Skip to content

Nebula Level09: A Newbie’s Approach

So far, we have dealt with bash, Perl and C programming languages. In level09 challenge, we have a small PHP piece of code to analyze and exploit.

What you’ll need to know…

  • PHP


By looking at the files under the /home/flag09 folder you can identify the SUID program and a file with PHP code, which is the same presented on the challenge’s page.


First of all, the markup function is our “point of entrance” in the code. This function takes two arguments, which means the flag09 SUID program also takes two arguments. Let’s ignore the second argument and feed something random.

Now, taking a look at the code, is possible to identify some calls to the preg_replace, whose function is to replace content in a string based on a regular expression. The first preg_replace will basically replace all the “.” by “dot” and all the “@” by “AT”. The last two preg_replace will replace the square brackets by the angle quotes.

If you feed some file to this program, flag09 will analyze and replace all “@” and “.” symbols. At the end, will print to the command line the entire file sanitized.

For example, the following image contains the output of running flag09 with some file containing “[email [email protected]]”.


In order to get a shell, we can place in the file “[email {${system(sh)}}]” instead of the last string. We use the system function because it’ll show the output immediately and not at the end.

Now we will have a shell under the flag09 user. From here, we can run the getflag command and solve the level09 challenge. Let’s see.

Solution Level09

Challenges completed: 10/20


So, as mitigation to this level09 we have the same advises I gave to level0.

It’s always good to remember that all the input provided by the user (or some program) should always be sanitized.


Further Reading

Published inNebulaUncategorized