exploit-exercises.com - nebula - level00

In the first nebula level we have to find a suid program that will run as the “flag00” account. After a quick google search we find the following command: find / -user flag00 -perm -4000 -exec ls -ldb {} \;. This command lists all suid programs under /. The output is quite long but one line stands out: -rwsr-x--- 1 flag00 level00 7358 2011-11-20 21:22 /rofs/bin/.../flag00. We can see that the owner of this executable is flag00 and it has the setuid bit set. This means the executable flag00 runs as the user who owns it. Exactly what we are searching for! The following asciicast shows how I solved the level: