Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
28 lines (16 sloc) 749 Bytes

Nebula level06

https://exploit-exercises.com/nebula/level06/

Goal

Call getflag with the flag06 account.

Situation

The flag06 account was created on a legacy Unix system.

Exploit

On old Unix systems, the OS stored a hash of the password in /etc/passwd. Now, the OS only stores an 'x' in that file, and shadows the password hashes into another file.

In this case, displaying the contents of /etc/passwd gives:

flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh

We can use a password cracker to get a password with that hash. This particular password cracker tells us that the password for the flag06 account is hello. Now we can log into the flag06 account and execute getflag.