The flag06 account credentials came from a legacy unix system.
Most Linux systems use a shadow password file. The normal /etc/passwd file is world-readable (it is used to map user IDs to names, home directories, shells, and so on), but it contains no password hashes. Those are stored in /etc/shadow, which is permissioned so that unprivileged users can't read the hashes.
So, let’s take a look at /etc/passwd:
level06@nebula:~$ cat /etc/passwd | grep flag06
flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh
level06@nebula:~$ cat /etc/passwd | grep level06
level06:x:1007:1007::/home/level06:/bin/sh
Compare level06 (a normal account, whose password field is just x because the hash lives in /etc/shadow) to flag06 (legacy): ueqwOCnSGdsuM is the hash of its password, sitting in the world-readable file.
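The distinction above (an x in the password field versus an actual hash in the world-readable file) is exactly what a host audit should check for. The script below is an added example, not part of the original write-up: it parses /etc/passwd-style lines, classifies each password field (shadowed, locked, empty, or an in-line hash) and, for in-line hashes, identifies the format from its shape. Traditional DES crypt(3) is recognised by its fixed 13-character ./0-9A-Za-z form with no $ prefix, which is why john reported "Traditional DES" for flag06. The sample input is constructed for the example; apart from the two lines quoted from the level, the extra accounts and the md5crypt-looking hash are invented placeholders, not real hashes of anything.

```python
import re
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Constructed sample (not from any real host): the two lines quoted in the
# write-up plus a few other shapes a passwd file can contain.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
level06:x:1007:1007::/home/level06:/bin/sh
flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh
legacymd5:$1$saltsalt$qJH7.N4xYta3aEG/dfqo/0:1010:1010::/home/legacymd5:/bin/sh
nopass::1011:1011::/home/nopass:/bin/sh
locked:*:1012:1012::/home/locked:/usr/sbin/nologin
"""

# Traditional DES crypt(3): 2-char salt + 11-char result, all from ./0-9A-Za-z,
# no "$" prefix. This is the format john labelled "Traditional DES".
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Modular crypt format "$id$...": the id selects the algorithm.
MCF_IDS = {
    "1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt",
}


@dataclass
class Finding:
    user: str
    kind: str             # "shadowed", "locked", "empty" or "hash"
    algo: Optional[str]   # set only when kind == "hash"
    severity: str         # "ok", "high" or "critical"


def classify_password_field(field: str) -> Tuple[str, Optional[str], str]:
    """Classify the second field of a passwd line."""
    if field == "x":                       # hash lives in /etc/shadow
        return "shadowed", None, "ok"
    if field == "":                        # no password at all
        return "empty", None, "critical"
    if field.startswith(("*", "!")):       # account locked / no valid hash
        return "locked", None, "ok"
    if DES_CRYPT_RE.match(field):          # legacy DES hash in the open
        return "hash", "descrypt", "high"
    if field.startswith("$"):              # modular-crypt hash in the open
        algo = MCF_IDS.get(field.split("$")[1], "unknown-mcf")
        return "hash", algo, "high"
    return "hash", "unknown", "high"


def audit_passwd(text: str) -> List[Finding]:
    """Parse passwd-format text and return one Finding per well-formed entry."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:               # passwd entries have exactly 7 fields
            continue
        kind, algo, severity = classify_password_field(fields[1])
        findings.append(Finding(fields[0], kind, algo, severity))
    return findings


def world_readable_secrets(text: str) -> List[str]:
    """Usernames whose hash (or empty password) sits in the world-readable file."""
    return [f.user for f in audit_passwd(text) if f.kind in ("hash", "empty")]


def verify_descrypt(candidate: str, stored: str) -> Optional[bool]:
    """Check a candidate password against a DES crypt hash using libc crypt(3).

    The salt is the first two characters of the stored value. Returns None when
    the interpreter or libc does not provide DES crypt (the crypt module was
    removed in Python 3.13), so callers can tell "no" from "cannot check".
    """
    try:
        import crypt  # deprecated in 3.11, removed in 3.13
    except ImportError:
        return None
    result = crypt.crypt(candidate, stored[:2])
    return None if result is None else result == stored


if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f"{f.user:10} {f.kind:9} {f.algo or '-':12} {f.severity}")
    print("exposed:", world_readable_secrets(SAMPLE_PASSWD))
    print("flag06 == 'hello'?", verify_descrypt("hello", "ueqwOCnSGdsuM"))
```

Running it on a real host (`audit_passwd(open("/etc/passwd").read())`) should give an empty list from `world_readable_secrets`; any user it names is storing a hash, or no password at all, where every local account can read it. The `verify_descrypt` helper only confirms a known password against a known hash; cracking an unknown one is john's job, as the write-up shows.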
It’s been a long time since I have done this, but the go-to password cracker was always John the Ripper, and it still appears to be that way.
This is available as a package in Ubuntu, so it could be installed with sudo apt-get install john. I don’t know the sudo password, so I can’t install this in the Nebula VM without using the admin account they give you. It’s perfectly possible to install it on your local machine, copy the passwd file across, and crack it there though.
andrew@Andrews-MacBook-Pro:~/nebula$ john passwd
Loaded 1 password hash (Traditional DES [128/128 BS SSE2-16])
hello (flag06)
guesses: 1 time: 0:00:00:00 100% (2) c/s: 75300 trying: 123456 - marley
Use the "--show" option to display all of the cracked passwords reliably
I ran it on my Mac and it got the password very quickly – it’s just hello. Login and run getflag.
Aside
I haven’t managed to find an online password cracker that deals with this type of password hash, which is surprising. It is quite old-school though.
marlon
September 13, 2018 at 5:30pm
I used two commands for this
john passwd passwd --show it gave the following output
flag06:hello:993:993::/home/flag06:/bin/sh
flag06:hello:993:993::/home/flag06:/bin/sh
and then with that in hand I just did a ssh to the box
ssh -l flag06 localhost
followed by the password