In level08, we have a packet capture file to analyze. First we get the file to our local machine.
kroosec@dojo:~$ scp email@example.com:/home/flag08/capture.pcap cap.pcap
kroosec@dojo:~$ file cap.pcap
cap.pcap: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)
Opening the file in Wireshark, we see a single TCP connection between two hosts.
Using Wireshark's handy Follow TCP Stream feature, we see what looks like a login exchange (in clear text!).
The many "." after "Password:" are how Wireshark renders non-printable bytes; switching to the hex dump view shows their actual values.
In the ASCII table, 0x7F is the DEL character, which is what the terminal sends when the user hits backspace. Each DEL erases the previously typed character, so the sequence "b a c k d o o r DEL DEL DEL 0 0 R m 8 DEL a t e" is really "backd00Rmate". The trailing 0x0D is the carriage return generated by the ENTER key, which terminates the password.
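Doing the same reconstruction in code, so it can be applied to any captured keystroke stream rather than read off a hex dump by hand. This is an added example, not code from the original writeup; the byte string is constructed to match the sequence described above and is not extracted from capture.pcap. As an extension beyond the page's case it also treats 0x08 (BS) as a backspace, since some terminals send that instead of DEL.

```python
# Added example (not from the original writeup): replay the raw keystrokes seen in
# a "follow TCP stream" dump and recover the line the user actually submitted.

DEL = 0x7F   # ASCII DEL: what most terminals send for the backspace key
BS = 0x08    # ASCII BS: alternative backspace code (assumption, beyond the page's case)
CR = 0x0D    # carriage return, generated by ENTER
LF = 0x0A


def reconstruct_typed(raw: bytes) -> str:
    """Replay a keystroke stream and return the text as the remote side saw it.

    Each DEL or BS removes the previously typed character (if any); the first
    CR or LF terminates the input. Other control bytes are dropped.
    """
    buf = []
    for b in raw:
        if b in (DEL, BS):
            if buf:
                buf.pop()          # erase the last typed character
        elif b in (CR, LF):
            break                  # ENTER: the line is complete
        elif 0x20 <= b < 0x7F:
            buf.append(chr(b))     # printable ASCII
        # any other control byte (e.g. 0x00, 0x1B) is ignored
    return "".join(buf)


def recover_password(stream: bytes, prompt: bytes = b"Password: ") -> str:
    """Find the password prompt in a combined client/server stream and decode
    the keystrokes that follow it (the prompt name is an assumption matching
    the text; adjust it for other services)."""
    idx = stream.find(prompt)
    if idx == -1:
        raise ValueError("prompt not found in stream")
    return reconstruct_typed(stream[idx + len(prompt):])


# Constructed sample stream: server prompt, then the client's keystrokes as
# described in the writeup, then the server's reply.
SAMPLE_STREAM = (
    b"Password: "
    + b"backdoor" + bytes([DEL, DEL, DEL])
    + b"00Rm8" + bytes([DEL])
    + b"ate" + bytes([CR, LF])
    + b"Login successful\n"
)

if __name__ == "__main__":
    print(recover_password(SAMPLE_STREAM))
```

The same routine works on the "Save as raw" output of Wireshark's Follow TCP Stream, provided you feed it only the client-to-server direction or a stream in which the prompt precedes the keystrokes, as it does here.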
We log in to the flag08 account with the recovered password and run getflag:
You have successfully executed getflag on a target account