# Level 01
## How to login
username: level01
password: x24ti5gi3x0ol2eh4esiuxias
## Goal
Run `getflag` as user `flag01`.
## Actually doing something
Again, let's check around:
```bash
level01@SnowCrash:~$ ls -la
total 12
dr-x------ 1 level01 level01 100 Mar 5 2016 .
d--x--x--x 1 root users 340 Aug 30 2015 ..
-r-x------ 1 level01 level01 220 Apr 3 2012 .bash_logout
-r-x------ 1 level01 level01 3518 Aug 30 2015 .bashrc
-r-x------ 1 level01 level01 675 Apr 3 2012 .profile
```
Nothing to see again: the files present are the default files on Ubuntu 12.04.
Let's try to find anything to do:
```bash
level01@SnowCrash:~$ find / -user flag01 -print 2>/dev/null
level01@SnowCrash:~$
```
Right... nothing to see here
So after looking around, the file `/etc/passwd` looks juicy: it has a password hash for the user `flag01`.
```bash
level01@SnowCrash:~$ cat /etc/passwd
[...snip...]
level13:x:2013:2013::/home/user/level13:/bin/bash
level14:x:2014:2014::/home/user/level14:/bin/bash
flag00:x:3000:3000::/home/flag/flag00:/bin/bash
flag01:42hDRfypTqqnw:3001:3001::/home/flag/flag01:/bin/bash
flag02:x:3002:3002::/home/flag/flag02:/bin/bash
flag03:x:3003:3003::/home/flag/flag03:/bin/bash
flag04:x:3004:3004::/home/flag/flag04:/bin/bash
flag05:x:3005:3005::/home/flag/flag05:/bin/bash
[...snip...]
```
When looking at this, you might think that all the other users also have their password hash in here
(and that they all share the same password because the hash is `x`),
but `x` actually means that the real hash is stored in the shadow file (`/etc/shadow`).
The shadow file is not readable, so we can't get those hashes. Only the user `flag01` has his password hash
readable by other users.
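The same check an auditor would run on a box: walk `/etc/passwd` and flag any account whose second field holds a real hash instead of the `x` shadow marker. This is an added example, not part of the original writeup; the sample file is constructed here from entries in the same format as the ones above.

```python
import re

# Constructed sample in /etc/passwd format, modelled on the entries shown
# in the writeup (not a copy of the real SnowCrash file).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
level14:x:2014:2014::/home/user/level14:/bin/bash
flag00:x:3000:3000::/home/flag/flag00:/bin/bash
flag01:42hDRfypTqqnw:3001:3001::/home/flag/flag01:/bin/bash
flag02:x:3002:3002::/home/flag/flag02:/bin/bash
svc:$6$saltsalt$abc:4000:4000::/var/lib/svc:/usr/sbin/nologin
locked:!:4001:4001::/home/locked:/bin/false
"""

# Traditional DES crypt(3) output: 2-char salt + 11 chars, all from the
# crypt alphabet [./0-9A-Za-z], 13 characters in total.
DESCRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify(field):
    """Describe what the second /etc/passwd field holds."""
    if field == "x":
        return "shadowed"        # real hash lives in /etc/shadow
    if field == "":
        return "empty"           # no password at all
    if field.startswith(("!", "*")):
        return "locked"          # account cannot log in with a password
    if field.startswith("$"):
        return "modular-crypt"   # $1$ md5, $5$/$6$ sha, $y$ yescrypt, ...
    if DESCRYPT_RE.match(field):
        return "descrypt"        # legacy DES hash, like flag01's
    return "unknown"


def audit_passwd(text):
    """Return (user, kind) for every entry whose hash is exposed in passwd."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue             # malformed line, skip it
        kind = classify(fields[1])
        if kind in ("descrypt", "modular-crypt", "empty"):
            findings.append((fields[0], kind))
    return findings


if __name__ == "__main__":
    for user, kind in audit_passwd(SAMPLE_PASSWD):
        print(f"{user}: password field exposed ({kind})")
```

Run against a real system with `audit_passwd(open("/etc/passwd").read())`; a clean box returns an empty list.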
It seems that the first level was a hint to use John the Ripper, a program made to crack hashes.
After installing it on my host computer (thanks nix), running it is very simple:
```bash
echo "42hDRfypTqqnw" >hashfile
john hashfile
Warning: detected hash type "descrypt", but the string is also recognized as "descrypt-opencl"
Use the "--format=descrypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (descrypt, traditional crypt(3) [DES 128/128 SSE2])
Will run 12 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/nix/store/yq1921vpkb03aj2hxrwbczb72p2kk5wm-john-rolling-2404/share/john/password.lst
Enabling duplicate candidate password suppressor
abcdefg (?)
1g 0:00:00:00 DONE 2/3 (2026-01-19 14:38) 3.704g/s 273066p/s 273066c/s 273066C/s 123456..gravitat
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
So it has found a string that gives the same hash. Just to be pedantic,
this can be a different string from what the user typed when setting their password (traditional DES crypt only uses the first 8 characters, so any longer string with the same first 8 characters hashes identically), but it produces the same hash, so it works.
Let's try it:
```bash
level01@SnowCrash:~$ su flag01 -c getflag
Password:
Check flag.Here is your token : f2av5il02puano7naaf6adaaf
```