On prior Unix systems, passwords were stored in /etc/passwd file, not in clear text, but a hash of it, using MD5 algorithm. At this time, it was possible to cat the file and see all the hashes for all users. With the evolution of processor’s power, the collision attacks against this algorithm became feasible. Long before that, password shadowing has already in business. So now, passwords are stored in /etc/shadow and, ideally, not every user can read it. Level06 takes back to the time when passwords were stored in /etc/passwd.
What you’ll need to know…
- Basic Unix commands
Level06
So, the instructions on level06 tell us that the credentials of the flag06 account came from a legacy unix system. So the first place to search for credentials that comes to me is /etc/passwd.
Well, there it is the hash. But what to do with this??? If we want to login into flag06 account (throught su flag06), we need a password, not a hash. This brings me to a very useful tool, that I only had the opportunity to practice due to this challenge, John The Ripper, which is basically a powerful password cracker.
John supports multiple formats, which you can see using the command john –list=formats. To crack a password, just write it to a file and append the username at the beginning, followed by a colon. Then, feed the file to JTR.
You can find this tool in the Kali Linux, and test it until you become comfortable with it.
For this challenge, we’re going to feed this tool with a file that contains the hash of the password and let John decipher it.
As you can see (if you actually tested it) it’s very quick, but then again, is also a very dummy password. Now, we can try to login into flag06 account.
Challenges completed: 7/20
Mitigation
Nowadays, the problem is mitigated through /etc/shadow.