We covered the solution walkthrough of levels 01-19 of Nebula exploit exercises that let you practice your Linux privilege escalation skills. This includes exploiting SUID bit set binaries, cron jobs, environment variables & misconfigured file permissions python vulnerable modules such as pickle module, path expansion, shared libraries & coding errors.

Get OSCP Study Notes

Burp Suite Study Notes

The Complete Practical Web Application Penetration Testing Course

Highlights | Levels Breakdown


This level requires you to find a Set User ID program that will run as the “flag00” account. You could also find this by carefully looking in top level directories in / for suspicious looking directories.

Alternatively, look at the find man page.


There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?


There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?


Check the home directory of flag03 and take note of the files there.

There is a crontab that is called every couple of minutes.


This level requires you to read the token file, but the code restricts the files that can be read. Find a way to bypass it 🙂


Check the flag05 home directory. You are looking for weak directory permissions


The flag06 account credentials came from a legacy unix system.


The flag07 user was writing their very first perl program that allowed them to ping hosts to see if they were reachable from the web server.


World readable files strike again. Check what that user was up to, and use it to log into flag08 account.


There’s a C setuid wrapper for some vulnerable PHP code.


The setuid binary at /home/flag10/flag10 binary will upload any file given, as long as it meets the requirements of the access() system call.


The /home/flag11/flag11 binary processes standard input and executes a shell command.

There are two ways of completing this level, you may wish to do both 🙂


There is a backdoor process listening on port 50001.

Linux Privilege Escalation Techniques Used In the Walkthrough

We used a combination of file processing and editing to grab or extract the credentials from the password file located at /etc/passwd.

We analyze a code written in C language. It reads a token file based on the current user’s permissions which we need to bypass.
Basically we bypass this restriction in Linux by creating symbolic link to the file in question.

Video Walkthrough | P1

Video Walkthrough | P2

About the Author

I create cybersecurity notes, digital marketing notes and online courses. I also provide digital marketing consulting including but not limited to SEO, Google & Meta ads and CRM administration.

View Articles