We start off with understanding what is being asked of us:
About
World readable files strike again. Check what that user was up to, and use it to log into flag08 account. To do this level, log in as the level08 account with the password level08. Files for this level can be found in /home/flag08.
Source code
There is no source code available for this level

With no source code, I follow the instructions and ssh to the server as level08 and navigate to /home/flag08:
level08@nebula:~$ cd /home/flag08/
level08@nebula:/home/flag08$ ls -lah
total 14K
drwxr-x--- 2 flag08 level08 86 2012-08-19 03:07 .
drwxr-xr-x 1 root root 60 2012-08-27 07:18 ..
-rw-r--r-- 1 flag08 flag08 220 2011-05-18 02:54 .bash_logout
-rw-r--r-- 1 flag08 flag08 3.3K 2011-05-18 02:54 .bashrc
-rw-r--r-- 1 root root 8.2K 2011-11-20 21:22 capture.pcap
-rw-r--r-- 1 flag08 flag08 675 2011-05-18 02:54 .profile
level08@nebula:/home/flag08$
Looks like we have a .pcap file. So what do I do? I download it of course! I pull the file down via netcat:
With the .pcap file saved locally, I fire up Wireshark and open the file:
With the file loaded into Wireshark, it is time to start looking around. I follow TCP Stream:
Excellent! Looks like the password is:
backdoor...00Rm8.ate
However, it failed. Hmm. I switch my view from ASCII to HEX to see if I am missing anything.
So I have the hexadecimal values in the second column from the left and the ASCII representation in the far-right column. I notice that 7f is a hex value unfamiliar to me. So I start looking up what each hex value represents, 62 = b, 61 = a, etc., until I reach 7f:
Ah-ha. 7f is the "delete" key. My assumption is that the simulated "user" typed his password incorrectly a few times and had to delete it, hence the "delete" key being captured.
Following the hex stream as if it were a user typing, we come up with:
backd00Rmate
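The same replay done in code, as an added example that is not part of the original write-up. The function names are hypothetical, and the sample bytes are constructed from the ASCII view shown above, with 0x7f placed wherever that view shows a dot; handling 0x08 (backspace) and stopping at CR/LF are assumptions about what a terminal session may contain.

```python
# Added example: replay a captured keystroke stream the way a terminal
# line buffer would, so erase keys remove the characters before them.

DEL = 0x7F  # ASCII DEL, the byte the write-up identifies as the "delete" key
BS = 0x08   # ASCII backspace; assumption: some terminals send this instead


def replay_keystrokes(raw: bytes) -> str:
    """Return what is left in the line buffer after applying erase keys."""
    buf = []
    for b in raw:
        if b in (DEL, BS):
            if buf:              # erasing on an empty line is a no-op
                buf.pop()
        elif b in (0x0D, 0x0A):  # CR or LF ends the line being typed
            break
        elif 0x20 <= b < 0x7F:   # printable ASCII is appended as typed
            buf.append(chr(b))
        # any other control byte is ignored
    return "".join(buf)


def ascii_view(raw: bytes) -> str:
    """Mimic an ASCII stream pane: non-printable bytes are shown as dots."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in raw)


# Constructed sample: the ASCII view from this page with 0x7f for each dot.
CAPTURED = b"backdoor\x7f\x7f\x7f00Rm8\x7fate"

if __name__ == "__main__":
    print("ASCII view :", ascii_view(CAPTURED))
    print("As typed   :", replay_keystrokes(CAPTURED))
```

The ASCII pane hides which control byte each dot stands for, which is why the first attempt failed; only the hex view shows that the dots are erase keys.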
To test my theory, I switch to the flag08 user:
level08@nebula:/home/flag08$ su flag08
Password:
sh-4.2$ whoami
flag08
sh-4.2$ getflag
You have successfully executed getflag on a target account
sh-4.2$
Success!
Thanks for reading!
-geoda