Nov 22, 2013

Mission:
Recover the password of user hertz

Given:
passwd file and corresponding shadow file

Background info:
The user's password is stored in the shadow file as a hash value. Hash values are produced by hash functions, which are one-way functions, so the password cannot be recovered from the hash by reversing it. An attack instead has to guess candidate passwords, hash each one and compare the result with the stored hash.

Mode of Attack:
Brute Force, using the tool John the Ripper
After installing the rpm package from the above link, run the commands below in the terminal to:
  • Combine the user information in passwdfile and shadowfile and write it to testfile
  • Launch a dictionary-based brute force attack on testfile
  • Display the recovered passwords using --show
  And you will get your initial key as "iloveu1"

unshadow passwdfile shadowfile > testfile
john testfile
john --show testfile
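To show what the unshadow step actually produces and what the shadow hash field encodes, here is an added example (not part of the original post and not John the Ripper's code). It merges constructed passwd and shadow lines the way unshadow does, then classifies each account's password field: locked, empty, or hashed with a named crypt(3) algorithm. The entries, usernames and hash values are constructed placeholders; the `$id$salt$hash` layout and the algorithm ids are the real crypt(3) conventions.

```python
import re

# Constructed sample entries (not the files from the post): one /etc/passwd
# line and one /etc/shadow line per account. The hash strings are placeholders
# shaped like real entries, not real digests.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
hertz:x:1001:1001:Heinrich Hertz:/home/hertz:/bin/bash
svc:x:1002:1002:service:/var/lib/svc:/usr/sbin/nologin
guest:x:1003:1003::/home/guest:/bin/sh
"""

SHADOW_SAMPLE = """\
root:$6$c0nstructed$placeholdersha512hash:19683:0:99999:7:::
hertz:$1$c0nstructed$placeholdermd5hash:19683:0:99999:7:::
svc:!:19683:0:99999:7:::
guest::19683:0:99999:7:::
"""

# Algorithm ids used in the $id$salt$hash form of crypt(3) hashes, and whether
# the scheme is fast enough that a dictionary attack finishes quickly.
CRYPT_IDS = {
    "1": ("md5crypt", True),
    "2a": ("bcrypt", False),
    "2b": ("bcrypt", False),
    "2y": ("bcrypt", False),
    "5": ("sha256crypt", False),
    "6": ("sha512crypt", False),
    "7": ("scrypt", False),
    "y": ("yescrypt", False),
}


def parse_shadow_field(field):
    """Classify one shadow password field as empty, locked or hashed."""
    if field == "":
        return {"status": "empty", "algorithm": None, "weak": True}
    if field.startswith(("!", "*")):
        return {"status": "locked", "algorithm": None, "weak": False}
    if not field.startswith("$"):
        # 13-character traditional DES crypt: 2-char salt, 56-bit key space.
        return {"status": "hashed", "algorithm": "descrypt", "weak": True}
    ident = field.split("$")[1]
    name, weak = CRYPT_IDS.get(ident, ("unknown$" + ident, False))
    return {"status": "hashed", "algorithm": name, "weak": weak}


def unshadow(passwd_text, shadow_text):
    """Merge passwd and shadow lines the way unshadow(8) does: the 'x'
    placeholder in field 2 of passwd is replaced by the shadow hash field."""
    hashes = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            hashes[fields[0]] = fields[1]
    merged = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if fields[0] in hashes:
            fields[1] = hashes[fields[0]]
        merged.append(":".join(fields))
    return merged


def audit(merged_lines):
    """Return {user: classification} so an admin can see which accounts are
    locked, passwordless, or protected only by a fast legacy hash."""
    return {line.split(":")[0]: parse_shadow_field(line.split(":")[1])
            for line in merged_lines}


if __name__ == "__main__":
    merged = unshadow(PASSWD_SAMPLE, SHADOW_SAMPLE)
    for line in merged:
        print(line)
    for user, info in audit(merged).items():
        flag = "WEAK" if info["weak"] else ""
        print(f"{user:8} {info['status']:7} {info['algorithm'] or '-':12} {flag}")
```

The audit is the defender's view of the same data john consumes: an account whose hash is md5crypt or DES, or whose field is empty, is the one a dictionary run will turn up first, so those are the entries to rehash or lock.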

Mission:
An executable 'nullex80' was given and we have to find out the flag. Tried to run it and it asked for a username and password.

First: applied the 'file' command, which gave the output below

file nullex80 
nullex80: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=0x7f73d19c16ca48817097c99cb8e0d2fb3ad50760, not stripped

So from the output we know it's not stripped, so the variable and function names are still readable, which means we can apply the 'strings' command to the file to list all the readable strings in it.

Second: apply strings on 'nullex80'

strings nullex80 
/lib64/ld-linux-x86-64.so.2
libc.so.6
puts
putchar
printf
strlen
strcmp
__libc_start_main
__gmon_start__
GLIBC_2.2.5
UH-h
UH-h
[]A\A]A^A_
username password
%s %s
r00t
OshZ2sexLLLxXXnnn001
Kit Williams quotes
You see, my ambition was not to confound the engineering world but simply to create a beautiful piece of art.
Wrong username/password!
;*3$"

Looking at the readable strings in the output, 'r00t' and 'OshZ2sexLLLxXXnnn001' look like good candidates for the username/password pair.

Third: Run the executable with 'r00t' as the username and 'OshZ2sexLLLxXXnnn001' as the password

./nullex80 r00t OshZ2sexLLLxXXnnn001
You see, my ambition was not to confound the engineering world but simply to create a beautiful piece of art.
Kit Williams quotes
flag{2afcad7815395d567001e09100c4e2fe}

voilà, got the flag!!
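The three steps above (identify the file type, list its readable strings, spot the credential pair) can be reproduced without the external tools, which makes the mechanics clearer. The following is an added example, not the nullex80 binary or the file/strings source: it builds a constructed buffer with a valid ELF64 header followed by a few NUL-terminated strings, decodes the header fields that `file` prints, re-implements the core of `strings` (runs of at least four printable bytes), and flags strings that sit right after a username/password prompt, the pattern that exposed the hardcoded pair here. `build_sample_binary`, `describe_elf`, `extract_strings` and `credential_neighbours` are names chosen for this example.

```python
import struct

ELF_CLASS = {1: "32-bit", 2: "64-bit"}
ELF_DATA = {1: "LSB", 2: "MSB"}
ELF_TYPE = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}
ELF_MACHINE = {0x03: "i386", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}


def build_sample_binary():
    """Constructed sample: a minimal 64-byte ELF64 header followed by a few
    NUL-terminated strings and binary filler. It is not the binary from the
    post and would not execute; it only exercises the checks below."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # 64-bit, LSB, v1, SYSV
    header = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2,         # e_type: ET_EXEC
        0x3E,      # e_machine: x86-64
        1,         # e_version
        0x400400,  # e_entry
        64,        # e_phoff
        0,         # e_shoff (no section headers in this sample)
        0,         # e_flags
        64,        # e_ehsize
        56, 0,     # e_phentsize, e_phnum
        64, 0, 0,  # e_shentsize, e_shnum, e_shstrndx
    )
    body = (b"\x01\x02" + b"username password\x00" + b"%s %s\x00" + b"r00t\x00"
            + b"\xff\xfe" + b"ab\x00" + b"Wrong username/password!\x00" + b"\x90" * 5)
    return header + body


def describe_elf(data):
    """Decode the header fields that `file` prints for an ELF; None if not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    e_class, e_data = data[4], data[5]
    fmt = "<HH" if e_data == 1 else ">HH"
    e_type, e_machine = struct.unpack_from(fmt, data, 16)
    return {
        "class": ELF_CLASS.get(e_class, "unknown"),
        "endian": ELF_DATA.get(e_data, "unknown"),
        "type": ELF_TYPE.get(e_type, f"unknown({e_type})"),
        "machine": ELF_MACHINE.get(e_machine, f"unknown({e_machine:#x})"),
    }


def extract_strings(data, min_len=4):
    """Core of strings(1): runs of at least min_len printable ASCII bytes
    (0x20-0x7e or tab), ended by any other byte."""
    out, run = [], bytearray()
    for b in data:
        if 0x20 <= b <= 0x7E or b == 0x09:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


def credential_neighbours(strs, window=3):
    """Strings that follow a prompt mentioning 'user' or 'password' within
    `window` entries and are not themselves prompts or format strings: a
    cheap build-time check for credentials compiled into a binary."""
    is_prompt = lambda s: "user" in s.lower() or "password" in s.lower()
    found = []
    for i, s in enumerate(strs):
        if not is_prompt(s):
            continue
        for cand in strs[i + 1:i + 1 + window]:
            if "%" in cand or is_prompt(cand) or cand in found:
                continue
            found.append(cand)
    return found


if __name__ == "__main__":
    data = build_sample_binary()
    print(describe_elf(data))
    strs = extract_strings(data)
    print("\n".join(strs))
    print("credential-looking:", credential_neighbours(strs))
```

Because `strings` only needs printable runs, it finds literals in .rodata whether or not the symbol table was stripped; stripping removes names, not data, so a secret embedded as a string literal is always this easy to list.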