Nebula - level08

This is my ninth post on the Nebula series hosted by Exploit Exercises

We start off with understanding what is being asked of us:


World readable files strike again. Check what that user was up to, and use it to log into flag08 account.
To do this level, log in as the level08 account with the password level08. Files for this level can be found in /home/flag08.

Source code

There is no source code available for this level

With no source code. I follow the instructions and ssh to the server as level08 and navigate to /home/flag08:

level08@nebula:~$ cd /home/flag08/
level08@nebula:/home/flag08$ ls -lah
total 14K
drwxr-x--- 2 flag08 level08   86 2012-08-19 03:07 .
drwxr-xr-x 1 root   root      60 2012-08-27 07:18 ..
-rw-r--r-- 1 flag08 flag08   220 2011-05-18 02:54 .bash_logout
-rw-r--r-- 1 flag08 flag08  3.3K 2011-05-18 02:54 .bashrc
-rw-r--r-- 1 root   root    8.2K 2011-11-20 21:22 capture.pcap
-rw-r--r-- 1 flag08 flag08   675 2011-05-18 02:54 .profile

Looks like we have a .pcap file. So what do I do? I download it of course! I pull the file down via netcat:

With the .pcap file saved locally. I fire up Wireshark and open the file:

With the file loaded into Wireshark, it is time to start looking around. I follow TCP Stream:

Excellent! Looks like the password is:


However, it failed. Hmm. I switch my view from ASCII to HEX to see if I am missing anything.

So I have my hexidecimal value on the 2nd column on the left and the ASCII representation on the far right column. I notice that 7f is an unfamiliar HEX to me. So, I start looking up what each HEX representation is, 62 = b, 61 = a, etc until I reached 7f:

Ah-ha. 7f is the "delete" key. My assumption is that the simulated "user" typed his password incorrectly a few times and had to delete it, hence the "delete" key being captured.

Following the hex stream as if it were a user typing, we come up with:


To test my theory, I switch to the flag08 user:

level08@nebula:/home/flag08$ su flag08
sh-4.2$ whoami
sh-4.2$ getflag
You have successfully executed getflag on a target account


Thanks for reading!