Nebula Level19: A Newbie’s Approach

We have reached the last of the Nebula exercises, level19. This challenge deals with the basics of how processes work on Linux systems.

 

What you’ll need to know…

  • Processes on Unix

 

Level19

Looking at the code on the main page of level19, we quickly see something interesting: the execution of a shell.
The problem is that the shell will only run if the root user started the flag19 program. If we were root and ran the program, we would get a shell under the flag19 account. But we are not root, nor do we have the ability to become root. Or do we?
Quick aside note: in Linux every process has a parent. When the system starts, the kernel creates init, and every other process is its child (or grandchild, and so on). Now, if we start a process (the parent) that in turn starts another process (the child), and for some reason the parent dies before the child, the child becomes an orphan. In this case, init will kind of “adopt” the orphan. Can you see why this is useful?
We can apply this theory to solve the last challenge. We create a program that starts flag19, but that program needs to die before the execution of flag19 reaches line 28.
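The adoption described above can be observed directly, which also shows why the identity of a process's parent is not a stable fact to base an authorization decision on. The following is an added example, not code from the original post or from the Nebula exercise; the names `ppid_report` and `observe_reparenting` are hypothetical.

```c
#include <poll.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the orphaned process saw (hypothetical struct for this example). */
struct ppid_report {
    pid_t before; /* PID of the process that started it */
    pid_t after;  /* getppid() once that process has exited */
};

/* Fork a short-lived parent that starts a child and dies first.
 * The child reports its parent PID after being orphaned.
 * Returns 0 and fills *out on success, -1 on error. */
int observe_reparenting(struct ppid_report *out)
{
    int fds[2];
    if (pipe(fds) == -1) return -1;
    pid_t parent = fork();
    if (parent == -1) return -1;
    if (parent == 0) {                      /* short-lived parent */
        struct ppid_report r = { getpid(), 0 };
        pid_t child = fork();
        if (child == 0) {                   /* child, about to be orphaned */
            /* Wait (at most ~2 s) until the kernel has reparented us. */
            for (int i = 0; i < 2000 && getppid() == r.before; i++)
                poll(NULL, 0, 1);           /* sleep 1 ms */
            r.after = getppid();
            _exit(write(fds[1], &r, sizeof r) == (ssize_t)sizeof r ? 0 : 1);
        }
        _exit(child == -1);                 /* parent dies before the child */
    }
    close(fds[1]);
    waitpid(parent, NULL, 0);
    ssize_t n = read(fds[0], out, sizeof *out);
    close(fds[0]);
    return n == (ssize_t)sizeof *out ? 0 : -1;
}

int main(void)
{
    struct ppid_report r;
    if (observe_reparenting(&r) != 0) return 1;
    /* "after" is 1 (init) or the PID of a subreaper such as systemd --user. */
    printf("parent before: %d, parent after: %d\n", (int)r.before, (int)r.after);
    return 0;
}
```
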

To solve the challenge, I’ll use my SUID program.

SUID
Remember this code?

I’ll also write the program that will call flag19 and pass to it the commands to compile my SUID program.

level19.c

Now, it’s just a matter of compiling this C program with gcc -o level19 level19.c.

Run the executable file produced by the last command and you’ll see a new one under the /home/flag19 directory.

Files

And now, like previous challenges, it’s just a matter of running the moveaxme executable and collecting the flag.

Result level19

All Nebula challenges have been solved!!!

Challenges completed: 20/20

 

Mitigation

I’ll wait for suggestions for this one!

 

Walkthrough

https://www.youtube.com/watch?v=tC7e9jySIk4=06m57s

 

Further Reading
