The flag06 account credentials came from a legacy unix system.
Most Linux systems use a shadow password file. The normal /etc/passwd file is visible in the open (it is used to map userid -> name etc.), but it has no password hashes. These are stored in /etc/shadow, which is permissioned such that unprivileged users can’t see the hashes.
So, let’s take a look at /etc/passwd:
level06@nebula:~$ cat /etc/passwd | grep flag06
flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh
level06@nebula:~$ cat /etc/passwd | grep level06
level06:x:1007:1007::/home/level06:/bin/sh
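Compare level06 (a normal account) to flag06 (legacy). The x in level06's password field means the hash is held in /etc/shadow, whereas flag06 carries its hash directly in the world-readable file: ueqwOCnSGdsuM is the hash of their password.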
It’s been a long time since I have done this, but the go-to password cracker was always John the Ripper, and it still appears to be that way.
This is available as a package in Ubuntu, so it could be installed with sudo apt-get install john. I don’t know the sudo password, so I can’t install this in the Nebula VM without using the admin account they give you. It’s perfectly possible to install it on your local machine, copy the passwd file across, and crack it there though.
andrew@Andrews-MacBook-Pro:~/nebula$ john passwd
Loaded 1 password hash (Traditional DES [128/128 BS SSE2-16])
hello            (flag06)
guesses: 1  time: 0:00:00:00 100% (2)  c/s: 75300  trying: 123456 - marley
Use the "--show" option to display all of the cracked passwords reliably
I ran it on my Mac and it got the password very quickly – it’s just hello. Log in and run getflag.
I haven’t managed to find an online password cracker that deals with this type of password hash, which is surprising. It is quite old-school though.