Table of contents
World readable files strike again. Check what that user was up to, and use it to log into flag08 account. To do this level, log in as the
level08
account with the passwordlevel08
. Files for this level can be found in/home/flag08
.
Source code
There is no source code available for this level.
Getting the flag
The .pcap
file is in the flag08
folder, let’s download it to the main machine and analyze it with Wireshark
. One of the ways could be spawning a SimpleHTTPServer
on the machine:
level08@nebula:/home/flag08$ python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
192.168.232.128 - - [17/Jun/2021 01:11:10] "GET / HTTP/1.1" 200 -
Open the .pcap
file with Wireshark
and follow the TCP stream
:
..%..%..&..... ..#..'..$..&..... ..#..'..$.. .....#.....'........... .38400,38400....#.SodaCan:0....'..DISPLAY.SodaCan:0......xterm.........."........!........"..".....b........b.... B.
..............................1.......!.."......"......!..........."........".."............. ..
.....................
Linux 2.6.38-8-generic-pae (::ffff:10.1.1.2) (pts/10)
..wwwbugs login: l.le.ev.ve.el.l8.8
..
Password: backdoor...00Rm8.ate
.
..
Login incorrect
wwwbugs login:
What a mess. Let’s look at it not in the ASCII
, but HEX
:
000000B2 6c l
000000C9 00 6c .l
000000B3 65 e
000000CB 00 65 .e
000000B4 76 v
000000CD 00 76 .v
000000B5 65 e
000000CF 00 65 .e
000000B6 6c l
000000D1 00 6c .l
000000B7 38 8
000000D3 00 38 .8
000000B8 0d .
000000D5 01 .
000000D6 00 0d 0a 50 61 73 73 77 6f 72 64 3a 20 ...Passw ord:
000000B9 62 b
000000BA 61 a
000000BB 63 c
000000BC 6b k
000000BD 64 d
000000BE 6f o
000000BF 6f o
000000C0 72 r
000000C1 7f .
000000C2 7f .
000000C3 7f .
000000C4 30 0
000000C5 30 0
000000C6 52 R
000000C7 6d m
000000C8 38 8
000000C9 7f .
000000CA 61 a
000000CB 74 t
000000CC 65 e
Huh, it seems those 7f
’s are the delete
character.
In that case, the password will be the backd00Rmate
.
Let’s try to su
to the user flag08
with it:
level08@nebula:/home/flag08$ su flag08
Password:
sh-4.2$ getflag
You have successfully executed getflag on a target account