# Level 01

## how to login

username: level01
password: x24ti5gi3x0ol2eh4esiuxias

## Goal

run `getflag` as user `flag01`

## Actually doing something

Again, let's check around:

```bash
level01@SnowCrash:~$ ls -la
total 12
dr-x------ 1 level01 level01  100 Mar  5  2016 .
d--x--x--x 1 root    users    340 Aug 30  2015 ..
-r-x------ 1 level01 level01  220 Apr  3  2012 .bash_logout
-r-x------ 1 level01 level01 3518 Aug 30  2015 .bashrc
-r-x------ 1 level01 level01  675 Apr  3  2012 .profile
```

Nothing to see again: the files present are the default files on Ubuntu 12.04. Let's try to find anything to do:

```bash
level01@SnowCrash:~$ find / -user flag01 -print 2>/dev/null
level01@SnowCrash:~$
```

Right... nothing to see here.

So after looking around, the file `/etc/passwd` looks juicy: it has a password hash for the user flag01:

```bash
level01@ShowCrash:~$ cat /etc/passwd
[...snip...]
level13:x:2013:2013::/home/user/level13:/bin/bash
level14:x:2014:2014::/home/user/level14:/bin/bash
flag00:x:3000:3000::/home/flag/flag00:/bin/bash
flag01:42hDRfypTqqnw:3001:3001::/home/flag/flag01:/bin/bash
flag02:x:3002:3002::/home/flag/flag02:/bin/bash
flag03:x:3003:3003::/home/flag/flag03:/bin/bash
flag04:x:3004:3004::/home/flag/flag04:/bin/bash
flag05:x:3005:3005::/home/flag/flag05:/bin/bash
[...snip...]
```

Looking at this, you might think that all the other users also have their password hash in here (and that they all share the same password, because the second field is `x`). In fact `x` in the password field means that the real hash is stored in the shadow file (`/etc/shadow`), which is not readable by unprivileged users, so we can't get those hashes.
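As an added example (not part of the original writeup), a small audit script that parses `/etc/passwd` lines and reports accounts whose password field holds an actual hash instead of `x` or a lock marker, classifying the hash format the way John did above. The sample lines are constructed, with the `flag01` entry copied from the listing above; the function names are my own.

```python
import re

# Constructed sample /etc/passwd content; the flag01 line is the one from the listing above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
level01:x:2001:2001::/home/user/level01:/bin/bash
flag01:42hDRfypTqqnw:3001:3001::/home/flag/flag01:/bin/bash
flag02:x:3002:3002::/home/flag/flag02:/bin/bash
backup:*:34:34:backup:/var/backups:/usr/sbin/nologin
svc:!:500:500::/nonexistent:/bin/false
"""

# Traditional DES crypt(3): 2-char salt + 11-char hash, 13 chars from [./0-9A-Za-z].
_DESCRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_password_field(field):
    """Say what the second passwd field means: 'shadow', 'locked', 'empty', or a hash type."""
    if field == "x":
        return "shadow"       # real hash lives in /etc/shadow (root-only readable)
    if field == "*" or field.startswith("!"):
        return "locked"       # no password login possible for this account
    if field == "":
        return "empty"        # passwordless account: worth reporting too
    if field.startswith("$1$"):
        return "md5crypt"
    if field.startswith("$5$"):
        return "sha256crypt"
    if field.startswith("$6$"):
        return "sha512crypt"
    if _DESCRYPT.match(field):
        return "descrypt"     # what John reported for flag01's hash
    return "unknown"


def find_exposed_hashes(passwd_text):
    """Return [(user, kind)] for accounts whose secret is readable in passwd itself."""
    exposed = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue          # malformed entry: skip rather than misreport
        user, kind = fields[0], classify_password_field(fields[1])
        if kind not in ("shadow", "locked"):
            exposed.append((user, kind))
    return exposed
```

Run against a real system, anything this returns is a hash that every local user can feed to a cracker; the fix is `pwconv`, which moves such hashes into `/etc/shadow`.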
Only the user `flag01` has his password hash readable by other users. It seems that the first level was a hint to use John the Ripper, a program made to crack hashes. After installing it on my host computer (thanks nix), running it is very simple:

```bash
❯ echo "42hDRfypTqqnw" >hashfile
❯ john hashfile
Warning: detected hash type "descrypt", but the string is also recognized as "descrypt-opencl"
Use the "--format=descrypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (descrypt, traditional crypt(3) [DES 128/128 SSE2])
Will run 12 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/nix/store/yq1921vpkb03aj2hxrwbczb72p2kk5wm-john-rolling-2404/share/john/password.lst
Enabling duplicate candidate password suppressor
abcdefg          (?)
1g 0:00:00:00 DONE 2/3 (2026-01-19 14:38) 3.704g/s 273066p/s 273066c/s 273066C/s 123456..gravitat
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```

So it has found a string that gives the same hash. Just to be pedantic, this can be a different string from what the user typed when setting their password, but it produces the same hash, so it works. Let's try it:

```bash
level01@SnowCrash:~$ su flag01 -c getflag
Password:
Check flag.Here is your token : f2av5il02puano7naaf6adaaf
```