Wednesday, August 8, 2012

nebula level06

Here we are, ready to pwn another level. As usual, we read the level details first: http://exploit-exercises.com/nebula/level06.
The flag06 account credentials came from a legacy unix system.
This probably means that the password hash is stored in the /etc/passwd file (as opposed to /etc/shadow, which is only readable by root). That is also where it used to be stored in the old days (before ~1988, see http://en.wikipedia.org/wiki/Shadow_password#History). Let's verify that.
level06@nebula:~$ grep flag06 /etc/passwd
flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh
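A defender-side check for what we just confirmed by hand: the script below, an added example that is not part of the original post or of Nebula, parses passwd-format records and reports accounts whose password field carries a hash (or nothing at all) instead of the "x" that defers to /etc/shadow. The flag06 record is the one from the grep output above; the other records are constructed.

```python
import re
# Added example for this write-up (not from the original post or from Nebula):
# flag which /etc/passwd records carry a password hash instead of "x".
# Traditional DES crypt(3): 2 salt chars + 11 hash chars, alphabet [A-Za-z0-9./]
_DES_RE = re.compile(r"^[A-Za-z0-9./]{13}$")
# Modular crypt format: $1$ MD5, $5$ SHA-256, $6$ SHA-512, $y$ yescrypt, ...
_MCF_RE = re.compile(r"^\$[A-Za-z0-9]+\$")

def classify_password_field(field):
    """Label the second (password) field of a passwd record."""
    if field == "x":
        return "shadowed"   # real hash lives in root-only /etc/shadow
    if field == "":
        return "empty"      # no password at all
    if field.startswith(("*", "!")):
        return "locked"     # no hash can match; password login disabled
    if _DES_RE.match(field):
        return "des-hash"   # legacy 13-char crypt(3): world-readable, 8-char max
    if _MCF_RE.match(field):
        return "mcf-hash"   # modern hash, but still world-readable here
    return "unknown"

def audit_passwd(text):
    """Return (user, label) for every record whose password field needs attention."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(("line %d" % lineno, "malformed"))
            continue
        label = classify_password_field(fields[1])
        if label not in ("shadowed", "locked"):
            findings.append((fields[0], label))
    return findings

# Constructed sample; the flag06 line is the one from the grep output above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh
guest::1001:1001::/home/guest:/bin/sh
legacy:$6$saltsalt$NOTAREALHASH:1002:1002::/home/legacy:/bin/sh
"""

if __name__ == "__main__":
    for who, label in audit_passwd(SAMPLE_PASSWD):
        print("%s: %s" % (who, label))
```

Run it against the real file with `python3 audit.py < /etc/passwd` after swapping SAMPLE_PASSWD for sys.stdin.read(); anything other than an empty report means a hash is readable by every local user.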
Turns out our assumption was correct. Let's feed the /etc/passwd file to John The Ripper (a famous serial killer password cracker). If you don't have john available, you can also install it in the VM directly (log in as nebula/nebula and run "sudo apt-get install john"). Now run john:
level06@nebula:~$ john /etc/passwd
Created directory: /home/level06/.john
Loaded 1 password hash (Traditional DES [128/128 BS SSE2])
hello            (flag06)
guesses: 1  time: 0:00:00:00 100% (2)  c/s: 9412  trying: 12345 - biteme
Use the "--show" option to display all of the cracked passwords reliably
Almost instantly, john pops out the password corresponding to flag06's hash ("hello")! We use our newly acquired knowledge to log in as flag06 and actually get the flag:
level06@nebula:~$ su flag06 -c getflag
Password:
You have successfully executed getflag on a target account
That was quick. Keep this up and you'll become a digital dragon slayer in no time :)

~ Dmitry
