Exploit Exercises - Nebula 06

Nebula 06 is a retro challenge. The description of the problem says “The flag06 account credentials came from a legacy unix system.” This instantly made me think to check out the password file, /etc/passwd. Back in “the old days”, Unix systems stored their passwords in /etc/passwd. But due to having the passwords where everyone could see them, they ended up moving towards password shadowing, where they stored the actual passwords in /etc/shadow, but kept the same user data in /etc/passwd.

In the /etc/passwd file I found a snippet for the flag06 user, with the old-fashioned password encrypted:

flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh

To crack this, I went to my trusty BackTrack virtual machine, and ran John the Ripper against it.

root@bt:/pentest/passwords/john# echo 'flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh' > /root/flag06
root@bt:/pentest/passwords/john# ./john /root/flag06 
Loaded 1 password hash (Traditional DES [128/128 BS SSE2])
hello            (flag06)
guesses: 1  time: 0:00:00:00 100.00% (2) (ETA: Fri Dec  2 09:51:10 2011)  c/s: 7530  trying: 12345 - biteme

Thanks to John, I now know the flag06 password is “hello”. So I ssh locally, and run “getflag” to complete the challenge.

level06@nebula:/home/flag06$ ssh flag06@localhost

      _   __     __          __
     / | / /__  / /_  __  __/ /___ _
    /  |/ / _ \/ __ \/ / / / / __ `/
   / /|  /  __/ /_/ / /_/ / / /_/ /
  /_/ |_/\___/_.___/\__,_/_/\__,_/

    exploit-exercises.com/nebula


For level descriptions, please see the above URL.

To log in, use the username of "levelXX" and password "levelXX", where
XX is the level number.

Currently there are 20 levels (00 - 19).


flag06@localhost's password:
Welcome to Ubuntu 11.10 (GNU/Linux 3.0.0-12-generic i686)

 * Documentation:  https://help.ubuntu.com/
Last login: Fri Dec  2 06:51:34 2011 from localhost
flag06@nebula:~$ getflag
You have successfully executed getflag on a target account

There you have it. Level 06 complete, with a warm and fuzzy look back in history.
