Nebula Level 06

Level 06 instructions

About
The flag06 account credentials came from a legacy unix system.

To do this level, log in as the level06 account with the password level06. Files for this level can be found in /home/flag06.

Source code
There is no source code available for this level


I start out by checking the /home/flag06 directory

ls -al /home/flag06
total 5
drwxr-x--- 2 flag06 level06   66 2011-11-20 20:51 .
drwxr-xr-x 1 root   root     200 2012-08-27 07:18 ..
-rw-r--r-- 1 flag06 flag06   220 2011-05-18 02:54 .bash_logout
-rw-r--r-- 1 flag06 flag06  3353 2011-05-18 02:54 .bashrc
-rw-r--r-- 1 flag06 flag06   675 2011-05-18 02:54 .profile

It looks like there is nothing of interest in the home folder. The challenge says the flag06 account uses legacy unix credentials, so I check the /etc/passwd file for info on flag06.

grep flag06 /etc/passwd
flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh

Sure enough, this account has a password hash in the passwd file and does not use the shadow file. More info can be found on this topic here.
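As an added example (not part of the original write-up), here is a small audit that flags passwd entries like the one above, where field 2 holds a hash or is empty instead of the shadow placeholder x. Every line in SAMPLE except the flag06 entry is constructed, and the function names are my own.

```python
import re

# Traditional crypt(3): 2-char salt + 11-char hash, 13 chars from [./0-9A-Za-z].
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")
# Modular crypt format: $id$... where id names the scheme.
MODULAR = re.compile(r"\$([0-9a-z]+)\$.+")
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}

def classify(field):
    """Return what kind of value sits in field 2 of a passwd entry."""
    if field == "x":
        return "shadowed"            # real hash lives in /etc/shadow
    if field == "":
        return "empty"               # no password set at all
    body = field.lstrip("!")         # a leading '!' marks a locked account
    if body in ("", "*"):
        return "locked"
    if DES_CRYPT.fullmatch(body):
        return "des-crypt"
    m = MODULAR.fullmatch(body)
    if m:
        return SCHEMES.get(m.group(1), "modular-crypt")
    return "unknown"

def audit(passwd_text):
    """List (user, kind) for entries whose password field is world-readable or empty."""
    findings = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if line.startswith("#") or len(parts) < 7:
            continue                 # comment or malformed entry
        kind = classify(parts[1])
        if kind not in ("shadowed", "locked"):
            findings.append((parts[0], kind))
    return findings

# Constructed sample; only the flag06 line is taken from the level itself.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh
svc_old:$1$c0nstruc$AAAAAAAAAAAAAAAAAAAAAA:1001:1001::/home/svc_old:/bin/sh
guest::1002:1002::/home/guest:/bin/sh
"""

if __name__ == "__main__":
    for user, kind in audit(SAMPLE):
        print(f"{user}: {kind} value in world-readable passwd field")
```

To check a real host, pass the contents of /etc/passwd to audit() instead of SAMPLE.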

I’m running Kali2 as my operating system, which comes pre-loaded with a number of programs to crack password hashes. John the Ripper is one of my favorites for offline cracking. To run it against this hash I just create a text file containing the hash information, then point john at that file. I use the --show option to view any passwords that are successfully cracked.

echo "flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh" >hash.txt
john hash.txt --show
flag06:hello:993:993::/home/flag06:/bin/sh

1 password hash cracked, 0 left

That finished really quickly. It looks like the password is “hello” so I try logging in as flag06.

ssh flag06@127.0.0.1
 
      _   __     __          __     
     / | / /__  / /_  __  __/ /___ _
    /  |/ / _ \/ __ \/ / / / / __ `/
   / /|  /  __/ /_/ / /_/ / / /_/ / 
  /_/ |_/\___/_.___/\__,_/_/\__,_/  
                                    
    exploit-exercises.com/nebula


For level descriptions, please see the above URL.

To log in, use the username of "levelXX" and password "levelXX", where
XX is the level number.

Currently there are 20 levels (00 - 19).


flag06@127.0.0.1's password:

I go ahead and try “hello” as the password.

Welcome to Ubuntu 11.10 (GNU/Linux 3.0.0-12-generic i686)

 * Documentation:  https://help.ubuntu.com/
New release '12.04 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

flag06@nebula:~$

Great, now to just get my flag!

getflag
You have successfully executed getflag on a target account

Most times john is not going to insta-crack passwords like this. However, this was an easily guessable password in an old format.