World readable files strike again. Check what that user was up to, and use it to log into flag08 account.
Let's check out what's in flag08's home directory...
level08@nebula:~$ ls -l ~flag08
total 12
-rw-r--r-- 1 root root 8302 Nov 20 2011 capture.pcap
It's a packet capture file. Probably the best tool for examining these is Wireshark.
You will probably want to have the pcap file in the host operating system. Using scp is one of the many ways to transfer it from the VM.
Opening capture.pcap in Wireshark, we see a TCP connection between 184.108.40.206:39247 and 220.127.116.11:12121.
With 18.104.22.168:12121 being the server, TCP port 12121 doesn't bring any protocol of interest to mind. We could identify the protocol by finding unique fingerprints in the TCP stream, but the strings from capture.pcap might give away that information more easily.
level08@nebula:~$ strings ~flag08/capture.pcap
@f&N. @f&N @f&N @f&N %@f&N @f&N %@f&NZ $@f&N $@f&N $@f&N) @f&N 38400,38400 SodaCan:0 DISPLAY SodaCan:0 xterm @f&N0 !@f&N !@f&NF @f&N @f&N "@f&N "@f&N0 @f&Nm- @f&N Linux 2.6.38-8-generic-pae (::ffff:10.1.1.2) (pts/10) wwwbugs login: @f&NV. Lf&N lLf&Nf lLf&N Lf&N` eLf&N eLf&N Lf&Ny vLf&N# vLf&N ;&Lf&Nu ;&eLf&N eLf&Ne
We see that the client is trying to log in to some system called wwwbugs. The authentication is done in plaintext. This is usual in telnet connections. You could pull more information out of the packet capture by using 'Analyze->Decode as...' in Wireshark, but you can also go ahead and examine the TCP stream directly, since the password is sent out in plaintext:
The unprintable 7f characters represent ASCII DEL, which is sent when the client presses delete. Thus we need to replay what the client typed, applying each delete, in order to get the password, which probably also belongs to flag08 itself:
backd00Rmate
Let's try that...
level08@nebula:~$ su flag08
Password:
sh-4.2$ id
uid=991(flag08) gid=991(flag08) groups=991(flag08)
sh-4.2$ getflag
You have successfully executed getflag on a target account
Success :)
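
The DEL-replay step described above can be done mechanically when reviewing a captured telnet session. The following is an added example, not code from the original write-up; it goes slightly beyond the text by also handling backspace (0x08) and skipping telnet IAC negotiation bytes, and `SAMPLE` is a constructed byte string (with a made-up user name) chosen to collapse to the password shown above, not bytes copied from capture.pcap.

```python
# Added example: rebuild typed lines from telnet client-to-server bytes.
IAC, SB, SE = 0xFF, 0xFA, 0xF0     # telnet command bytes (RFC 854)
DEL, BS = 0x7F, 0x08               # both erase the previous character
LINE_END = {0x0D, 0x0A, 0x00}      # CR, LF, and the NUL sent after a bare CR


def strip_telnet_commands(data: bytes) -> bytes:
    """Drop IAC command sequences so only keystroke bytes remain."""
    out, i = bytearray(), 0
    while i < len(data):
        nxt = data[i + 1] if i + 1 < len(data) else None
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif nxt == IAC:                   # escaped literal 0xFF data byte
            out.append(IAC)
            i += 2
        elif nxt == SB:                    # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end == -1 else end + 2
        elif nxt is not None and 0xFB <= nxt <= 0xFE:  # WILL/WONT/DO/DONT + option
            i += 3
        else:                              # other two-byte command, e.g. NOP
            i += 2
    return bytes(out)


def replay_keystrokes(data: bytes) -> list[str]:
    """Apply DEL/BS edits; return each line as the remote line editor saw it."""
    lines, buf = [], []
    for b in strip_telnet_commands(data):
        if b in (DEL, BS):
            if buf:                        # delete on an empty line is a no-op
                buf.pop()
        elif b in LINE_END:
            if buf:
                lines.append("".join(buf))
                buf = []
        else:
            buf.append(chr(b))
    if buf:                                # capture ended before Enter
        lines.append("".join(buf))
    return lines


# Constructed sample (not bytes copied from capture.pcap): option negotiation,
# a made-up user name, then a password typed with corrections.
SAMPLE = b"\xff\xfb\x18exampleuser\r\x00backdoor\x7f\x7f\x7f00Rm8\x7fate\r\x00"

if __name__ == "__main__":
    print(replay_keystrokes(SAMPLE))
```

Feed it only the client-to-server half of the stream; the server's echo of each keystroke would otherwise be replayed as well.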