Nebula level08 Walkthrough

Nebula is a vulnerable virtual machine which has a variety of weaknesses and vulnerabilities in a Linux system.

Description of level08
“World readable files strike again. Check what that user was up to, and use it to log into flag08 account. To do this level, log in as the level08 account with the password level08. Files for this level can be found in /home/flag08.”

Inspecting the /home/flag08

level08@nebula:/home/flag08$ ls
level08@nebula:/home/flag08$ file capture.pcap
capture.pcap: tcpdump capture file (little-endian) — version 2.4 (Ethernet, capture length 65535)

Transfer the pcap file to local machine for inspection by spinning up a Simple HTTP Server.

level08@nebula:/home/flag08$ python -m SimpleHTTPServer

We will use Wireshark to inspect the traffic.

Following the TCP Stream 0 we get the password “backdoor…00Rm8.ate”. But when we try to login to flag08 we are unable to do so.

Lets view the Hex Dump of the same stream.

Something doesn't seem right.

62 61 63 6b 64 6f 6f 72 7f 7f 7f 30 30 52 6d 38 7f 61 74 65 0d

The 7f in the above hex stands for a DEL. So the user has used the delete key to correct the password while typing.

So the new password is “backd00Rmate”. Lets try logging into flag08 account with the new password.

➜  ~ ssh flag08@
      _   __     __          __
/ | / /__ / /_ __ __/ /___ _
/ |/ / _ \/ __ \/ / / / / __ `/
/ /| / __/ /_/ / /_/ / / /_/ /
/_/ |_/\___/_.___/\__,_/_/\__,_/
For level descriptions, please see the above URL.
To log in, use the username of "levelXX" and password "levelXX", where
XX is the level number.
Currently there are 20 levels (00 - 19).
flag08@'s password:
Welcome to Ubuntu 11.10 (GNU/Linux 3.0.0-12-generic i686)
* Documentation:
New release '12.04 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
flag08@nebula:~$ getflag
You have successfully executed getflag on a target account
flag08@nebula:~$ id
uid=991(flag08) gid=991(flag08) groups=991(flag08)

Happy Hacking !!!