Exploiting Weak File Permissions

Certain system files can be taken advantage of to perform privilege escalation if the permissions on them are too weak. If a system file has confidential information we can read, it may be used to gain access to the root account. If a system file can be written to, we may be able to modify the way the operating system works and gain root access that way.

Exploiting /etc/shadow file

Readable /etc/shadow file

Find the file

ls -l /etc/shadow

Copy the hash in hash.txt and crack using john

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

For the string present in shadow file as shown below:
root:$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0:17298:0:99999:7:::

The hash is:
root:$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0

Writable /etc/shadow file

Make a new password and user

mkpasswd -m sha-512 newpasswordhere

Edit the /etc/shadow file and replace the original root user's password hash with the one you just generated.

Exploiting /etc/passwd file

Writable /etc/passwd file

The /etc/passwd file contains information about user accounts. It is world-readable, but usually only writable by the root user.

Historically, the /etc/passwd file contained user password hashes, and some versions of Linux will still allow password hashes to be stored there.

Find the file and check it's world writable

ls -l /etc/passwd

Generate a new password hash with a password of your choice

openssl passwd newpasswordhere

Add the new password

1. Add it to existing root user

Edit the /etc/passwd file and place the generated password hash between the first and second colon (:) of the root user's row (replacing the "x").

1. Add a new user

Copy the root user's row and append it to the bottom of the file, changing the first instance of the word "root" to "newroot" and placing the generated password hash between the first and second colon (replacing the "x").