In level08, we have a packet capture file to analyze. First we get the file to our local machine.
[email protected]:~$ scp [email protected]:/home/flag08/capture.pcap cap.pcap
[email protected]:~$ file cap.pcap
cap.pcap: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)
Opening the file with Wireshark, we see a TCP connection between two hosts.
Using Wireshark's handy follow TCP stream feature, we see what looks like a login action (in clear text!)
The many "." after "Password:" are non-printable characters, and we switch to hex dump view to see their value.
In the ASCII table, the 0x7F value is the DEL character, which the terminal interprets as "erase the previous character". This means that the sequence "b a c k d o o r DEL DEL DEL 0 0 R m 8 DEL a t e" is just "backd00Rmate". The 0x0D value is the carriage return (generated by the ENTER key).
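The same reconstruction, automated, as an added example that is not part of the original write-up: the bytes following the prompt are a constructed sample matching the capture described above, and the function also treats 0x08 (backspace) and 0x0A (line feed) the way a line discipline would, which goes slightly beyond what the capture itself shows.

```python
# Added example (not the write-up's own code): replay a raw keystroke stream the
# way the remote end's line discipline sees it, so erase keys remove the previous
# character and the password that was actually received is recovered.

DEL = 0x7F   # what the ENTER/Backspace key sent in this capture
BS = 0x08    # alternative backspace code some terminals send (assumption)
CR = 0x0D    # carriage return: end of the typed line
LF = 0x0A    # line feed: also end of line

# Constructed sample of the bytes seen after "Password:" in the TCP stream.
SAMPLE_STREAM = b"Password: backdoor\x7f\x7f\x7f00Rm8\x7fate\r\n"


def show_raw(data: bytes) -> str:
    """Render non-printable bytes as <hh>, like a hex dump view, for inspection."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"<{b:02x}>" for b in data)


def cook_line(raw: bytes) -> str:
    """Return the line the remote end received once erase keys are applied."""
    buf = []
    for b in raw:
        if b in (CR, LF):          # ENTER ends the line
            break
        if b in (DEL, BS):         # erase the previous character, if any
            if buf:
                buf.pop()
            continue
        buf.append(chr(b))
    return "".join(buf)


def extract_password(stream: bytes, prompt: bytes = b"Password:") -> str:
    """Locate the prompt in the stream and cook whatever was typed after it."""
    idx = stream.find(prompt)
    if idx == -1:
        raise ValueError("prompt not found in stream")
    typed = stream[idx + len(prompt):].lstrip(b" ")
    return cook_line(typed)


if __name__ == "__main__":
    print(show_raw(SAMPLE_STREAM))
    print(extract_password(SAMPLE_STREAM))
```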
We log in to the flag08 user account using the newly found password, and getflag!
[email protected]:~$ getflag
You have successfully executed getflag on a target account