arrow-left arrow-right brightness-2 chevron-left chevron-right circle-half-full dots-horizontal facebook-box facebook loader magnify menu-down rss-box star twitter-box twitter white-balance-sunny window-close
Linux Privilege Escalation - Weak File Permission
3 min read

Linux Privilege Escalation - Weak File Permission

Linux Privilege Escalation - Weak File Permission

Some files can be used to perform privilege escalation if the permissions on them are too permissive. If it's a file containing confidential information, we could read it if we have a read permission.

If we can write to a file owned by root or a group with sudo privileges, we can be able to change the way the operating system operates and gain root access in that way.

Readable /etc/shadow file

The /etc/shadow file contains user password hashes and is usually readable only by the root user. In this target machine, the file is world readable.

So in that case, we can view and read the contents of the /etc/shadow file:

Note that each line of the file represents a user that contains password hash (if they have one).

The hashed password is encrypted using SHA-512 and below are the other kind of hashes.

Hash Algorithm Descritpion
$1$ MD5
$2a$ Blowfish
$2y$ Blowfish
$3$ Eksblowfish
$4$ NT hashing
$5$ SHA-256
$6$ SHA-512

Read the blog below if you want better understanding about /etc/shadow file.

Understanding /etc/shadow file - nixCraft
Can you explain /etc/shadow file format used under Linux or UNIX-like system?

Next step is to save the root user's hash to a file called hash.txt on your local machine. Then we will be using the tool john (john the ripper) to crack the hash.

Now that the hashed password is cracked, we can easily switch to root account using the su command.


Writable /etc/shadow file

Above sample is about readable /etc/shadow file and on this one, it's about writable /etc/shadow file.

Let's generate a sha-512 password using mkpasswd.

Next step is to copy the generated password and edit the /etc/shadow file to replace the original root user's password hash with the one you just generated.

Now that the hashed password has been changed, we can easily switch to root account using the su command.


Writable /etc/passwd file

The /etc/passwd file contains information about user accounts in the machine. In this target machine, the file is world-readable, but usually only writable by the root user. Historically, the /etc/passwd file contained user password hashes, and some versions of Linux will still allow password hashes to be stored there.

Before modifying the content of /etc/passwd file, let's generate a password first using openssl.

Then edit content of the /etc/passwd file and place the generated password hash between the first and second colon (:) of the root user's row (we will be replacing the "x").

Now that the hashed password has been placed, we can easily switch to root account using the su command.