
Let's start with nebula. nebula has 19 levels, level00-level19. Each level corresponds to a login account on the system, and each level also corresponds to one of the flag00-flag19 accounts under the home directory.

Generally, if you can log in as levelXX and, after privilege escalation, your account becomes flagXX, you have passed the level.

Below I list the requirements and relevant code for each level, along with my own solution and the concepts involved. If I could not solve a level, I will explain why.

level00

This level requires you to find a Set User ID program that will run as the "flag00" account. You could also find this by carefully looking in top level directories in / for suspicious looking directories.

Alternatively, look at the find man page.

To access this level, log in as level00 with the password of level00.

source code

There is no source code available for this level


First, log in to the nebula test system with the username level00 and the password level00.

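According to the task, we need to find a binary that runs as the flag00 account and has the set-user-id bit set. You can find it by going through the directories one by one starting from the root directory, or by using the find command. Here we will of course use find. If you are not familiar with it, check its usage with man find.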

First we should understand what the set-user-id bit is, why it is set, what we can do once it is set, and how the Real UID, Effective UID and Saved UID differ on Linux and what each is for. Below is an explanation of these three UIDs found at http://en.allexperts.com/q/Unix-Linux-OS-1064/real-effective-user-id.htm, which I believe is already quite clear. If you still do not understand, go and read APUE.

Each UNIX process has 3 UIDs associated to it. Superuser privilege is UID=0.

Real UID
--------

This is the UID of the user/process that created THIS process. It can be changed only if the running process has EUID=0.

Effective UID
-------------

This UID is used to evaluate privileges of the process to perform a particular action. EUID can be changed either to RUID, or SUID if EUID!=0. If EUID=0, it can be changed to anything.

Saved UID
---------

If the binary image file, that was launched has a Set-UID bit on, SUID will be the UID of the owner of the file. Otherwise, SUID will be the RUID.

What is the idea behind this?

Normal programs, like "ls", "cat", "echo" will be run by a normal user, under that user's UID. Special programs that allow user to have controlled access to protected data, can have Set-UID bit to allow the program to be run under privileged UID.

An example of such program is "passwd". If you list it in full, you will see that it has Set-UID bit and the owner is "root". When a normal user, say "ananta", runs "passwd", passwd starts with:

Real-UID = ananta
Effective-UID = ananta
Saved-UID = root

Then the program calls a system call "seteuid( 0 )" and since SUID=0, the call will succeed and the UIDs will be:

Real-UID = ananta
Effective-UID = root
Saved-UID = root

After that, "passwd" process will be able to access /etc/passwd and change password for user "ananta". Note that user "ananta" cannot write to /etc/passwd on its own. Note one other thing, setting a Set-UID on an executable file is not enough to make it run as privileged process. The program itself must make a system call.

The following information comes from http://www.zzee.com/solutions/linux-permissions.shtml#setuid

set user id, set group id, sticky id

In addition to the basic permissions discussed above, there are also three bits of information defined for files in Linux:

SUID or setuid: change user ID on execution. If setuid bit is set, when the file will be executed by a user, the process will have the same rights as the owner of the file being executed.

SGID or setgid: change group ID on execution. Same as above, but inherits rights of the group of the owner of the file on execution. For directories it also may mean that when a new file is created in the directory it will inherit the group of the directory (and not of the user who created the file).

Sticky bit. It was used to trigger process to "stick" in memory after it is finished, now this usage is obsolete. Currently its use is system dependant and it is mostly used to suppress deletion of the files that belong to other users in the folder where you have "write" access to.

| Octal digit | Binary value | Meaning |
|---|---|---|
| 0 | 000 | setuid, setgid, sticky bits are cleared |
| 1 | 001 | sticky bit is set |
| 2 | 010 | setgid bit is set |
| 3 | 011 | setgid and sticky bits are set |
| 4 | 100 | setuid bit is set |
| 5 | 101 | setuid and sticky bits are set |
| 6 | 110 | setuid and setgid bits are set |
| 7 | 111 | setuid, setgid, sticky bits are set |

SUID: If set, then replaces "x" in the owner permissions to "s", if owner has execute permissions, or to "S" otherwise. Examples:

-rws------ both owner execute and SUID are set
-r-S------ SUID is set, but owner execute is not set

SGID: If set, then replaces "x" in the group permissions to "s", if group has execute permissions, or to "S" otherwise. Examples:

-rwxrws--- both group execute and SGID are set
-rwxr-S--- SGID is set, but group execute is not set

Sticky: If set, then replaces "x" in the others permissions to "t", if others have execute permissions, or to "T" otherwise. Examples:

-rwxrwxrwt both others execute and sticky bit are set
-rwxrwxr-T sticky bit is set, but others execute is not set

A user with root privileges can give a program the setuid privilege in two ways:

sudo chmod 4755 myprog

sudo chmod u+s myprog2

ls -l my*

Output:

-rwsr-xr-x 1 root other 24152 Apr 29 16:30 myprog

-rwsr-xr-x 1 root other 24152 Apr 29 16:30 myprog2


OK, now let's use the find command to locate this file.

Run the following in a terminal: find / -perm -4000 -type f -user flag00 -ls


We will see an executable, /bin/.../flag00, printed in the output.

Run this executable, and then run the getflag command.

If the screen prints

you have successfully executed getflag on a target account

then level00 has been passed successfully.
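As an added example (not part of the original article or of Nebula), the script below turns the find one-liner and the s/S/t/T notation from the permission table into a review of setuid/setgid files: it decodes the special bits of each hit and notes files that are not owned by root or that sit under a dot-prefixed path component, as the level's binary does. The function names and note labels are hypothetical, and filenames containing newlines are not handled.

```shell
#!/bin/sh
# Added example: audit setuid/setgid files under a directory tree.
# Function names and the note labels are illustrative, not a standard tool.

# decode_special MODE: name the special bits in an ls-style mode string,
# e.g. "-rwsr-xr-x" -> "setuid", "-r-S------" -> "setuid(no-exec)".
decode_special() {
    mode=$1 out=""
    u=$(printf '%s' "$mode" | cut -c4)    # owner execute slot
    g=$(printf '%s' "$mode" | cut -c7)    # group execute slot
    o=$(printf '%s' "$mode" | cut -c10)   # others execute slot
    case $u in s) out="$out setuid" ;; S) out="$out setuid(no-exec)" ;; esac
    case $g in s) out="$out setgid" ;; S) out="$out setgid(no-exec)" ;; esac
    case $o in t) out="$out sticky" ;; T) out="$out sticky(no-exec)" ;; esac
    printf '%s\n' "${out# }"
}

# audit_special ROOT: print one line per setuid/setgid regular file:
#   <mode> <owner> [<bits>] <notes> <path>
# Notes mark what deserves a second look during a review:
#   non-root-owner  the file runs with some other account's rights
#   hidden-path     a path component below ROOT starts with "."
audit_special() {
    root=$1
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        # Field 1 of ls -l is the mode string, field 3 the owner.
        info=$(ls -ld -- "$f" | awk '{print $1, $3}')
        mode=${info%% *} owner=${info#* } notes=""
        [ "$owner" = root ] || notes="$notes non-root-owner"
        case /${f#"$root"} in */.*) notes="$notes hidden-path" ;; esac
        printf '%s %s [%s]%s %s\n' "$mode" "$owner" \
            "$(decode_special "$mode")" "$notes" "$f"
    done
}

# Usage: sh audit.sh /    (run as root to see every directory)
if [ "$#" -gt 0 ]; then audit_special "$1"; fi
```

Comparing the output against a saved baseline from a known-good install makes newly added setuid files stand out.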

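Personal impression: level00 is the most basic and simplest level, yet it touches on many concepts and there is a lot to learn from it. Be sure to fully understand these three UIDs and the relationship between Linux file permissions and the permission flags; otherwise you will not get anywhere in the later levels.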
