Nebula Level01: A Newbie’s Approach

Nebula Level01: A Newbie’s Approach

Still under the SUID programs category, level01 makes use of another trick in order to be solved, the manipulation of environment variables.


What you’ll need to know…

  • Use ln command
  • Environment Variables
  • Other basic Unix commands



If we analyze the code of level01 program, one of the first things that I notice is the use of a C function, system, and although it doesn’t receive input from the user, it’s still exploitable. Time to run the flag01 program.


This output is (obviously) caused by the system function, more specifically by the “echo and now what?”. But how about the “/usr/bin/env”? Imagine that you have multiple programs in your system called echo. Which one will be executed? The answer is the first one that appears in the PATH variable. This is ensured by the “/usr/bin/env”.

To find out where the echo is located, run the command “which echo”.


Then, cross-reference the path resultant with the paths in the PATH variable.


Notice the folder that contains the echo program, it’s almost the last one. If we were able to put an echo program in some other folder that appears before /bin, that would be the one that would run. But we don’t have write permissions on any of those…

So the solution is to append to the beginning, a location where we actually can write, /home/level01.


Now, my goal is to get a shell, so I’ll create a little C program called echo.


I compile the program using the command “gcc -o echo echo.c” and now I have a little program that gives me a shell.

Before I run the flag01 let’s recap. We have a program called flag01 that will call the first echo program it finds in the environment variable PATH. The first entry in this variable is /home/level01, inserted by us, and this folder contains an echo program written also by us, which will give us a shell.

Let’s check the current user, run the program and get the flag.

Solution of level01

Another solution, and if you didn’t want a shell, would be with symbolic links. Once more, we can add /home/level01 to the PATH and in this folder, place a symbolic link called echo which points to /bin/getflag. So, when you run the flag01 program, the following happens…

Another Solution for level01

Challenges completed: 2/20



Same advice as level00.



Further Reading

Leave a Reply

Your email address will not be published. Required fields are marked *