Hints for nebula exploit exercises

I would assume that if you're already here looking for this you probably already know about exploit exercises. But if not, go check out the site and specifically the nebula exercise that corresponds to this page.


look at the setuid man page to learn more about it what it does.

Find out how to locate files/executables with a setuid bit

$ find / -perm /u=s -user flag00

work your magic...


know about how linux finds executables and symbolic links

recognize that the program has a vulnerability in the way it envokes echo. use the knowledge from the first step to exploit this knowledge


For this level we can see that the programmer is wise to us changing the bin directory but that they are still pulling in a username which we control...


As it says crontab runs every few minutes; from checking the script in flag03's home directory we can see what's happening just find a way to exploit it

I choose to just create a simple shell script:


but I'm thinking another interesting thing would be to create a setuid program and have the cron update everything so we having lasting permissions as flag03


In this level again, a knowledge of symbolic links is key


This level requires some knowledge of unix file permissions so you can snoop around for juicy looking files. Finally an understanding of how the SSH encryption and connection process works [1]

  1. understanding the ssh encryption and connection process (digitalocean tut)


As said in the description a knowledge of how unix systems stored passwords; once that part is figured out. John the ripper can help with the rest.


To start cd to the flag07 directory and have a look at the files, from there it's possible to find enough information to get started. Now all that's left is to find a way to inject getflag.

Bonus hint:

Make sure to properly URL encode


those pesky file permissions again, just poke around in flag08's home directory to see what juicy files we can get our eyes on.

Bonus hint:

WireShark Analyze > follow > tcp


very interesting, after trying the usual exploits i stumbled across the possibility of doing something like this:

which works! However, after all that time I spent figuring that out it turns out 'flag09 -a' gives you the interactive command line as the flag09 user! Trivial from there...so simple yet for me; so hard to find


interesting, trying various things to solve this one and then... in my home directory there's a file called x. I go ahead and take a look in there and low and behold it seems to be a token. It worked to sign into flag10 but that's not how it was supposed to go...

I'll have to work on finding the real way of exploiting this one

That's all

That's as far as I had time to get so far. I hope that you found these hints helpful without spoiling the fun.

Anything else let me know in the comments below.

Tutorial created by 0x6f0