Nebula level08

http://exploit-exercises.com/nebula/level08

World readable files strike again. Check what that user was up to, and use it to log into flag08 account.

To do this level, log in as the level08 account with the password level08. Files for this level can be found in /home/flag08.

The initial hint isn’t very useful. That being said, let’s jump straight into /home/flag08:

$ cd /home/flag08

$ ls

capture.pcap

OK, a pcap, so we have to deal with a network dump.

I think the best option is to use Wireshark; it is very clear when we click Follow TCP Stream. I also find tcpick to be a very great tool.

Upon executing tcpdump -qns 0 -A -r capture.pcap you’ll receive quite readable output, but alas I couldn’t figure this out with only tcpdump.

Here I should probably mention that I cheated in this challenge, namely I installed an additional package for analysing network dumps – tcpick.

With tcpick it was really quick.

$ tcpick -yP -C -r capture.pcap
(...)
Password:
b
a
c
k
d
o
o
r
.
.
.
0
0
R
m
8
.
a
t
e

.
.
.
Login incorrect
(...)

So we see the characters typed as the password. If you just try to type them after su flag08 it will fail; however, it’s easy to see why: the “.” characters between strings are backspaces, so the valid password is “backd00Rmate”. I think we must see the hex value 7f, then we can say it is DEL; of course, if you are sensitive, you could easily guess it!
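The backspace handling described above, as an added example (not part of the original post): it replays a client's keystroke bytes and applies the erase characters so the submitted line can be read off directly. The sample bytes are constructed from the tcpick output shown here, assuming each “.” is 0x7f; the handling of 0x08, Ctrl-U and Ctrl-W goes beyond the case in this capture.

```python
# Added example: replay terminal line editing over captured keystroke bytes.
DEL, BS = 0x7F, 0x08      # both erase the previous character
NAK, ETB = 0x15, 0x17     # Ctrl-U (kill line), Ctrl-W (erase word)
CR, LF = 0x0D, 0x0A


def replay_keystrokes(raw: bytes) -> list:
    """Return the lines actually submitted, after applying edit characters."""
    lines, buf, prev = [], [], None
    for byte in raw:
        if byte in (DEL, BS):
            if buf:                       # erasing an empty line is a no-op
                buf.pop()
        elif byte == NAK:
            buf.clear()
        elif byte == ETB:
            while buf and buf[-1] == " ":  # drop trailing spaces first
                buf.pop()
            while buf and buf[-1] != " ":  # then the word itself
                buf.pop()
        elif byte == CR or (byte == LF and prev != CR):
            lines.append("".join(buf))     # line submitted
            buf.clear()
        elif 0x20 <= byte < 0x7F:
            buf.append(chr(byte))          # printable ASCII is kept
        # anything else (NUL after CR, LF after CR, ...) is ignored
        prev = byte
    if buf:                                # unterminated trailing input
        lines.append("".join(buf))
    return lines


# Constructed sample: the password keystrokes from the tcpick output above,
# with every "." written as 0x7f and the final Enter as CR.
CAPTURED = b"backdoor\x7f\x7f\x7f00Rm8\x7fate\r"

if __name__ == "__main__":
    for line in replay_keystrokes(CAPTURED):
        print(line)
```
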

$ su flag08
sh-4.2$ /bin/getflag
You have successfully executed getflag on a target account

Lastly I would be glad if anyone could enlighten me how to solve this challenge with tcpdump.

