750/fdinfo': Permission denied
find: `/proc/2750/ns': Permission denied
find: `/proc/2764/task/2764/fd': Permission denied
find: `/proc/2764/task/2764/fdinfo': Permission denied
find: `/proc/2764/task/2764/ns': Permission denied
find: `/proc/2764/fd': Permission denied
find: `/proc/2764/fdinfo': Permission denied
find: `/proc/2764/ns': Permission denied
find: `/proc/2912/task/2912/fd/5': No such file or directory
find: `/proc/2912/task/2912/fdinfo/5': No such file or directory
find: `/proc/2912/fd/5': No such file or directory
find: `/proc/2912/fdinfo/5': No such file or directory
find: `/root': Permission denied
find: `/sys/kernel/debug': Permission denied
find: `/var/cache/ldconfig': Permission denied
find: `/var/lib/php5': Permission denied
find: `/var/lib/sudo': Permission denied
find: `/var/spool/cron/atjobs': Permission denied
find: `/var/spool/cron/atspool': Permission denied
find: `/var/spool/cron/crontabs': Permission denied
-rwsr-x--- 1 flag00 level00 7358 Nov 20  2011 /rofs/bin/.../flag00
find: `/rofs/etc/chatscripts': Permission denied
find: `/rofs/etc/ppp/peers': Permission denied
find: `/rofs/etc/ssl/private': Permission denied
find: `/rofs/home/flag01': Permission denied
find: `/rofs/home/flag02': Permission denied
find: `/rofs/home/flag03': Permission denied
find: `/rofs/home/flag04': Permission denied
find: `/rofs/home/flag05': Permission denied
find: `/rofs/home/flag06': Permission denied
find: `/rofs/home/flag07': Permission denied
find: `/rofs/home/flag08': Permission denied
find: `/rofs/home/flag09': Permission denied
find: `/rofs/home/flag10': Permission denied
find: `/rofs/home/flag11': Permission denied
find: `/rofs/home/flag12': Permission denied
find: `/rofs/home/flag13': Permission denied
find: `/rofs/home/flag14': Permission denied
find: `/rofs/home/flag15': Permission denied
find: `/rofs/home/flag16': Permission denied
find: `/rofs/home/flag17': Permission denied
find: `/rofs/home/flag18': Permission denied
find: `/rofs/home/flag19': Permission denied
find: `/rofs/home/level01': Permission denied
find: `/rofs/home/level02': Permission denied
find: `/rofs/home/level03': Permission denied
find: `/rofs/home/level04': Permission denied
find: `/rofs/home/level05': Permission denied
find: `/rofs/home/level06': Permission denied
find: `/rofs/home/level07': Permission denied
find: `/rofs/home/level08': Permission denied
find: `/rofs/home/level09': Permission denied
find: `/rofs/home/level10': Permission denied
find: `/rofs/home/level11': Permission denied
find: `/rofs/home/level12': Permission denied
find: `/rofs/home/level13': Permission denied
find: `/rofs/home/level14': Permission denied
find: `/rofs/home/level15': Permission denied
find: `/rofs/home/level16': Permission denied
find: `/rofs/home/level17': Permission denied
find: `/rofs/home/level18': Permission denied
find: `/rofs/home/level19': Permission denied
find: `/rofs/home/nebula/.ssh': Permission denied
find: `/rofs/root': Permission denied
find: `/rofs/var/cache/ldconfig': Permission denied
find: `/rofs/var/lib/php5': Permission denied
find: `/rofs/var/lib/sudo': Permission denied
find: `/rofs/var/spool/cron/atjobs': Permission denied
find: `/rofs/var/spool/cron/atspool': Permission denied
find: `/rofs/var/spool/cron/crontabs': Permission denied
level00@nebula:/home/flag00$

Now that we found out the location (-rwsr-x— 1 flag00 level00 7358 Nov 20 2011 /rofs/bin/…​/flag00) let’s go there:

level00@nebula:/home/flag00$ cd /rofs/bin/.../
level00@nebula:/rofs/bin/...$ ls -al
total 8
drwxr-xr-x 2 root   root      29 Nov 20  2011 .
drwxr-xr-x 3 root   root    2728 Aug 18  2012 ..
-rwsr-x--- 1 flag00 level00 7358 Nov 20  2011 flag00
level00@nebula:/rofs/bin/...$
And as the last step we have to run flag00 and getflag.
level00@nebula:/rofs/bin/...$ ./flag00
Congrats, now run getflag to get your flag!
flag00@nebula:/rofs/bin/...$ getflag
You have successfully executed getflag on a target account
flag00@nebula:/rofs/bin/...$

From now, our main task will be to run getflag on a target account (example flagNN, where NN is the number of the level). The valid response in order to finish your level is: “You have successfully executed getflag on a target account”.