How's it going, guys? My name is John Hammond. Welcome back to some more picoCTF 2018. This video is on the "Here's Johnny" challenge for 100 points. Well, it says, okay: so we found some important-looking files on a Linux computer. Maybe they can be used to get a password to the process. Connect with netcat shell to Pico CTF 4015... 40157, whatever. Again, your hostname and port number will be different than mine, so connect with your thing, and the files can be found here: password and shadow. So let's go ahead and copy these. I'll download them: make a directory for Here's Johnny, and let's wget these files, blah blah, password and shadow. Gotcha. All right, so let's check out what this password file is. Looks like it is just the root information here, the information for the root user. That's just fine. So if you haven't seen this before, this is what we can assume is just a segment or a piece out of the /etc/passwd file on a Linux computer. So if I were to check out cat /etc/passwd, then you have all the user account information for the things that are on a Linux computer. So my root user here has all that information, just like this. The other information that is stored for the login or user account information on a Linux computer is stored in /etc/shadow, and it's interesting because that's noted, or referred to you anyway, by this x here. Because you have the username in the first column (I'll call them columns, separated by colons here) and the password follows in the next column. But obviously the password for this user, or the root user, isn't just x. So the x means that the password is shadowed and visible in /etc/shadow. So interestingly enough, /etc/passwd is world-readable. That means that /etc/passwd, if I check out the permissions on it, everyone is able to read it: root only has read and write, everyone in the group has read, and everyone in the world, or all user accounts, anyone, has read access to it. But
/etc/shadow is not that way; only root and the shadow group can read it. Everyone else does not have permission to read it. So I would need to be root to be able to take a look at that. I think I can safely head this; I'm gonna pause the video to make sure. Yeah, this is fine to show, because on my Ubuntu system the root user does not have a password and these other accounts are not things that can be logged into. So in my case the exclamation point means that root does not have a password, in this case. But if we were to check out the shadow file provided to us, which we were able to read, you can see that they supply here, seemingly, a hash or some encrypted data that represents the password. So we can crack this password, or crack this information, with a brute-force methodology, and that's actually what the hints refer to in this challenge. If you check them out here, it says "If at first you don't succeed, try, try again, and again, and again." So it's referring to a brute-force attack to test and crack this password, or really just guess it, essentially. So the tool to do that is, again, referred to in the title here: John the Ripper, and I've showcased this a little bit before. You can check out John the Ripper.
They have a website here; we could pull up a page that explains a little bit more about it. I'm gonna end up going for the repository for the community edition, John the Ripper Jumbo, "Jumbo John" I think it is, and that has the GitHub repo that I'm gonna go ahead and clone. It takes a little bit to compile it, but this is what's necessary, in my opinion, because you have more tools and more toolkits, like other scripts that will allow you to work with other different kinds of information, like a JWT, a Java web token, or some RADIUS information. So everything will be converted to a format that John the Ripper, or simply John, can go ahead and read and crack and process. So I'm gonna go ahead and git clone this. If you don't have git installed on your system, that's totally fine; just sudo apt install git, or whatever your package manager is. I'll git clone this. Great. Takes some time. Let's check out what it says, or how to install; see the INSTALL file. Great. All right, INSTALL file. Is that even readable? Where is that file? It's in src, I would think. So it's still downloading the stuff. Is my internet crappy? What the heck. INSTALL. Oh no, it would probably be in doc, the documentation. INSTALL, INSTALL. We want to... if that stuff is necessary, I'll just do that. So: move into src, get some dependencies, get more dependencies, that's if you have a GPU. So I mean, a little bit further down you can see it says clone and build, so really just run configure and make. Okay, and then we can go ahead and run it.
I'm gonna wait till this downloads. So I didn't end up waiting for it to download; I just went ahead and copied the file that I originally used for my real source files of playing picoCTF. So suspend disbelief there, sorry. You can git clone that on your own if you'd like. But once you have it downloaded, move into that repository, and you do want to move into src, just as the installation documentation said, and you would run ./configure, and that will take a lot of time to do some things, like a lot of time, so hopefully you can have some patience for that. And then the next command that it wanted you to run was make, and I think make install would follow that, and so they say make clean and make; that's just fine. I probably... I already have this actually compiled and made and everything, but I have to proclaim a disclaimer: it does take a little bit of time. So note that once you have it all done, you can just move into the run directory and then you should have all the files and information already completed for you, like it's all compiled and ready to use. So ./john is the John the Ripper program. If I run this, it's just john, and it needs some information. But we don't have files that are currently in the format that John the Ripper can actually read and process. So let's check out whatever options there are, and I'm going to point us in the right direction. But we have a utility called unshadow, and unshadow, when it's given a shadow file and a password file, will convert them into something that John can read. So we can use the password file and the shadow file that's been provided to us from the picoCTF challenge to begin with and go ahead and create something. So let's move up a directory and work with the password file, move up a directory again and work with the shadow file, and this output is now the format that John can read. So let's go ahead and put that in, I guess, this directory. That's totally fine for us.
Let's just use, yeah, pico_user.txt, and that's totally fine. We'll give that to the john binary; John can actually just take that as we wanted, as pico_user, and it'll get started running ./john. Sorry. And what this method is going to do is simply brute force. I didn't expect it to get it done that quickly. The other methodology that you could use is a dictionary attack. So the dictionary attack is when you're using a dictionary, right, of passwords or potential things that it could be, and that is what the next hint is referring to when it talks about the rockyou file. rockyou, if you check it out, Google it a little bit: rockyou is a password list, rockyou.txt or the rockyou password list, and that file is ginormous. It's huge. I don't know if... it's actually going to take three minutes for you to download this thing. You can find it online and I would recommend downloading it. It's literally just a plain text file of a bunch of words, a bunch of English words. See if I have it. I know I do, because it's going to be in the... yeah, let's copy it into this directory, and if I were to cat out rockyou.txt, it's a bunch of words or potential passwords or stuff that could be used as a password. So let's go ahead and try that. Let's use john with pico_user.txt, and you can say --wordlist=rockyou.txt. But it sucks because I'm running this already. --show. I mean, a --show at the beginning there. Do I have a john.pot file in here?
If you end up running john twice and you're actually, accidentally, kind of not able to view the password that you want to see, that you've already, for whatever reason, uncovered, you can go ahead and remove the john.pot file. It's in that directory that you're working with, and that's kind of John's save file, so it won't not do what it's supposed to do again; it'll go ahead and run the process you would expect. So remove the john.pot file and you can go back to testing and stuff that you were doing before. So again, John the Ripper found that the password is "kiss me" for the root user. It may be different for yours. So now that we know that, we can go ahead and go back to the original challenge prompt that's explained to us, like, oh, this is something that we may want on the service here. So let's go ahead and copy this netcat command, to use the username root to log in with, because that's what we know is in the shadow and password file, and the password that we now know is "kiss me". We enter that and we get the password just like that. Let's go and make a get_flag script out of this. I'm going to echo root and then I'm going to echo kiss me. I'm going to pipe those into netcat just like this, and I'm going to cut this with the first field of spaces, but I'm gonna reverse it first, so the first field essentially becomes the last field, but now I have to reverse it again. So I've just cut out only the flag that I want. Cool, interesting technique, right? But that's how we can just avoid some newline characters: just put together some echo inputs and give that to the service that we're connecting to, and retrieve that column that we wanted from the flag.
So nano get_flag.sh, paste in that quick one-liner for us, mark it as executable, redirect that to flag.txt, copy it and submit it for a hundred points. Awesome. Hey, I want to give a quick shout-out to the people that support me on Patreon. Thank you guys so much; you're the best. You're the reason that I keep doing this and the reason I wake up in the morning, stuff like that. Hey, $1 a month on Patreon will give you a special shout-out just like this at the end of every video. $5 and more on Patreon will give you early access to all of the videos that are released on YouTube before they go live, because I like to record in bulk, get a backlog of content, and then gradually release it from, like, YouTube scheduled stuff. So if you did like this video, please like, comment and subscribe. Link in the description to join our Discord server. It is a cool community full of CTF players, programmers and hackers. You're gonna hang out with me, other cool people, other really smart people, really smarter than me, that's for sure, and we'll tackle a lot of capture-the-flag competition stuff, other online tasks, like whatever puzzles online, alternate reality games, just cool stuff, man. Come hang out. It'd be awesome. Sweet. Love you guys. Hope to see you on Patreon. Hope to see you next video. Peace.
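The text-processing parts of the walkthrough above, reworked as a POSIX shell example. This is added code, not code from the video and not John the Ripper's own unshadow tool: unshadow_merge reproduces in awk what unshadow does with a passwd and a shadow file (replace the "x" marker with the matching hash so each user is one record John can read), world_readable checks the permission bit the video contrasts between /etc/passwd and /etc/shadow, and last_field does the job of the rev | cut | rev trick in the get_flag script. All sample records, the hash string and the flag string are constructed placeholders, the file names are assumptions, and the john commands appear only as comments so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the video or from the John the Ripper project.
# Sample records, the hash string and the flag string below are constructed.

# unshadow_merge PASSWD_FILE SHADOW_FILE
# Reproduces what unshadow(8) does: for each passwd record whose password
# field is the "x" marker, substitute the hash from the matching shadow record.
# Output is one record per user, name:hash:uid:gid:gecos:home:shell, which is
# the layout john reads. The shadow file is read first (NR==FNR) to build the
# name -> hash lookup; passwd records with no shadow entry pass through as-is.
unshadow_merge() {
    awk -F: -v OFS=: '
        NR == FNR { hash[$1] = $2; next }
        $2 == "x" && ($1 in hash) { $2 = hash[$1] }
        { print }
    ' "$2" "$1"
}

# world_readable FILE
# Succeeds when the "other" read bit is set, as it is on /etc/passwd; the
# video's point is that /etc/shadow must fail this check (root and the shadow
# group only), which is why the hashes have to be handed to you in a CTF.
world_readable() {
    perms=$(ls -ld "$1" | cut -c1-10)   # e.g. -rw-r--r-- ; char 10 is "other" read
    case "$perms" in
        ???????r??) return 0 ;;
        *)          return 1 ;;
    esac
}

# last_field LINE
# The extraction step from the get_flag one-liner: the service prints the flag
# as the last space-separated word. The video peels it off with
#   rev | cut -d' ' -f1 | rev
# and awk's $NF is the portable equivalent used here.
last_field() {
    printf '%s\n' "$1" | awk '{ print $NF }'
}

# Demo on constructed data; the hash is a placeholder, not the challenge's.
demo() {
    tmp=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$tmp/passwd"
    printf 'root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:17000:0:99999:7:::\n' > "$tmp/shadow"
    chmod 644 "$tmp/passwd"
    chmod 640 "$tmp/shadow"

    unshadow_merge "$tmp/passwd" "$tmp/shadow" > "$tmp/pico_user.txt"
    cat "$tmp/pico_user.txt"
    world_readable "$tmp/passwd" && echo "passwd: world-readable (expected)"
    world_readable "$tmp/shadow" || echo "shadow: not world-readable (expected)"

    # The cracking steps themselves, as run in the video (not executed here):
    #   ./john pico_user.txt                       # default incremental mode
    #   ./john --wordlist=rockyou.txt pico_user.txt  # dictionary attack
    #   ./john --show pico_user.txt                # re-display; rm john.pot to start over
    last_field "Welcome root, here is your flag: picoCTF{constructed_example}"
    rm -rf "$tmp"
}

demo
```

The awk merge keys on the user name only, exactly as the video's unshadow step does; if the same name appears twice in the shadow fragment the last entry wins, so check the merged line before handing it to john.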