Nebula exploit exercises walkthrough – level06

The flag06 account credentials came from a legacy unix system.

Most Linux systems use a shadow password file. The normal /etc/passwd file is visible in the open (it is used to map userid -> name etc.), but it has no password hashs. These are stored in /etc/shadow, which is permissioned such that unprivileged users can’t see the hashes.

So, let’s take a look at /etc/passwd:

level06@nebula:~$ cat /etc/passwd | grep flag06
flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh
level06@nebula:~$ cat /etc/passwd | grep level06
level06:x:1007:1007::/home/level06:/bin/sh

Compare level06 (a normal account) to flag06 (legacy). ueqwOCnSGdsuM is the hash of their password.

It’s been a long time since I have done this, but the go-to password cracker was always John the Ripper, and it still appears to be that way.

This is available as a package in Ubuntu, so it could be installed with sudo apt-get install john. I don’t know the sudo password, so I can’t install this in the Nebula VM without using the admin account they give you. It’s perfectly possible to install it on your local machine, copy the passwd file across, and crack it there though.

andrew@Andrews-MacBook-Pro:~/nebula$ john passwd
Loaded 1 password hash (Traditional DES [128/128 BS SSE2-16])
hello            (flag06)
guesses: 1  time: 0:00:00:00 100% (2)  c/s: 75300  trying: 123456 - marley
Use the "--show" option to display all of the cracked passwords reliably

I ran it on my Mac and it got the password very quickly – it’s just hello. Login and run getflag.

Aside

I haven’t managed to find an online password cracker that deals with this type of password hash, which is surprising. It is quite old-school though.

One thought on “Nebula exploit exercises walkthrough – level06

  1. Permalink  ⋅ Reply

    marlon

    September 13, 2018 at 5:30pm

    I used two commands for this
    john passwd passwd –show it gave the following output
    flag06:hello:993:993::/home/flag06:/bin/sh
    flag06:hello:993:993::/home/flag06:/bin/sh

    and then with that in hand I just did a ssh to the box
    ssh -l flag06 localhost
    followed by the password

Leave a Reply to marlon Cancel reply

Your email will not be published. Name and Email fields are required.

This site uses Akismet to reduce spam. Learn how your comment data is processed.