This level requires you to find a Set User ID program that will run as the flag00 account. You could also find this by carefully looking in top level directories in / for suspicious looking directories. Alternatively, look at the find man page.

To solve this first puzzle we’ll use the find command with a few flags:

level00@nebula:~$ find / -user flag00 -perm -4000 -ls 2>/dev/null
 44173    8 -rwsr-x---   1 flag00   level00      7358 Nov 20  2011 /bin/.../flag00
 44173    8 -rwsr-x---   1 flag00   level00      7358 Nov 20  2011 /rofs/bin/.../flag00

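Since we know we’re looking for files that will run as the flag00 user, we filter on ownership with -user flag00. We also know the setuid bit is set, so we add -perm -4000: 4000 is the setuid bit, and the leading dash means “at least these bits are set”. The -ls flag prints each match in long format, and 2>/dev/null discards the “Permission denied” errors from directories level00 cannot read. In the output, the s in -rwsr-x--- is the setuid bit, the group level00 has execute permission, and the binary sits in a directory named ..., which a plain ls does not show because the name starts with a dot.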

Okay, let’s run the file and see what happens!

level00@nebula:~$ /bin/.../flag00
Congrats, now run getflag to get your flag!
flag00@nebula:~$ getflag
You have successfully executed getflag on a target account
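The same find test can be turned around into an audit of your own systems. The script below is an added example, not part of the original write-up: it lists setuid files under a directory and marks those that sit under a dot-named path component (like the ... directory here) or are owned by a non-root account. The function names, the HIDDEN/NONROOT/OK labels and the demo tree are assumptions made for the example.

```shell
#!/bin/sh
# Added example: inventory setuid files and flag the ones worth a closer look.

# audit_setuid ROOT
# Prints "<FLAG> <owner> <path>" for every setuid regular file under ROOT.
#   HIDDEN  - a path component below ROOT starts with a dot (e.g. "...")
#   NONROOT - not hidden, but owned by an account other than root
#   OK      - root-owned and in a visible location
# Paths containing newlines are not handled.
audit_setuid() {
    root=${1:-/}
    # -xdev stays on one filesystem; -perm -4000 matches "setuid bit set".
    find "$root" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r path; do
        rel=${path#"$root"}                       # judge only the part below ROOT
        owner=$(ls -ld -- "$path" | awk '{print $3}')
        case $rel in
            .*|*/.*) flag=HIDDEN ;;
            *) if [ "$owner" = root ]; then flag=OK; else flag=NONROOT; fi ;;
        esac
        printf '%s %s %s\n' "$flag" "$owner" "$path"
    done
}

# make_demo_tree: builds a constructed sample tree and prints its location.
# The files are empty; only their names and mode bits matter.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin/..." "$d/usr/bin"
    : > "$d/bin/.../flag00"; chmod 4750 "$d/bin/.../flag00"   # setuid, hidden dir
    : > "$d/usr/bin/tool";   chmod 4755 "$d/usr/bin/tool"     # setuid, visible
    : > "$d/usr/bin/plain";  chmod 0755 "$d/usr/bin/plain"    # no setuid bit
    printf '%s\n' "$d"
}

# Stand-alone run against the constructed tree.
demo=$(make_demo_tree) && audit_setuid "$demo"
rm -rf "$demo"
```

Run it as root against / (for example `audit_setuid /`) so that find can read every directory, and compare the result with a known-good baseline for the distribution.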