Exploit Exercises – Nebula – Level 08

I must admit I needed a bit of help with his one, I had most of it but not quite all. It started with the following information:

World readable files strike again. Check what that user was up to, and use it to log into flag08 account.
To do this level, log in as the level08 account with the password level08 . Files for this level can be found in /home/flag08.

So in ~flag08 there is one file of interest; capture.pcap. This is some captured network traffic. I copied this file onto my Macbook and opened it up in wireshark and spent some time looking through it. I found some interesting information like frame 43 contained a password prompt (the text “Password:”) from the server, followed by an ack from the client, then all subsequent packet exchanges contained 1 byte of TCP payload data from the client followed by an empty TCP ack packet from the server. Going through the packets, I could see that the user had sent: “backdoor…00Rm8.ate.” and then the server had replied “Login incorrect”. If we right click on a packet in the stream and select Follow TCP stream, we can see this a bit clearer.

But “backdoor…00Rm8.ate.” is not the password for flag08’s account, we need more investigation. While in the Follow TCP stream view, I selected hex dump view, and I can see that all the dots are not the same byte. Presumably they are all ascii, so I checked the ascii codes; 7f=backspace, 0d=Carriage-return.

So the password was “backd00Rmate”, this just so happens to be the password for flag08’s account.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.