| .. | ||
| flag | ||
| passwd | ||
| README.md | ||
Level 01
how to log in
username: level01
password: x24ti5gi3x0ol2eh4esiuxias
Goal
run getflag as user flag01
Actually doing something
Again, let's check around:
level01@SnowCrash:~$ ls -la
total 12
dr-x------ 1 level01 level01 100 Mar 5 2016 .
d--x--x--x 1 root users 340 Aug 30 2015 ..
-r-x------ 1 level01 level01 220 Apr 3 2012 .bash_logout
-r-x------ 1 level01 level01 3518 Aug 30 2015 .bashrc
-r-x------ 1 level01 level01 675 Apr 3 2012 .profile
Nothing to see again: the files present are the default dotfiles on Ubuntu 12.04.
Let's try to find anything owned by flag01:
level01@SnowCrash:~$ find / -user flag01 -print 2>/dev/null
level01@SnowCrash:~$
Right... nothing to see here
So after looking around, the file /etc/passwd looks juicy: it has a password hash for the user flag01.
level01@ShowCrash:~$ cat /etc/passwd
[...snip...]
level13:x:2013:2013::/home/user/level13:/bin/bash
level14:x:2014:2014::/home/user/level14:/bin/bash
flag00:x:3000:3000::/home/flag/flag00:/bin/bash
flag01:42hDRfypTqqnw:3001:3001::/home/flag/flag01:/bin/bash
flag02:x:3002:3002::/home/flag/flag02:/bin/bash
flag03:x:3003:3003::/home/flag/flag03:/bin/bash
flag04:x:3004:3004::/home/flag/flag04:/bin/bash
flag05:x:3005:3005::/home/flag/flag05:/bin/bash
[...snip...]
When looking at this, you might think that all the other users also have their password hash in here
(and that they share the same password because the hash is x),
but actually x means that the real hash is stored in the shadow file (/etc/shadow).
The shadow file is not readable, so we can't get those hashes. Only the user flag01 has his password hash
readable by other users.
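As an added example (not part of the original write-up), here is a small audit script a sysadmin could run over /etc/passwd to spot exactly this misconfiguration: an account whose second field holds a hash instead of the `x` shadow placeholder. The sample input is constructed from the entries shown above; the classification names and helper functions are my own.

```python
import re

# Constructed sample based on the listing above: flag01 carries a hash directly in
# /etc/passwd, everyone else has the 'x' placeholder pointing at /etc/shadow.
SAMPLE_PASSWD = """\
level13:x:2013:2013::/home/user/level13:/bin/bash
flag00:x:3000:3000::/home/flag/flag00:/bin/bash
flag01:42hDRfypTqqnw:3001:3001::/home/flag/flag01:/bin/bash
flag02:x:3002:3002::/home/flag/flag02:/bin/bash
"""

# Traditional DES crypt(3) ("descrypt"): 2 salt chars + 11 hash chars, 13 total,
# all drawn from this 64-character alphabet. No '$' prefix, unlike modern schemes.
DESCRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular-crypt-format prefixes, so an exposed hash is reported with its algorithm.
MCF_PREFIXES = {"$1$": "md5crypt", "$2b$": "bcrypt", "$5$": "sha256crypt",
                "$6$": "sha512crypt", "$y$": "yescrypt"}

def classify_password_field(field: str) -> str:
    """Describe what the second colon-separated field of a passwd entry means."""
    if field == "x":
        return "shadowed"          # real hash lives in /etc/shadow (expected case)
    if field == "":
        return "empty"             # no password at all
    if field.startswith(("*", "!")):
        return "locked"            # account cannot log in with a password
    for prefix, name in MCF_PREFIXES.items():
        if field.startswith(prefix):
            return f"exposed:{name}"
    if DESCRYPT_RE.match(field):
        return "exposed:descrypt"  # the case seen with flag01 above
    return "exposed:unknown"

def audit_passwd(text: str) -> list[tuple[str, str]]:
    """Return (username, finding) for every entry that is not properly shadowed."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            findings.append((parts[0], "malformed"))
            continue
        kind = classify_password_field(parts[1])
        if kind != "shadowed":
            findings.append((parts[0], kind))
    return findings

if __name__ == "__main__":
    for user, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"{user}: {finding}")
```

Run against a real system with `audit_passwd(open("/etc/passwd").read())`; any `exposed:*` finding means `pwconv` (or a manual move of the hash into /etc/shadow) is overdue.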
It seems that the first level was a hint to use John the Ripper, a program made to crack hashes. After installing it on my host computer (thanks nix), running it is very simple:
❯ echo "42hDRfypTqqnw" >hashfile
❯ john hashfile
Warning: detected hash type "descrypt", but the string is also recognized as "descrypt-opencl"
Use the "--format=descrypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (descrypt, traditional crypt(3) [DES 128/128 SSE2])
Will run 12 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/nix/store/yq1921vpkb03aj2hxrwbczb72p2kk5wm-john-rolling-2404/share/john/password.lst
Enabling duplicate candidate password suppressor
abcdefg (?)
1g 0:00:00:00 DONE 2/3 (2026-01-19 14:38) 3.704g/s 273066p/s 273066c/s 273066C/s 123456..gravitat
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
So it has found a string that gives the same hash. Just to be pedantic, this can be a different string from what the user typed when setting their password, but it produces the same hash, so it works.
Let's try it:
level01@SnowCrash:~$ su flag01 -c getflag
Password:
Check flag.Here is your token : f2av5il02puano7naaf6adaaf