We start off with understanding what is being asked of us:
About
The flag06 account credentials came from a legacy unix system. To do this level, log in as the level06 account with the password level06. Files for this level can be found in /home/flag06.
Source code
There is no source code available for this level
With our information in hand, let's SSH into the box as level06 and access the /home/flag06 directory. Knowing that the flag06 account credentials came from a legacy unix system, we cat the /etc/passwd file and grep for that user:
level06@nebula:/home/flag06$ cat /etc/passwd | grep flag06
flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh
level06@nebula:/home/flag06$
Legacy Unix systems stored the user's password directly in the /etc/passwd file, which every local user can read. This password was usually hashed and salted. Nowadays, passwords are stored in the /etc/shadow file with very strict access.
Let's pull this down and see if we can crack it. I echo the content to a local file on my machine and run John against it:
eric@geoda:~/Documents/vulnhub/nebula$ echo "flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh" > flag06
eric@geoda:~/Documents/vulnhub/nebula$ sudo john ./flag06
Using default input encoding: UTF-8
Loaded 1 password hash (descrypt, traditional crypt(3) [DES 128/128 AVX-16])
Press 'q' or Ctrl-C to abort, almost any other key for status
hello            (flag06)
1g 0:00:00:00 DONE 2/3 (2017-03-04 09:17) 33.33g/s 25000p/s 25000c/s 25000C/s 123456..marley
Use the "--show" option to display all of the cracked passwords reliably
Session completed
eric@geoda:~/Documents/vulnhub/nebula$
Success! We cracked the password. I then SSH in as flag06 with the cracked password and run getflag:
level06@nebula:/home/flag06$ ssh flag06@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is ea:8d:09:1d:f1:69:e6:1e:55:c7:ec:e9:76:a1:37:f0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
    _   __     __          __
   / | / /__  / /_  __  __/ /___ _
  /  |/ / _ \/ __ \/ / / / / __ `/
 / /|  /  __/ /_/ / /_/ / / /_/ /
/_/ |_/\___/_.___/\__,_/_/\__,_/
exploit-exercises.com/nebula
For level descriptions, please see the above URL.
To log in, use the username of "levelXX" and password "levelXX", where XX is the level number.
Currently there are 20 levels (00 - 19).
flag06@localhost's password:
Welcome to Ubuntu 11.10 (GNU/Linux 3.0.0-12-generic i686)
 * Documentation: https://help.ubuntu.com/
New release '12.04 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
flag06@nebula:~$ getflag
You have successfully executed getflag on a target account
flag06@nebula:~$
This shows us how important the /etc/shadow file has become. Leaving password hashes inside the /etc/passwd file, even hashed and salted, gives every user visibility of them, and that can be costly.
Additionally, always use the strongest hash possible, and be sure to use it in combination with a salt!
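To check a system for the misconfiguration this level relies on, the following audit flags every /etc/passwd entry whose password field holds a hash (or nothing at all) instead of deferring to /etc/shadow. It is an added example, not part of the original write-up; the function names are hypothetical, and the sample file is constructed apart from the flag06 line shown earlier.

```python
import re

# Constructed sample in /etc/passwd format. The flag06 line is the one from
# this level; the other accounts and the $1$ value are made up for the demo.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh
olduser:$1$c0nstruc$placeholderplaceholder:1001:1001::/home/olduser:/bin/sh
nopass::1002:1002::/home/nopass:/bin/sh
"""

# Traditional DES crypt(3): 2 salt chars + 11 hash chars from [./0-9A-Za-z].
DESCRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt format: $<id>$<salt>$<hash>
MODULAR = re.compile(r"^\$([0-9a-z]+)\$")
MODULAR_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}


def classify(field):
    """Return a finding for a passwd password field, or None if it is fine."""
    if field == "x" or field[:1] in ("*", "!"):
        return None  # shadowed, or locked / no login
    if field == "":
        return "empty password field"
    if DESCRYPT.match(field):
        return "descrypt hash exposed (salt %r)" % field[:2]
    m = MODULAR.match(field)
    if m:
        return "%s hash exposed" % MODULAR_IDS.get(m.group(1), "$%s$" % m.group(1))
    return "unrecognised non-shadow value"


def audit_passwd(text):
    """Map username -> finding for every entry not deferring to /etc/shadow."""
    findings = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue  # blank or malformed line
        finding = classify(parts[1])
        if finding:
            findings[parts[0]] = finding
    return findings


if __name__ == "__main__":
    for user, finding in audit_passwd(SAMPLE_PASSWD).items():
        print("%-8s %s" % (user, finding))
```

On a real host, pass the contents of /etc/passwd to audit_passwd; any account it reports should be migrated to /etc/shadow and have its password reset.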
Thanks for reading!
-geoda