We covered the solution walkthrough of levels 01-19 of the Nebula exploit exercises, which let you practice your Linux privilege escalation skills. This includes exploiting SUID binaries, cron jobs, environment variables, misconfigured file permissions, vulnerable Python modules such as the pickle module, path expansion, shared libraries and coding errors.


Highlights | Levels Breakdown

Level00

This level requires you to find a Set User ID program that will run as the “flag00” account. You could also find this by carefully looking in top level directories in / for suspicious looking directories.

Alternatively, look at the find man page.

Level01

There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?

Level02

There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?

Level03

Check the home directory of flag03 and take note of the files there.

There is a crontab that is called every couple of minutes.

Level04

This level requires you to read the token file, but the code restricts the files that can be read. Find a way to bypass it 🙂

Level05

Check the flag05 home directory. You are looking for weak directory permissions.

Level06

The flag06 account credentials came from a legacy unix system.

Level07

The flag07 user was writing their very first perl program that allowed them to ping hosts to see if they were reachable from the web server.

Level08

World readable files strike again. Check what that user was up to, and use it to log into flag08 account.

Level09

There’s a C setuid wrapper for some vulnerable PHP code.

Level10

The setuid binary at /home/flag10/flag10 binary will upload any file given, as long as it meets the requirements of the access() system call.

Level11

The /home/flag11/flag11 binary processes standard input and executes a shell command.

There are two ways of completing this level, you may wish to do both 🙂

Level12

There is a backdoor process listening on port 50001.

Linux Privilege Escalation Techniques Used In the Walkthrough

We used a combination of file processing and editing to grab or extract the credentials from the password file located at /etc/passwd.

We analyze a program written in C. It reads a token file, subject to a restriction based on the current user's permissions, which we need to bypass.
We bypass this restriction in Linux by creating a symbolic link to the file in question.
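The following is an added example, not code from the walkthrough or from the Nebula exercise, showing why a symbolic link defeats a check made on the file name and what a check on the opened file looks like instead; it goes slightly beyond the text by also covering hard links. It assumes the restriction is a filter on the name the caller supplies, and the function names, the scratch directory and the files `alias`, `copy` and `notes` are constructed for the illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak check (assumed shape of the level's filter): it judges only the
 * name the caller typed, so any alias of the protected file passes. */
int name_filter_allows(const char *path) {
    return strstr(path, "token") == NULL;
}

/* Hardened check: open first, then compare the identity (device + inode)
 * of the opened object with the protected file. Testing the descriptor,
 * not the path, avoids a check-then-open race. Returns an fd, or -1. */
int open_unless_protected(const char *path, const char *protected_path) {
    struct stat want, got;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;      /* includes ELOOP: last component is a symlink */
    if (fstat(fd, &got) != 0 || stat(protected_path, &want) != 0 ||
        (got.st_dev == want.st_dev && got.st_ino == want.st_ino)) {
        close(fd);              /* fail closed; same file under another name */
        return -1;
    }
    return fd;
}

/* Constructed fixture: token, a symlink and a hard link to it, and notes. */
int setup_fixture(void) {
    char dir[] = "/tmp/nebula04-XXXXXX";
    if (!mkdtemp(dir) || chdir(dir) != 0) return -1;
    int a = open("token", O_CREAT | O_WRONLY, 0600);
    int b = open("notes", O_CREAT | O_WRONLY, 0600);
    if (a < 0 || b < 0) return -1;
    close(a); close(b);
    return (symlink("token", "alias") == 0 && link("token", "copy") == 0) ? 0 : -1;
}

int main(void) {
    const char *names[] = {"notes", "alias", "copy", "token"};
    if (setup_fixture() != 0) return 1;
    for (int i = 0; i < 4; i++) {
        int fd = open_unless_protected(names[i], "token");
        printf("%-5s filter=%d identity=%d\n", names[i], name_filter_allows(names[i]), fd >= 0);
        if (fd >= 0) close(fd);
    }
    return 0;
}
```

The name filter passes both `alias` and `copy`, while the identity check refuses every path that resolves to the protected file and still serves the unrelated one.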


About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.
