Exploit-Education Nebula Level 08

4 minute read

Exploit Education Level 8

Challenge

World readable files strike again. Check what that user was up to, and use it to log into flag08 account.
To do this level, log in as the level08 account with the password level08. Files for this level can be found in /home/flag08.

Analysis

Lets take a look at the files

level08@nebula:/home/flag08$ ll
total 14
drwxr-x--- 2 flag08 level08   86 2012-08-19 03:07 ./
drwxr-xr-x 1 root   root      60 2012-08-27 07:18 ../
-rw-r--r-- 1 flag08 flag08   220 2011-05-18 02:54 .bash_logout
-rw-r--r-- 1 flag08 flag08  3353 2011-05-18 02:54 .bashrc
-rw-r--r-- 1 root   root    8302 2011-11-20 21:22 capture.pcap
-rw-r--r-- 1 flag08 flag08   675 2011-05-18 02:54 .profile
level08@nebula:/home/flag08$ cp capture.pcap /home/level08
level08@nebula:/home/flag08$ cd /home/level08

It looks like a pcap file with read permissions. Lets copy it to our directory. pcap files can be easily analyzed using wireshark or tcpdump. But since we don’t have either of those installed so lets try using tcpflow

level08@nebula:~$ tcpflow -s -r capture.pcap
level08@nebula:~$ ls
059.233.235.218.39247-059.233.235.223.12121  059.233.235.223.12121-059.233.235.218.39247  capture.pcap

This indicates the flow of traffic to and from two ip address. Lets analyze using hexdump

level08@nebula:~$ hd 059.233.235.223.12121-059.233.235.218.39247
00000000  ff fd 25 ff fb 26 ff fd  18 ff fd 20 ff fd 23 ff  |..%..&..... ..#.|
00000010  fd 27 ff fd 24 ff fa 20  01 ff f0 ff fa 23 01 ff  |.'..$.. .....#..|
00000020  f0 ff fa 27 01 ff f0 ff  fa 18 01 ff f0 ff fb 03  |...'............|
00000030  ff fd 01 ff fd 22 ff fd  1f ff fb 05 ff fd 21 ff  |....."........!.|
00000040  fa 22 01 03 ff f0 ff fa  21 03 ff f0 ff fb 01 ff  |."......!.......|
00000050  fd 00 ff fe 22 ff fa 22  03 03 e2 03 04 82 0f 07  |....".."........|
00000060  e2 1c 08 82 04 09 c2 1a  0a 82 7f 0b 82 15 0f 82  |................|
00000070  11 10 82 13 11 82 ff ff  12 82 ff ff ff f0 0d 0a  |................|
00000080  4c 69 6e 75 78 20 32 2e  36 2e 33 38 2d 38 2d 67  |Linux 2.6.38-8-g|
00000090  65 6e 65 72 69 63 2d 70  61 65 20 28 3a 3a 66 66  |eneric-pae (::ff|
000000a0  66 66 3a 31 30 2e 31 2e  31 2e 32 29 20 28 70 74  |ff:10.1.1.2) (pt|
000000b0  73 2f 31 30 29 0d 0a 0a  01 00 77 77 77 62 75 67  |s/10).....wwwbug|
000000c0  73 20 6c 6f 67 69 6e 3a  20 00 6c 00 65 00 76 00  |s login: .l.e.v.|
000000d0  65 00 6c 00 38 01 00 0d  0a 50 61 73 73 77 6f 72  |e.l.8....Passwor|
000000e0  64 3a 20 00 0d 0a 01 00  0d 0a 4c 6f 67 69 6e 20  |d: .......Login |
000000f0  69 6e 63 6f 72 72 65 63  74 0d 0a 77 77 77 62 75  |incorrect..wwwbu|
00000100  67 73 20 6c 6f 67 69 6e  3a 20                    |gs login: |
0000010a

The strings Login: and Password suggest that this is the tcp flow from server requesting login. Lets look at the other file

level08@nebula:~$ hd 059.233.235.218.39247-059.233.235.223.12121
00000000  ff fc 25 ff fe 26 ff fb  18 ff fb 20 ff fb 23 ff  |..%..&..... ..#.|
00000010  fb 27 ff fc 24 ff fa 20  00 33 38 34 30 30 2c 33  |.'..$.. .38400,3|
00000020  38 34 30 30 ff f0 ff fa  23 00 53 6f 64 61 43 61  |8400....#.SodaCa|
00000030  6e 3a 30 ff f0 ff fa 27  00 00 44 49 53 50 4c 41  |n:0....'..DISPLA|
00000040  59 01 53 6f 64 61 43 61  6e 3a 30 ff f0 ff fa 18  |Y.SodaCan:0.....|
00000050  00 78 74 65 72 6d ff f0  ff fd 03 ff fc 01 ff fb  |.xterm..........|
00000060  22 ff fa 22 03 01 00 00  03 62 03 04 02 0f 05 00  |"..".....b......|
00000070  00 07 62 1c 08 02 04 09  42 1a 0a 02 7f 0b 02 15  |..b.....B.......|
00000080  0f 02 11 10 02 13 11 02  ff ff 12 02 ff ff ff f0  |................|
00000090  ff fb 1f ff fa 1f 00 b1  00 31 ff f0 ff fd 05 ff  |.........1......|
000000a0  fb 21 ff fa 22 01 07 ff  f0 ff fd 01 ff fb 00 ff  |.!.."...........|
000000b0  fc 22 6c 65 76 65 6c 38  0d 62 61 63 6b 64 6f 6f  |."level8.backdoo|
000000c0  72 7f 7f 7f 30 30 52 6d  38 7f 61 74 65 0d        |r...00Rm8.ate.|
000000ce

The strings level8 seems to the username and password might be backdoor

Lets try password backdoor on account flag08

level08@nebula:~$ su -l flag08
Password:
su: Authentication failure

Nope it failed. Lets take a closer look at the password part

000000b0  fc 22 6c 65 76 65 6c 38  0d 62 61 63 6b 64 6f 6f  |."level8.backdoo|
000000c0  72 7f 7f 7f 30 30 52 6d  38 7f 61 74 65 0d        |r...00Rm8.ate.|

there seems to be few 7fs in there. 7f in hex stands for DEL so the user typed backdoor then then deleted 3 letters (three 7f) then typed 00Rm8 and then one more delete and then typed ate so the password is backd00Rmate

Lets try it

level08@nebula:~$ su -l flag08
Password:
flag08@nebula:~$ getflag
You have successfully executed getflag on a target account

And bingo!

Solved

You may also enjoy

Blind RCE and DNS Exfilteration

6 minute read

Description: I was doing a security testing against a web server running WebLogic. A potential RCE due to CVE-2019-2725 was reported and I was verifying it. I was following the PoC given here.

Hack The Box - Forest Writeup

8 minute read

Description: Forest is a easy level box that can be really helpful to practice some AD related attacks. Although rated as easy, it was a medium box for me considering that all attack vectors where pretty new to me.