picoCTF “HEEEEEEERE’S Johnny!”

I’ve kinda been all over the place with CTF stuff lately, there is just so much to learn and at any given time I could go in 5 different directions. There have been a few that I’ve started on and they end up being to difficult for me right now, so I’ve made a draft version of that solution with what I’ve learned along the way. One of them is how shellcode works which has been eye opening – I knew it from a high level, but getting into the weeds is awesome. So for that one, I’ve documented what I’ve read, watched and learned in addition to the level, but I’m not ready to solve it so I’ve moved on for a little while and the concepts have solidified.

The levels on picoctf aren’t really numbered or anything, so this one is by the tag line. The problem reads like this:

Okay, so we found some important looking files on a linux computer. Maybe they can be used to get a password to the process. Connect with nc 2018shell.picoctf.com 35225. Files can be found here: passwd shadow.

When you run nc to that port, you get a login similar to ssh.

Here’s the contents of the passwd file:

root:x:0:0:root:/root:/bin/bash

And here’s the shadow file:

root:$6$HRMJoyGA$26FIgg6CU0bGUOfqFB0Qo9AE2LRZxG8N3H.3BK8t49wGlYbkFbxVFtGOZqVIq3qQ6k0oetDbn2aVzdhuVQ6US.:17770:0:99999:7:::

I can’t remember when, but if I recall correctly, at one point passwords were hashed in /etc/passwd and were in the second column (where the ‘x’) is now. With the ‘x’ there, it points to the /etc/shadow file. There is a breakdown of the /etc/passwd file structure here.

So we have a username and an encrypted password. Wut do? I guess we can run it through a cracking program. The hint said something about ‘rockyou’ and that was a dead give away. See here.

I’ve messed around with cracking before, but not a lot and the first thing I thought of was hashcat. That didn’t seem to work well. I might have got it to work, but then I remembered “John the Ripper” and looked for that.

Using john was pretty easy.

hellokitty is the password for user root

With this information we can nc to where we connected previously, enter the information and get the flag.

Bingo

Leave a Reply