picoCTF 2018 Write-up : Heeeeere's Johnny
Question: Heeeeeere's Johnny
Information given:
Okay, so we found some important looking files on a Linux computer. Maybe they can be used to get password to the process. Connect with nc 2018shell2.picoctf.com 42165. Files can be found here: passwd[1] shadow[2]
passwd file content:
root:x:0:0:root:/root:/bin/bash
shadow file content:
root:$6$q7xpw/2.$la4KiUz87ohdszbOVoIopy2VTwm/5jEXvWSdWynh0CnP5T.MnJfVNCzp3IfJMHUNuBhr1ewcYd8PyeKHqHQoe.:17770:0:99999:7:::
Hint
- If at first, you don't succeed, try, try again. And again. And again
- If you're not careful these kinds of problems can really "rockyou"
Approach and Information required to solve this problem
The hints point at brute force: the second one names rockyou, the password list leaked in the 2009 RockYou breach that has since become the standard wordlist for password cracking. Kali Linux ships it as /usr/share/wordlists/rockyou.txt.gz, and copies are easy to find online.
We are given a passwd file and a shadow file. If you use Linux you will already know what the shadow file is; if not, here is a short summary.
Shadow file
On Linux, /etc/shadow holds each user's password hash together with password-aging data. The hash is kept out of the world-readable /etc/passwd, whose password field only contains the placeholder x (as in the passwd file above), and /etc/shadow itself is readable only by root, which is what normally keeps the hashes away from anyone trying to break in. Here we have simply been handed a copy, so that protection is gone and we can attack the hash offline.
Now that we know what the shadow file is, we need to understand its structure. Here is a simple shadow line as an example:
root:$6$q7xpw/2.$la4Kuaksdjfhklagljasdf.123/1.:17770:0:9999999:7:::
The fields are separated by colons:
- root is the username
- $6$ is the id of the hash algorithm, i.e. the crypt(3) scheme used to hash the password:
  - $1$ is MD5-crypt
  - $2a$ and $2y$ are bcrypt (Blowfish-based)
  - $5$ is SHA-256-crypt
  - $6$ is SHA-512-crypt
- q7xpw/2. (between the second and third $) is the salt
- la4Kuaksdjfhklagljasdf.123/1. (after the third $) is the hash itself
- the remaining fields (17770:0:9999999:7:::) are password-aging values: the day of the last change counted from 1970-01-01, minimum and maximum age, warning period and so on. They are not needed to solve this problem; search for "shadow file format" if you want the details.
Information processed for this problem
Username = root
Algorithm = SHA-512-crypt ($6$)
Salt = q7xpw/2.
Leaked Password List/Dictionary: rockyou.txt
Let's start programming:
Info:
- take each candidate password from the rockyou dictionary
- hash it with the same algorithm and salt as the shadow entry (Python's crypt.crypt() does this when given the "$6$salt" prefix as its salt argument)
- compare the result with the stored hash; a match means we have found the password
Program:
# root:$6$LcvKHioa$67O1HA8Ti.KHeNbD4rE79ZMl1RbiCw4V7eM.r6AURp2wGnapUpXC.VdVB4WGoS2J5eVKP/1MFeMmXIdveJeOS0:17695:0:99999:7:::
import crypt  # deprecated since Python 3.11 and removed in 3.13; run this under 3.12 or earlier

def get_pwd_list():
    # rockyou.txt contains bytes that are not valid UTF-8, so decode it as latin-1
    with open("rockyou.txt", "r", encoding="latin-1") as f:
        content = f.readlines()
    content = [x.strip() for x in content]
    return content

if __name__ == "__main__":
    # the shadow line this script was run against; its salt differs from the copy shown
    # earlier on this page, so paste in the line from your own download
    line = 'root:$6$LcvKHioa$67O1HA8Ti.KHeNbD4rE79ZMl1RbiCw4V7eM.r6AURp2wGnapUpXC.VdVB4WGoS2J5eVKP/1MFeMmXIdveJeOS0:17695:0:99999:7:::'
    encript = line.split(':')[1]      # second field: "$6$<salt>$<hash>"
    print(encript)
    i = encript.rfind('$')
    salt = encript[:i]                # "$6$LcvKHioa": algorithm id plus salt, which is what crypt() needs
    print(salt)
    passwordDict = get_pwd_list()
    for password in passwordDict:
        dec = crypt.crypt(password, salt)   # hash the candidate with the same algorithm and salt
        if dec == encript:                  # equal to the stored hash: this is the password
            print(password)
            break
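The script above hardcodes one hash and assumes Python 2. As an added example (not part of the original write-up), here is a generalised version that covers both the field breakdown from the shadow-file section and the hash-and-compare loop: it parses a shadow line into username, algorithm id, optional rounds, salt, hash and last-change date, refuses entries that carry no crackable hash, and then runs the dictionary attack with the entry's own setting string. Assumptions: SAMPLE_SHADOW_LINE is the challenge line from above, SAMPLE_WORDLIST is a constructed stand-in for rockyou.txt, and crypt.crypt (glibc, Python 3.12 or earlier) is the default hasher; any callable taking (word, setting) and returning the full hash can be passed instead.

```python
"""Shadow-line parser plus dictionary attack (added example, not the write-up's own script).

Assumed/constructed: SAMPLE_SHADOW_LINE is the challenge line from above, SAMPLE_WORDLIST
stands in for rockyou.txt, and crypt.crypt (glibc, Python <= 3.12) is the default hasher.
"""
import os
import sys
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Iterable, Optional

try:
    import crypt  # deprecated in Python 3.11, removed in 3.13
except ImportError:
    crypt = None

# crypt(3) algorithm ids, taken from the id part of "$id$salt$hash"
ALGORITHMS = {"1": "MD5-crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
              "5": "SHA-256-crypt", "6": "SHA-512-crypt", "y": "yescrypt"}

SAMPLE_SHADOW_LINE = ("root:$6$q7xpw/2.$la4KiUz87ohdszbOVoIopy2VTwm/5jEXvWSdWynh0CnP5T."
                      "MnJfVNCzp3IfJMHUNuBhr1ewcYd8PyeKHqHQoe.:17770:0:99999:7:::")
SAMPLE_WORDLIST = ["123456", "password", "iloveyou", "princess", "rockyou"]  # constructed


@dataclass
class ShadowEntry:
    user: str
    algorithm_id: str
    rounds: Optional[int]        # only present as "rounds=N" in SHA-crypt settings
    salt: str
    hash_value: str
    last_change: Optional[date]  # third field: days since 1970-01-01

    @property
    def setting(self) -> str:
        """'$id$[rounds=N$]salt': the salt argument crypt(3) needs to reproduce the hash."""
        rounds = f"rounds={self.rounds}$" if self.rounds else ""
        return f"${self.algorithm_id}${rounds}{self.salt}"

    @property
    def full_hash(self) -> str:
        return f"{self.setting}${self.hash_value}"

    @property
    def algorithm(self) -> str:
        return ALGORITHMS.get(self.algorithm_id, "unknown")


def parse_shadow_line(line: str) -> Optional[ShadowEntry]:
    """Split one /etc/shadow line; return None when there is no crackable hash."""
    fields = line.rstrip("\r\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    user, pw, last = fields[0], fields[1], fields[2]
    if not pw.startswith("$"):
        return None  # '', '!' or '*': no password or a locked account
    parts = pw.split("$")  # ['', id, ('rounds=N',)? salt, hash]
    if parts[1].startswith("2") or len(parts) < 4:
        return None  # bcrypt packs salt and hash with no '$' between them; not handled here
    middle, hash_value = parts[2:-1], parts[-1]
    rounds = None
    if middle and middle[0].startswith("rounds="):
        rounds, middle = int(middle[0][len("rounds="):]), middle[1:]
    if len(middle) != 1:
        return None
    last_change = date(1970, 1, 1) + timedelta(days=int(last)) if last else None
    return ShadowEntry(user, parts[1], rounds, middle[0], hash_value, last_change)


def dictionary_attack(entry: ShadowEntry, words: Iterable[str],
                      hash_fn: Optional[Callable[[str, str], str]] = None) -> Optional[str]:
    """Hash each candidate with the entry's own algorithm and salt; return the first match."""
    if hash_fn is None:
        if crypt is None:
            raise RuntimeError("crypt module unavailable; pass hash_fn(word, setting) -> full hash")
        hash_fn = crypt.crypt
    for word in words:
        if hash_fn(word, entry.setting) == entry.full_hash:
            return word
    return None


def load_wordlist(path: str) -> Iterable[str]:
    # rockyou.txt contains bytes that are not valid UTF-8; latin-1 decodes anything
    with open(path, "r", encoding="latin-1") as f:
        for line in f:
            yield line.rstrip("\r\n")


if __name__ == "__main__":
    entry = parse_shadow_line(SAMPLE_SHADOW_LINE)
    print(f"{entry.user}: {entry.algorithm}, salt={entry.salt}, changed {entry.last_change}")
    path = sys.argv[1] if len(sys.argv) > 1 else "rockyou.txt"
    words = load_wordlist(path) if os.path.exists(path) else SAMPLE_WORDLIST
    print("password:", dictionary_attack(entry, words))
```

Run it as `python3 crack.py /path/to/rockyou.txt`. Two practical caveats: SHA-512-crypt runs 5000 rounds per candidate by default, so walking all of rockyou from Python is slow, and a dedicated cracker (hashcat -m 1800, or john after unshadow) will finish far sooner; and because the stored hash embeds its own salt and algorithm id, the attack never needs to guess either, which is exactly why the only thing standing between a leaked shadow file and the password is the strength of the password itself.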
Thank you :D