Shadow Cat
We only know that one used /etc/shadow file to encrypt important message for us. shadow.txt encrypted.txt
shadowファイルをJohn the ripperで復号します。まずshadow.txtファイルから対応するpasswdファイルを次のように作成します。
jr:x:17792:0:99999:7:::z:x:17930:0:99999:7:::a:x:17930:0:99999:7:::x:x:17930:0:99999:7:::q:x:17930:0:99999:7:::l:x:17930:0:99999:7:::v:x:17930:0:99999:7:::e:x:17930:0:99999:7:::f:x:17930:0:99999:7:::b:x:17930:0:99999:7:::r:x:17930:0:99999:7:::g:x:17930:0:99999:7:::n:x:17930:0:99999:7:::o:x:17930:0:99999:7:::p:x:17930:0:99999:7:::s:x:17930:0:99999:7:::c:x:17930:0:99999:7:::w:x:17930:0:99999:7:::d:x:17930:0:99999:7:::t:x:17930:0:99999:7:::h:x:17930:0:99999:7:::m:x:17930:0:99999:7:::k:x:17930:0:99999:7:::i:x:17930:0:99999:7:::y:x:17930:0:99999:7:::j:x:17930:0:99999:7:::u:x:17930:0:99999:7:::underscore:x:17930:0:99999:7:::
unshadowコマンドでJohn the ripperで扱える形式に変換します。
johnコマンドで解析します。$ unshadow passwd.txt shadow.txt > johnpasswd
次のようにパスワードが復号できます。$ john -wordlist=/usr/share/dict/words johnpasswd
暗号文字列のzを_(underscore)に置換して、上記の左側の文字(ユーザ)を右側の文字(パスワード)に置換します。$ john --show johnpasswdjr:1:17792:0:99999:7:::a:a:17930:0:99999:7:::x:b:17930:0:99999:7:::q:c:17930:0:99999:7:::l:w:17930:0:99999:7:::v:h:17930:0:99999:7:::e:i:17930:0:99999:7:::f:j:17930:0:99999:7:::b:k:17930:0:99999:7:::r:l:17930:0:99999:7:::g:m:17930:0:99999:7:::n:n:17930:0:99999:7:::o:x:17930:0:99999:7:::p:y:17930:0:99999:7:::s:d:17930:0:99999:7:::c:e:17930:0:99999:7:::w:f:17930:0:99999:7:::d:g:17930:0:99999:7:::t:o:17930:0:99999:7:::h:p:17930:0:99999:7:::m:q:17930:0:99999:7:::k:u:17930:0:99999:7:::i:v:17930:0:99999:7:::y:r:17930:0:99999:7:::j:s:17930:0:99999:7:::u:t:17930:0:99999:7:::underscore:z:17930:0:99999:7:::
hajjzvajvzqyaqbendzvajvqauzarlapjzrkybjzenzuvczjvastljpass_hash_cracking_hashcat_always_lurks_in_the_shadows
フラグは、
VolgaCTF{pass_hash_cracking_hashcat_always_lurks_in_the_shadows}