Level 08 instructions
About
World readable files strike again. Check what that user was up to, and use it to log into flag08 account.
To do this level, log in as the level08 account with the password level08. Files for this level can be found in /home/flag08.
Source code
There is no source code available for this level
First thing to do is take a look at /home/flag08
ls -al /home/flag08
total 14
drwxr-x--- 2 flag08 level08   86 2012-08-19 03:07 .
drwxr-xr-x 1 root   root      80 2012-08-27 07:18 ..
-rw-r--r-- 1 flag08 flag08   220 2011-05-18 02:54 .bash_logout
-rw-r--r-- 1 flag08 flag08  3353 2011-05-18 02:54 .bashrc
-rw-r--r-- 1 root   root    8302 2011-11-20 21:22 capture.pcap
-rw-r--r-- 1 flag08 flag08   675 2011-05-18 02:54 .profile
capture.pcap looks like an interesting file. It is most likely a packet capture file containing recorded network traffic. I download it to my own machine to examine it.
scp firstname.lastname@example.org:/home/flag08/capture.pcap ./
I open up the capture file in Wireshark. It looks like one session between two computers. I right-click a packet and select Follow Stream to get an easier-to-view picture of the session's contents.
It looks like there is a password here so I try logging in as user flag08 with the password “backdoor...00Rm8.ate”.
Password: backdoor...00Rm8.ate
su: Authentication failure
I guess it isn’t as straightforward as I thought.
I have to admit this one stumped me for a little while. I took a break and looked at it again later with fresh eyes. Something about the pattern piqued my interest. It looks like the password should be something like backdoormate or backd00rm8. The periods were throwing me off. I took a look at the string in Wireshark in hex to confirm that I’m not missing something.
I went character by character through the string and confirmed them on an ASCII table. The problem became apparent when I hit the periods.
The ASCII code for a period is 2E. So what is 7F??? It’s delete…
So flag08 started typing the password, hit delete three times, continued typing, hit delete one more time, then finished the password. If I follow this pattern the final string should be backd00Rmate (my website font makes my zeros look like a lower case o).
Password: backd00Rmate
sh-4.2$
You have successfully executed getflag on a target account
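The walkthrough above did the replay by hand; the sketch below does the same thing in code and shows why the stream view was misleading. It is an added example, not part of the original post: the function names are made up for illustration, the sample bytes are rebuilt from the post's description rather than copied from the pcap, and the Ctrl-U and backspace handling goes beyond the single 0x7F case the post covers.

```python
# Added example: replay captured keystrokes the way a terminal would.
ERASE = {0x7F, 0x08}        # DEL and BS: erase the previous character
KILL = 0x15                 # Ctrl-U: erase the whole line typed so far
END = {0x0D, 0x0A, 0x00}    # CR, LF, NUL: end of the typed line
PRINTABLE = range(0x20, 0x7F)


def as_displayed(raw: bytes) -> str:
    """Render bytes like an ASCII stream view: non-printables become '.'."""
    return "".join(chr(b) if b in PRINTABLE else "." for b in raw)


def as_typed(raw: bytes) -> str:
    """Apply erase/kill keystrokes to recover the line the host received."""
    line = []
    for b in raw:
        if b in END:
            break
        if b in ERASE:
            if line:            # erase on an empty line is a no-op
                line.pop()
        elif b == KILL:
            line.clear()
        elif b in PRINTABLE:
            line.append(chr(b))
        # any other control byte is ignored
    return "".join(line)


# Constructed sample: three 0x7F after "backdoor" and one after "8",
# as described in the post (not extracted from capture.pcap).
SAMPLE = b"backdoor\x7f\x7f\x7f00Rm8\x7fate"

if __name__ == "__main__":
    print("displayed:", as_displayed(SAMPLE))
    print("typed:    ", as_typed(SAMPLE))
```

A real 0x2E period and a 0x7F delete are indistinguishable in the ASCII view, which is why the hex view was needed to tell them apart.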