Labs / Shadow Cracker

  • Challenge
  • Released 12 Nov 2025

🔓 Can you crack the shadow and reveal the secrets?

A Linux shadow file has fallen into your hands during a security assessment. Hidden within the cryptographic hashes lies a secret waiting to be uncovered. Armed with the right tools and techniques, can you crack the hashes and recover the hidden credentials? Time to put your password cracking skills to the test! 💪

Flags: 1
Points: 5

Challenge Overview

In this challenge, you'll practice Linux password cracking techniques by analyzing a shadow file obtained during a security assessment. The shadow file contains password hashes that need to be cracked to recover user credentials.

Learning Objectives
  • Understanding Linux password storage mechanisms
  • Analyzing shadow file format and structure
  • Using password cracking tools like John the Ripper or hashcat
  • Working with different hash algorithms (SHA-512, SHA-256, MD5)
  • Dictionary attacks and wordlist usage
  • Password security best practices

Challenge Scenario

During a penetration test, you've successfully obtained a copy of the /etc/shadow file from a Linux server. This file contains hashed passwords for various system users. Your task is to crack these hashes and recover the plaintext passwords. Once you've successfully cracked a password, you'll find the flag hidden within the credentials.

Required Tools
  • John the Ripper - Popular password cracking tool
  • hashcat - Advanced password recovery utility
  • Wordlists - Common password dictionaries (rockyou.txt, etc.)

File Information

The provided shadow file contains multiple user accounts. Focus on accounts with actual password hashes (not * or !) to find crackable credentials.
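
The distinction drawn above between real hashes and `*` or `!` entries, as an added example that is not part of the lab's own material: a parser that classifies each shadow entry as empty, locked or active and names the crypt scheme from its `$id$` prefix, so an audit can flag active accounts still stored as MD5. The sample lines, salts and digests are constructed placeholders, and the function names are hypothetical.

```python
# Added example: classify /etc/shadow entries by password-field type.
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}  # crypt(3) ids
WEAK = {"md5crypt"}  # schemes an audit should flag for migration

# Constructed sample; salts and digests are placeholders, not real hashes.
SAMPLE = """\
root:$6$SALTPLACEHOLDER$DIGESTPLACEHOLDER:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
bob:!$5$SALTPLACEHOLDER$DIGESTPLACEHOLDER:19000:0:99999:7:::
carol:$1$SALTPLACEHOLDER$DIGESTPLACEHOLDER:19000:0:99999:7:::
dave:$6$rounds=5000$SALTPLACEHOLDER$DIGESTPLACEHOLDER:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""

def classify(line):
    """Return (user, status, scheme, rounds) for one shadow line."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:  # shadow(5) defines exactly nine fields
        raise ValueError(f"expected 9 fields, got {len(fields)}")
    user, pw = fields[0], fields[1]
    if pw == "":
        return user, "empty", None, None  # no password required
    locked = pw[0] in "!*"
    body = pw.lstrip("!*")
    if not body.startswith("$"):
        # No hash at all ("*", "!", "!!") or a legacy/unknown format.
        return user, "locked" if locked else "unknown", None, None
    parts = body.split("$")  # ['', id, (rounds=N,) salt, digest]
    scheme = SCHEMES.get(parts[1], f"other({parts[1]})")
    rounds = None
    if len(parts) > 2 and parts[2].startswith("rounds="):
        rounds = int(parts[2].split("=", 1)[1])
    return user, "locked" if locked else "active", scheme, rounds

def audit(text):
    """Names of active accounts whose hash scheme is considered weak."""
    rows = [classify(l) for l in text.splitlines() if l.strip()]
    return [u for u, status, scheme, _ in rows
            if status == "active" and scheme in WEAK]

if __name__ == "__main__":
    for l in SAMPLE.splitlines():
        print(classify(l))
    print("weak active:", audit(SAMPLE))
```

An entry such as `bob` above, where `!` is followed by a hash, is a locked account whose old hash is still on disk, which is why the parser reports the scheme separately from the status.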