"Whatever Pages"

Suspicious directories

Nebula 00 Agenda: “This level requires you to find a Set User ID program that will run as the “flag00” account. You could also find this by carefully looking in top level directories in / for suspicious looking directories.”

To suppress all the “permission denied” messages from “find”, we can redirect standard error from its usual destination (the screen) to a file, for example the special file /dev/null, so the error messages never appear on the screen. For more details, you can get acquainted with the man util.

$ find / -user flag00 2>/dev/null

	/bin/.../flag00
	/home/flag00
	/home/flag00/.bash_logout
	/home/flag00/.bashrc
	/home/flag00/.profile
	/rofs/bin/.../flag00
	/rofs/home/flag00
	/rofs/home/flag00/.bash_logout
	/rofs/home/flag00/.bashrc
	/rofs/home/flag00/.profile

It’s easy to spot those “suspicious looking directories”. By the way, “rofs” (if you noticed it and were intrigued) is a read-only filesystem that allows creating a read-only mountpoint of a read-write directory on the system (or at least, something similar =)). However, it doesn’t matter here.

$ ls -l /bin/.../flag00
	-rwsr-x--- 1 flag00 level00 7358 2011-11-20 21:22 /bin/.../flag00

Finally, executing “/bin/.../flag00” provides the desired hint. Accordingly, executing the “getflag” file is our general purpose at each level.
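
Seen from the defender's side, the same search becomes an audit: list every setuid file under a root and flag any that sit beneath a dot-prefixed directory such as “/bin/.../”. This is an added example, not part of the original walkthrough; the function names suid_audit and make_sample_tree and the sample tree are constructed for illustration, and it covers all owners rather than only “flag00”.

```shell
#!/bin/sh
# Added example (not from the original post): audit setuid files and flag
# any that sit beneath a dot-prefixed directory such as "/bin/.../".

# suid_audit ROOT
# Prints one line per setuid regular file: "HIDDEN <path>" or "ok <path>".
suid_audit() {
    root=${1:-/}
    # -perm -4000 selects files with the setuid bit set; 2>/dev/null drops
    # the "Permission denied" noise, as in the walkthrough.
    find "$root" -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r path; do
        rel=${path#"$root"}          # judge only the part below ROOT
        case "/${rel#/}" in
            */.*/*) printf 'HIDDEN %s\n' "$path" ;;  # a dot-prefixed directory
            *)      printf 'ok %s\n' "$path" ;;
        esac
    done
}

# make_sample_tree
# Builds a constructed test tree under a temp directory and prints its path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/bin/..." "$t/usr/bin"
    : > "$t/bin/.../flag00"; chmod 4750 "$t/bin/.../flag00"   # hidden setuid file
    : > "$t/usr/bin/passwd"; chmod 4755 "$t/usr/bin/passwd"   # ordinary setuid file
    : > "$t/bin/ls";         chmod 0755 "$t/bin/ls"           # no setuid bit
    printf '%s\n' "$t"
}

# Demo run on the constructed tree.
tree=$(make_sample_tree)
suid_audit "$tree"
rm -rf "$tree"
```

On a real host, call `suid_audit /` and review every HIDDEN line against the setuid programs the distribution is expected to ship.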

PS. Some useful links:

If you’re looking for something fun-filled and aimed at absolute beginners, you can try the wargame offered by the OverTheWire community.