https://exploit-exercises.com/nebula/level06/
Call getflag with the flag06 account.
The flag06 account was created on a legacy Unix system.
On old Unix systems, the OS stored a hash of the password in /etc/passwd. Now, the OS only stores an 'x' in that file, and shadows the password hashes into another file.
In this case, displaying the contents of /etc/passwd gives:
flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh
We can use a password cracker to get a password with that hash.
This particular password cracker tells us that the password for the flag06 account is hello.
Now we can log into the flag06 account and execute getflag.
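An added example, not part of the original write-up: a small Python audit that reads passwd-format text and reports every account whose second field holds something other than the 'x' placeholder or a lock marker, which is the condition the flag06 entry shows. Only the flag06 line comes from this page; the other sample entries and the function names are constructed for illustration.

```python
import re

# Constructed sample in /etc/passwd format. Only the flag06 line comes from
# the page; every other entry is made up for illustration.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh
svc_backup:$6$c0nstructed$abcdefghijklmnopqrstuv:1001:1001::/home/svc_backup:/bin/sh
guest::1002:1002::/home/guest:/bin/sh
"""

# Traditional DES crypt(3): 2 salt characters + 11 hash characters.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt format: $<id>$..., e.g. $1$ (MD5), $6$ (SHA-512).
MODULAR_CRYPT = re.compile(r"^\$([0-9a-z]+)\$")

def classify(field):
    """Return what the second field of a passwd entry contains."""
    if field == "x":
        return "shadowed"          # hash lives in the shadow file
    if field == "":
        return "empty"             # no password required at all
    body = field.lstrip("!")       # a leading '!' marks a locked account
    if body in ("", "*"):
        return "locked"
    if DES_CRYPT.match(body):
        return "des-crypt"
    m = MODULAR_CRYPT.match(body)
    return "modular-crypt:" + m.group(1) if m else "unknown"

def audit(passwd_text):
    """List (user, finding) for every entry that is not shadowed or locked."""
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:        # passwd entries have exactly 7 fields
            findings.append((parts[0], "malformed"))
            continue
        kind = classify(parts[1])
        if kind not in ("shadowed", "locked"):
            findings.append((parts[0], kind))
    return findings

if __name__ == "__main__":
    for user, kind in audit(SAMPLE_PASSWD):
        print(f"{user}: {kind}")
```

Any account this reports has its hash, or its lack of a password, readable by every local user, because /etc/passwd is world-readable.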