- We are given the file level02.pcap
- pcap is a network traffic capture format that Wireshark can open
- (On the outer Linux/macOS host) Copy the pcap file to the outer host and make it readable
scp -P 4242 level02@<snow_crash VM IP adress>:/home/user/level02/level02.pcap .
chmod 777 ./level02.pcap
- (On the outer Linux/macOS host) Open the file in Wireshark
wireshark ./level02.pcap
- We see a log of TCP packets. To see the text they carried, right-click any packet -> Follow -> TCP Stream; this output appears:
..%..%..&..... ..#..'..$..&..... ..#..'..$.. .....#.....'........... .38400,38400....#.SodaCan:0....'..DISPLAY.SodaCan:0......xterm.........."........!........"..".....b........b.... B.
..............................1.......!.."......"......!..........."........".."............. ..
.....................
Linux 2.6.38-8-generic-pae (::ffff:10.1.1.2) (pts/10)
..wwwbugs login: l.le.ev.ve.el.lX.X
..
Password: ft_wandr...NDRel.L0L
.
..
Login incorrect
wwwbugs login:
- The most interesting part is the potential password: ft_wandr...NDRel.L0L. But it didn't work.
- So we inspect each TCP packet that carries characters of the password and see that the "." is not a literal dot: Wireshark prints any non-printable byte as a dot, and the byte here is 0x7F (hexadecimal). According to the ASCII table 0x7F is DELETE, i.e. the user pressed Delete on a typo while typing the password.
- Rewrite the password by applying each DELETE (remove the preceding character) instead of reading it as a dot: ft_waNDReL0L
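The step above can be done mechanically. The Python below is an added example (not part of the original writeup): it mimics the ASCII view of Follow TCP Stream, lists the control bytes hiding behind the dots, and replays DEL/BS editing to recover the line the server actually received. The byte string TYPED_PASSWORD is constructed to mirror the capture described above, not copied from level02.pcap.

```python
# Added example (not from the original writeup): reconstruct what a telnet
# client actually typed from a captured keystroke stream, honouring the
# control bytes that Wireshark's "Follow TCP Stream" renders as ".".
# TYPED_PASSWORD is constructed to mirror the capture described above
# (0x7F = DEL, 0x08 = BS); it is not copied from level02.pcap.

DEL = 0x7F        # ASCII DEL: terminal deletes the character before the cursor
BS = 0x08         # ASCII BS: most terminals treat it the same way
CR, LF = 0x0D, 0x0A

# Constructed client->server payload: the password line as it was typed,
# including three DEL presses after "ft_wandr" and one after "NDRel".
TYPED_PASSWORD = b"ft_wandr\x7f\x7f\x7fNDRel\x7fL0L\r\n"


def wireshark_ascii(data: bytes) -> str:
    """Mimic Follow TCP Stream's ASCII view: every non-printable byte becomes '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)


def dump_control_bytes(data: bytes) -> list:
    """Return (offset, hex) for every control byte; this is the check that
    exposes DEL hiding behind the dots in the ASCII view."""
    return [(i, f"0x{b:02X}") for i, b in enumerate(data) if b < 0x20 or b == 0x7F]


def reconstruct_line(data: bytes) -> str:
    """Apply DEL/BS editing to a raw keystroke stream and return the text
    the server would have received as the submitted line."""
    buf = []
    for b in data:
        if b in (DEL, BS):
            if buf:
                buf.pop()              # erase the previous character
        elif b in (CR, LF):
            break                      # end of the submitted line
        elif 0x20 <= b < 0x7F:         # printable ASCII only
            buf.append(chr(b))
        # any other control byte (telnet option negotiation etc.) is ignored
    return "".join(buf)


if __name__ == "__main__":
    print("as shown by Follow TCP Stream:", wireshark_ascii(TYPED_PASSWORD))
    print("control bytes:", dump_control_bytes(TYPED_PASSWORD))
    print("actually submitted:", reconstruct_line(TYPED_PASSWORD))
```

The same check is available inside Wireshark by switching the Follow TCP Stream view from ASCII to Hex Dump, where the 7f bytes are visible directly. The lesson for a defender is that telnet carries the whole session in cleartext, so a capture leaks the credential even when the user mistyped it; the editing keystrokes are in the stream too.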
- Switch to the flag02 user with the reconstructed password and get the flag:
su flag02
getflag
- The flag for level03 is: kooda2puivaav1idi4f57q8iq