Skip to content

Nebula Level08: A Newbie’s Approach

In this challenge, we will need to analyze a pcap file in order to discover the password to flag08 account. Level08 will make us use some very useful tools, like Wireshark or tcpdump. I’ll use Wireshark because I more acquainted with it, but you can use any other tool of network traffic analysis. Actually, I’ve been using tcpdump on daily basis, but I think I don’t yet have the skills to solve the level08 challenge.

What you’ll need to know…

  • Wireshark
  • Basic Unix Commands

Level08

For level08 challenge, we have a pcap file under the /home/flag08 folder. If you want to analyze the file inside the virtual machine, it’s probably better to use tcpdump, but I advise you to extract the file to some environment where you have access to Wireshark.

So, when you fire up Wireshark, you can notice two things right away. First, all the communication is done through TCP and second, the only parties involved in this connection are 59.233.235.218 and 59.233.235.223. You can start by analyzing all the data in every single TCP packet, but it’s better if you make use of Wireshark capabilities, and reconstruct the entire communication in a more friendly way. To do so, right click in one packet and select “Follow TCP Stream”.

wireshark

When you do this, a small window pops up, with the data of all packets assembled, so you can understand what is going on.

data

The red packets are the ones that the client sent and in blue those that the server sent. Notice that at the bottom of the window, you can see that the data is presented as ASCII.

Every time that Wireshark can’t print a character, it will replace that character with a dot, that’s why you see a password like “backdoor…00Rm8.ate”. To understand what the dots are, we can analyze all the data in the packets OR… we can display the data as “Hex Dump” (Work smarter, not harder…).

Hex Dump Data

In the middle column, you can see the ASCII codes that represents mostly letters. Also, all the dots (except the last one) represent the “7F” ASCII code which is the “DEL” character. The last dot is the “CR”, carriage return, which basically means the enter key was pressed. This, means that every time one dot pops up, a character of the password was deleted. This makes our password be “backd00Rmate”.

Let’s try to login in flag08 account and get the flag to level08 challenge.

Level08 solution

We did it!

Challenges completed: 9/20

Mitigation

I think that the first solution that comes to me is not using this kind of applications, I mean, whose data is transferred as clear text (aka unencrypted) through the wire.

One good example here, is the Telnet protocol which sends everything in clear text. I think is now safe to say that the majority of admins (or people in general) prefer to use SSH, which does not sent unencrypted traffic and is much more robust when compared to Telnet.

Walkthrough

Further Reading

Published inNebulaUncategorized