refactor(maiboyer): adding the maibaoyer directory

Raphael 2026-01-28 03:51:08 +01:00
parent db7f1343c5
commit ab55d4de10
No known key found for this signature in database
48 changed files with 0 additions and 0 deletions

@ -0,0 +1,87 @@
# Level 01
## how to login
username: level01
password: x24ti5gi3x0ol2eh4esiuxias
## Goal
run `getflag` as user `flag01`
## Actually doing something
Again lets check around
```bash
level01@SnowCrash:~$ ls -la
total 12
dr-x------ 1 level01 level01 100 Mar 5 2016 .
d--x--x--x 1 root users 340 Aug 30 2015 ..
-r-x------ 1 level01 level01 220 Apr 3 2012 .bash_logout
-r-x------ 1 level01 level01 3518 Aug 30 2015 .bashrc
-r-x------ 1 level01 level01 675 Apr 3 2012 .profile
```
nothing to see again, the file present are the default files on Ubuntu 12.04
lets try to find anything to do
```bash
level01@SnowCrash:~$ find / -user flag01 -print 2>/dev/null
level01@SnowCrash:~$
```
Right... nothing to see here
So after looking around, the file `/etc/passwd` looks juicy: it has an password hash for the user flag02
```bash
level01@ShowCrash:~$ cat /etc/passwd
[...snip...]
level13:x:2013:2013::/home/user/level13:/bin/bash
level14:x:2014:2014::/home/user/level14:/bin/bash
flag00:x:3000:3000::/home/flag/flag00:/bin/bash
flag01:42hDRfypTqqnw:3001:3001::/home/flag/flag01:/bin/bash
flag02:x:3002:3002::/home/flag/flag02:/bin/bash
flag03:x:3003:3003::/home/flag/flag03:/bin/bash
flag04:x:3004:3004::/home/flag/flag04:/bin/bash
flag05:x:3005:3005::/home/flag/flag05:/bin/bash
[...snip...]
```
When looking at this, you might think that all the other users also have their password hash in here
(and that they share the same password because the hash is `x`)
but actually `x` means that the actual hash is located in the shadow file (`/etc/shadow`)
The shadow file is not readable, so we can't get those hashes. Only the user `flag01` has his password hash
readable by other users
it seems that the first level was an hint to use john the ripper, a program made to crack hashes
after installing it on my host computer (thanks nix), running it is very simple
```bash
echo "42hDRfypTqqnw" >hashfile
john hashfile
Warning: detected hash type "descrypt", but the string is also recognized as "descrypt-opencl"
Use the "--format=descrypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (descrypt, traditional crypt(3) [DES 128/128 SSE2])
Will run 12 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/nix/store/yq1921vpkb03aj2hxrwbczb72p2kk5wm-john-rolling-2404/share/john/password.lst
Enabling duplicate candidate password suppressor
abcdefg (?)
1g 0:00:00:00 DONE 2/3 (2026-01-19 14:38) 3.704g/s 273066p/s 273066c/s 273066C/s 123456..gravitat
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
so it has found an string that give the same hash. Just to be pedantic,
this can be a different string from what the user typed when setting their password, but it provide the same hash so it works
lets try it
```bash
level01@SnowCrash:~$ su flag01 -c getflag
Password:
Check flag.Here is your token : f2av5il02puano7naaf6adaaf
```