Level 06 instructions
About
The flag06 account credentials came from a legacy unix system.
To do this level, log in as the level06 account with the password level06. Files for this level can be found in /home/flag06.
Source code
There is no source code available for this level
I start out by checking the /home/flag06 directory.
ls -al /home/flag06
total 5
drwxr-x--- 2 flag06 level06   66 2011-11-20 20:51 .
drwxr-xr-x 1 root   root     200 2012-08-27 07:18 ..
-rw-r--r-- 1 flag06 flag06   220 2011-05-18 02:54 .bash_logout
-rw-r--r-- 1 flag06 flag06  3353 2011-05-18 02:54 .bashrc
-rw-r--r-- 1 flag06 flag06   675 2011-05-18 02:54 .profile
It looks like there is nothing of interest in the home folder. The challenge says the flag06 account uses legacy unix credentials, so I check the /etc/passwd file for info on flag06.
grep flag06 /etc/passwd
Sure enough, this account has a password hash in the passwd file and does not use the shadow file. More info can be found on this topic here.
I’m running Kali2 as my operating system, which comes pre-loaded with a number of programs to crack password hashes. John the Ripper is one of my favorites for offline cracking. To run it against this hash I just create a text file containing the hash information, then point john at that file. I use the --show option to view any passwords that are successfully cracked.
echo "flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh" >hash.txt
john hash.txt --show
flag06:hello:993:993::/home/flag06:/bin/sh

1 password hash cracked, 0 left
That finished really quickly. It looks like the password is “hello” so I try logging in as flag06.
      _   __     __          __
     / | / /__  / /_  __  __/ /___ _
    /  |/ / _ \/ __ \/ / / / / __ `/
   / /|  /  __/ /_/ / /_/ / / /_/ /
  /_/ |_/\___/_.___/\__,_/_/\__,_/

    exploit-exercises.com/nebula

For level descriptions, please see the above URL.

To log in, use the username of "levelXX" and password "levelXX", where XX is the level number.

Currently there are 20 levels (00 - 19).

firstname.lastname@example.org's password:
I go ahead and try “hello” as the password.
Welcome to Ubuntu 11.10 (GNU/Linux 3.0.0-12-generic i686)

 * Documentation:  https://help.ubuntu.com/
New release '12.04 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

flag06@nebula:~$
Great, now to just get my flag!
You have successfully executed getflag on a target account
Most times john is not going to insta-crack passwords like this. However, this was an easily guessable password in an old format.
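The root cause in this level is a hash stored in the world-readable passwd file, in an old format. As an added example (not part of the original write-up), here is a small Python audit that flags passwd entries whose password field is anything other than a shadow placeholder or a lock marker, and names the hash format. The function names and the sample file are this example's own; the sample is constructed, apart from the flag06 line quoted above.

```python
import re

# Constructed sample: the flag06 line is the one quoted in this post;
# every other entry is made up for illustration.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh
svc_backup:$1$abcdefgh$0123456789abcdefghijkl:1001:1001::/home/svc:/bin/sh
guest::1002:1002::/home/guest:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

# Traditional crypt(3): 2 salt characters + 11 hash characters.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
MODULAR_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
               "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}

def classify(field):
    """Return a finding string for a passwd password field, or None if it is fine."""
    if field == "x":
        return None                      # hash lives in /etc/shadow
    if field == "":
        return "empty field: no password required"
    if field[0] in "*!":
        return None                      # locked / no password login
    if DES_CRYPT.match(field):
        return "traditional DES crypt in passwd (2-char salt, 8-char password limit)"
    m = re.match(r"^\$([0-9a-z]+)\$", field)
    if m:
        scheme = MODULAR_IDS.get(m.group(1), "unknown modular crypt id")
        return scheme + " hash in passwd (world-readable)"
    return "unrecognised value in password field"

def audit_passwd(text):
    """Return (line number, user, finding) for every entry that needs attention."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            findings.append((lineno, parts[0], "malformed entry"))
            continue
        issue = classify(parts[1])
        if issue:
            findings.append((lineno, parts[0], issue))
    return findings

if __name__ == "__main__":
    for lineno, user, issue in audit_passwd(SAMPLE_PASSWD):
        print(f"line {lineno}: {user}: {issue}")
```

On a real host, pass the contents of /etc/passwd to audit_passwd(); any finding means the entry should be moved to the shadow file and the password reset under a modern hash scheme.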