Tuesday, October 30, 2012

exploit-exercises Nebula: level08

In level08, we have a packet capture file to analyze. First we get the file to our local machine.

kroosec@dojo:~$ scp level08@192.168.56.101:/home/flag08/capture.pcap cap.pcap
kroosec@dojo:~$ file cap.pcap
cap.pcap: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)
Opening the file with Wireshark, we see a TCP connection between two hosts.

Using Wireshark's handy "Follow TCP Stream" feature, we see what looks like a login action, transmitted in clear text!
The many "." after "Password:" are non-printable characters, so we switch to the hex dump view to see their actual values.
In the ASCII table, 0x7F is the DEL character; each one erases the character typed just before it. This means that the sequence "b a c k d o o r DEL DEL DEL 0 0 R m 8 DEL a t e" is just "backd00Rmate". The 0x0D value is the carriage return generated by the ENTER key. Because the session is unencrypted, anyone who can capture the traffic recovers the password exactly as we did.
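As an added illustration (not part of the original writeup), here is a small Python routine that applies this DEL/backspace editing rule to a captured keystroke stream and pulls the reply typed after a prompt out of a reassembled stream. The sample bytes are constructed to mirror the sequence described above; the login name "user" is a placeholder.

```python
# Reconstruct what a user actually typed from the client->server bytes of a
# cleartext login session (what Wireshark's "Follow TCP Stream" shows).
# 0x7F (DEL) and 0x08 (BS) each erase the previously typed character; the
# line ends at the carriage return / line feed sent by the ENTER key.
DEL, BS, CR, LF = 0x7F, 0x08, 0x0D, 0x0A


def reconstruct_line(raw: bytes) -> str:
    """Apply DEL/BS editing to a keystroke stream, stopping at the first CR or LF."""
    buf = bytearray()
    for b in raw:
        if b in (CR, LF):
            break
        if b in (DEL, BS):
            if buf:            # DEL on an empty line is a no-op
                buf.pop()
            continue
        buf.append(b)
    return buf.decode("ascii", errors="replace")


def extract_field(stream: bytes, prompt: bytes) -> str:
    """Locate `prompt` (e.g. b"Password:") in a reassembled stream and
    reconstruct the line typed in reply to it."""
    idx = stream.find(prompt)
    if idx < 0:
        raise ValueError(f"prompt {prompt!r} not found in stream")
    reply = stream[idx + len(prompt):].lstrip(b" ")
    return reconstruct_line(reply)


# Constructed sample mirroring the capture described in the writeup:
# server prompts interleaved with the client's raw keystrokes.
SAMPLE_STREAM = (
    b"Login: user\r\n"
    b"Password: backdoor\x7f\x7f\x7f00Rm8\x7fate\r\n"
)

if __name__ == "__main__":
    print(extract_field(SAMPLE_STREAM, b"Password:"))  # backd00Rmate
```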
We log in to the flag08 user account using the newly found password, and getflag!
flag08@nebula:~$ getflag
You have successfully executed getflag on a target account
