Linux Privilege Escalation - Weak File Permission
Some files can be used to perform privilege escalation if the permissions on them are too permissive. If it's a file containing confidential information, we could read it if we have a read permission.
If we can write to a file owned by root or a group with sudo privileges, we can be able to change the way the operating system operates and gain root access in that way.
Readable /etc/shadow file
The /etc/shadow file contains user password hashes and is usually readable only by the root user. In this target machine, the file is world readable.
So in that case, we can view and read the contents of the /etc/shadow file:
Note that each line of the file represents a user that contains password hash (if they have one).
The hashed password is encrypted using SHA-512 and below are the other kind of hashes.
Read the blog below if you want better understanding about /etc/shadow file.
Next step is to save the root user's hash to a file called hash.txt on your local machine. Then we will be using the tool john (john the ripper) to crack the hash.
Now that the hashed password is cracked, we can easily switch to root account using the su command.
Writable /etc/shadow file
Above sample is about readable /etc/shadow file and on this one, it's about writable /etc/shadow file.
Let's generate a sha-512 password using mkpasswd.
Next step is to copy the generated password and edit the /etc/shadow file to replace the original root user's password hash with the one you just generated.
Now that the hashed password has been changed, we can easily switch to root account using the su command.
Writable /etc/passwd file
The /etc/passwd file contains information about user accounts in the machine. In this target machine, the file is world-readable, but usually only writable by the root user. Historically, the /etc/passwd file contained user password hashes, and some versions of Linux will still allow password hashes to be stored there.
Before modifying the content of /etc/passwd file, let's generate a password first using openssl.
Then edit content of the /etc/passwd file and place the generated password hash between the first and second colon (:) of the root user's row (we will be replacing the "x").
Now that the hashed password has been placed, we can easily switch to root account using the su command.