We covered the solution walkthrough of levels 01-19 of the Nebula exploit exercises, which let you practice your Linux privilege escalation skills. This includes exploiting SUID binaries, cron jobs, environment variables, misconfigured file permissions, vulnerable Python modules such as pickle, path expansion, shared libraries and coding errors.
Highlights | Levels Breakdown
Level00
This level requires you to find a Set User ID program that will run as the “flag00” account. You could also find this by carefully looking in top level directories in / for suspicious looking directories.
Alternatively, look at the find man page.
Level01
There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?
Level02
There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?
Level03
Check the home directory of flag03 and take note of the files there.
There is a crontab that is called every couple of minutes.
Level04
This level requires you to read the token file, but the code restricts the files that can be read. Find a way to bypass it 🙂
Level05
Check the flag05 home directory. You are looking for weak directory permissions.
Level06
The flag06 account credentials came from a legacy unix system.
Level07
The flag07 user was writing their very first perl program that allowed them to ping hosts to see if they were reachable from the web server.
Level08
World readable files strike again. Check what that user was up to, and use it to log into the flag08 account.
Level09
There’s a C setuid wrapper for some vulnerable PHP code.
Level10
The setuid binary at /home/flag10/flag10 will upload any file given, as long as it meets the requirements of the access() system call.
Level11
The /home/flag11/flag11 binary processes standard input and executes a shell command.
There are two ways of completing this level, you may wish to do both 🙂
Level12
There is a backdoor process listening on port 50001.
Linux Privilege Escalation Techniques Used In the Walkthrough
We used a combination of file processing and editing to extract the credentials from the password file located at /etc/passwd.
We analyze a program written in C. It reads a token file based on the current user's permissions, and it restricts which file names may be read; this is the restriction we need to bypass.
Basically, we bypass this restriction in Linux by creating a symbolic link to the file in question, so the name the program checks is not the name of the file it actually opens.
Video Walkthrough | P1
Video Walkthrough | P2