Monday, September 3, 2012

nebula level08

Level description:
World readable files strike again. Check what that user was up to, and use it to log into flag08 account.
Let's check out what's in flag08's home directory...
level08@nebula:~$ ls -l ~flag08
total 12
-rw-r--r-- 1 root root 8302 Nov 20  2011 capture.pcap
It's a packet capture file. Probably the best tool for examining these is wireshark.
You will probably want to have the pcap file in the host operating system. Using scp is one of the many ways to transfer it from the VM.

Opening capture.pcap in wireshark, we see a TCP connection between 59.233.235.218:39247 and 59.233.235.223:12121.

59.233.235.223:12121 being the server, TCP port 12121 doesn't bring any protocol of interest to mind. We could identify the protocol by finding unique fingerprints in the TCP stream, but the strings from capture.pcap might give away that information more easily.
level08@nebula:~$ strings ~flag08/capture.pcap
@f&N.
@f&N
@f&N
@f&N
%@f&N
@f&N
%@f&NZ
$@f&N
$@f&N
$@f&N)
@f&N
38400,38400
SodaCan:0
DISPLAY
SodaCan:0
xterm
@f&N0
!@f&N
!@f&NF
@f&N
@f&N
"@f&N
"@f&N0
@f&Nm-
@f&N
Linux 2.6.38-8-generic-pae (::ffff:10.1.1.2) (pts/10)
wwwbugs login: @f&NV.
Lf&N
lLf&Nf
lLf&N
Lf&N`
eLf&N
eLf&N
Lf&Ny
vLf&N#
vLf&N
;&Lf&Nu
;&eLf&N
eLf&Ne
We see that the client is trying to log in to some system called wwwbugs. The authentication is done in plaintext. This is usual in telnet connections. You could pull more information out of the packet capture by using 'Analyze->Decode as...' in wireshark, but you can also go ahead and examine the TCP stream directly, since the password is sent out in plaintext:

 The unprintable 7f characters represent ASCII DEL, which is sent when the client presses delete. Thus we need to emulate the client to emulate what the client typed in order to get the password, which probably also belongs to flag08 itself:
backd00Rmate
Let's try that...
level08@nebula:~$ su flag08
Password:
sh-4.2$ id
uid=991(flag08) gid=991(flag08) groups=991(flag08)
sh-4.2$ getflag
You have successfully executed getflag on a target account
Success :)

~ Dmitry

1 comment:

  1. Lucky Eagle Casino & Hotel - Mapyro
    Find reviews and information for 영주 출장안마 Lucky Eagle Casino & Hotel in Eagle Pass, IA. 부천 출장안마 1 Lucky Eagle 구리 출장샵 Way, 제주도 출장마사지 Eagle Pass, IA 계룡 출장샵 80601, 80601, 80601

    ReplyDelete