passwd file in unix


DeafCode's Avatar
root@Alpha.Oddities

I can get the file up and view it, but what am I looking for?


ghost's Avatar

Are you doing a challenge on here or just on another computer?


DeafCode's Avatar
root@Alpha.Oddities

Another computer.


ghost's Avatar

Do you have access to commands on the machine from which you got the passwd file, and is the passwd file shadowed?


DeafCode's Avatar
root@Alpha.Oddities

Yes, I have access to commands, and what do you mean shadowed?


ghost's Avatar

DeafCode wrote: Yes, I have access to commands, and what do you mean shadowed?

Paste an example of a user's data from your passwd file.


DeafCode's Avatar
root@Alpha.Oddities

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
ez-ipupd:x:100:101:Dynamic DNS Client:/var/cache/ez-ipupdate:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
ntp:x:38:38::/etc/ntp:/sbin/nologin
ircd:x:101:102:IRC service account:/usr/lib/ircd:/sbin/nologin
distcache:x:94:94:Distcache:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
"passwd" [readonly] 36L, 1693C

Here is the file.


spyware's Avatar
Banned

So?


ghost's Avatar

That's shadowed. Look in your /etc/shadow file and paste that one here. Btw, you can tell it's shadowed because where the password (encrypted) value should be, it's an x (right after the user).


DeafCode's Avatar
root@Alpha.Oddities

root:$1$N/6.KTmL$8qF4i1xYjilNE/B.xNc6j0:14113:0:99999:7:::
bin::14048:0:99999:7:::
daemon::14048:0:99999:7:::
adm::14048:0:99999:7:::
lp::14048:0:99999:7:::
sync::14048:0:99999:7:::
shutdown::14048:0:99999:7:::
halt::14048:0:99999:7:::
mail::14048:0:99999:7:::
news::14048:0:99999:7:::
uucp::14048:0:99999:7:::
operator::14048:0:99999:7:::
games::14048:0:99999:7:::
gopher::14048:0:99999:7:::
ftp::14048:0:99999:7:::
nobody:*:14048:0:99999:7:::
dbus:!!:14048:0:99999:7:::
ez-ipupd:!!:14048:0:99999:7:::
mysql:!!:14048:0:99999:7:::
ntp:!!:14048:0:99999:7:::
ircd:!!:14048:0:99999:7:::
distcache:!!:14048:0:99999:7:::
vcsa:!!:14048:0:99999:7:::
"shadow" [readonly] 36L, 1067C


ghost's Avatar

So now look at root here. Each area is separated by a colon; the only thing you need are the first 2. It's user:pass (using a FreeBSD MD5 hash), the others are just dates and random shit. Take it and run it through John the Ripper to crack it.
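
Added example, not part of the thread or written by any poster: a small audit that reads shadow(5)-style entries like the ones posted above and reports, per account, whether the second field is empty, locked, or a hash, and which crypt(3) scheme the `$id$` prefix names. The sample entries and hash strings are constructed placeholders, and the function names `classify` and `audit` are assumptions of this example.

```python
# Added example: audit the password field of shadow(5)-style entries.
# Sample data is constructed; the hash strings are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$1$SALTSALT$PLACEHOLDERHASHVALUE00:14113:0:99999:7:::
bin::14048:0:99999:7:::
nobody:*:14048:0:99999:7:::
dbus:!!:14048:0:99999:7:::
deploy:$6$SALTSALT$PLACEHOLDERHASHVALUE00:14113:0:99999:7:::
"""

# crypt(3) "$id$" prefixes -> (scheme name, still acceptable for new passwords?)
SCHEMES = {
    "1": ("md5crypt", False),
    "2a": ("bcrypt", True), "2b": ("bcrypt", True), "2y": ("bcrypt", True),
    "5": ("sha256crypt", True),
    "6": ("sha512crypt", True),
    "y": ("yescrypt", True),
}

def classify(field):
    """Return (status, detail) for the second field of a shadow entry."""
    if field == "":
        return ("EMPTY", "empty field: no password required (see shadow(5))")
    if field.startswith(("!", "*")):
        # "*" or "!!" means no usable password; "!" before a hash means locked.
        return ("LOCKED", "password login disabled")
    if field.startswith("$"):
        scheme_id = field.split("$")[1]
        name, ok = SCHEMES.get(scheme_id, ("unknown", False))
        return ("HASH_OK" if ok else "HASH_WEAK", name)
    return ("HASH_WEAK", "legacy DES crypt or unrecognised format")

def audit(text):
    """Map each account name to the classification of its password field."""
    findings = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 2:
            continue
        findings[fields[0]] = classify(fields[1])
    return findings

if __name__ == "__main__":
    for user, (status, detail) in audit(SAMPLE_SHADOW).items():
        print(f"{user:8} {status:10} {detail}")
```

Accounts reported as EMPTY or HASH_WEAK are the ones to fix first: lock or set a password on the former, and rehash the latter under a current scheme at the next password change.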


ghost's Avatar

You can see in what you just posted that there is a password hash there for root. Use John the Ripper or another program you know to decrypt it.


DeafCode's Avatar
root@Alpha.Oddities

It's cracking it now.

Thanks for the help.


spyware's Avatar
Banned

What, did just happen here? What, just now, what happened? WHAT HAPPENED?!


fashizzlepop's Avatar
Member

Spyware, confused? Impossible…