World readable files strike again. Check what that user was up to, and use it to log into flag08 account.

To do this level, log in as the level08 account with the password level08. Files for this level can be found in /home/flag08.

Source code
There is no source code available for this level

First thing to do is take a look at /home/flag08

ls -al /home/flag08
total 14
drwxr-x--- 2 flag08 level08   86 2012-08-19 03:07 .
drwxr-xr-x 1 root   root      80 2012-08-27 07:18 ..
-rw-r--r-- 1 flag08 flag08   220 2011-05-18 02:54 .bash_logout
-rw-r--r-- 1 flag08 flag08  3353 2011-05-18 02:54 .bashrc
-rw-r--r-- 1 root   root    8302 2011-11-20 21:22 capture.pcap
-rw-r--r-- 1 flag08 flag08   675 2011-05-18 02:54 .profile

Capture.pcap looks like an interesting file. It is most likely a packet capture file containing recorded network traffic. I download it to my own machine to examine it.

scp level08@ ./

I open up the capture file in Wireshark. It looks like one session between two computers. I right-click a packet and select Follow Stream to get an easier-to-view picture of the session's contents.

It looks like there is a password here, so I try logging in as user flag08 with the password “backdoor...00Rm8.ate”.

su flag08
Password: backdoor...00Rm8.ate
su: Authentication failure

I guess it isn’t as straightforward as I thought.

I have to admit this one stumped me for a little while. I took a break and looked at it again later with fresh eyes. Something about the pattern piqued my interest. It looks like the password should be something like backdoormate or backd00rm8. The periods were throwing me off. I took a look at the string in Wireshark in hex to confirm that I’m not missing something.

I went character by character through the string and confirmed them on an ASCII table. The problem became apparent when I hit the periods.

The ASCII code for a period is 2E. So what is 7F??? It’s delete…

So flag08 started typing the password, hit delete three times, continued typing, hit delete one more time, then finished the password. If I follow this pattern the final string should be backd00Rmate (my website font makes my zeros look like a lower case o).
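The same reconstruction as a script, added here as an example and not part of the original write-up. The function names are hypothetical, the sample bytes are constructed from the hex values described above, and the handling of backspace (0x08) and Ctrl-U (0x15) goes beyond the single delete case in this capture.

```python
# Added example: replay erase keys in a captured keystroke stream to recover
# what was actually submitted, and show why the ASCII view is misleading.
DEL, BS, KILL = 0x7F, 0x08, 0x15   # delete, backspace, Ctrl-U (kill line)
CR, LF = 0x0D, 0x0A

# Constructed sample matching the post: "backdoor", 3x 0x7F, "00Rm8", 0x7F, "ate"
SAMPLE = b"backdoor\x7f\x7f\x7f00Rm8\x7fate"


def wireshark_ascii(raw: bytes) -> str:
    """Render bytes like an ASCII stream view: every non-printable becomes '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in raw)


def hidden_control_offsets(raw: bytes) -> list:
    """Offsets where the ASCII view shows '.' but the byte is not 0x2E."""
    return [(i, b) for i, b in enumerate(raw) if not 0x20 <= b < 0x7F]


def apply_line_edits(raw: bytes) -> str:
    """Replay erase/kill bytes against a buffer, stopping at end of line."""
    buf = []
    for b in raw:
        if b in (CR, LF):          # user pressed Enter: the line is complete
            break
        if b in (DEL, BS):
            if buf:                # erasing an empty line is a no-op
                buf.pop()
        elif b == KILL:
            buf.clear()
        elif 0x20 <= b < 0x7F:     # printable, including a real '.' (0x2E)
            buf.append(chr(b))
        # any other control byte is ignored
    return "".join(buf)


if __name__ == "__main__":
    print("ASCII view :", wireshark_ascii(SAMPLE))
    for off, val in hidden_control_offsets(SAMPLE):
        print(f"  offset {off}: 0x{val:02x} shown as '.'")
    print("typed line :", apply_line_edits(SAMPLE))
```
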

su flag08
Password: backd00Rmate


You have successfully executed getflag on a target account

