Linux PrivEsc: Weak File Permissions - Writable /etc/shadow


Introduction


A writable /etc/shadow file can also be used to escalate privileges in Linux. As we saw in the previous post (Readable /etc/shadow), we were able to read the contents of the /etc/shadow file, and with that permission we took a hash and cracked it using john. In this privilege escalation technique we are going to replace the root user's old hash with a new hash in the /etc/shadow file, and then log in as root.

Let's get started.


Enumeration


To identify this weakness, we need to understand the file permissions set on the /etc/shadow file. We use the command below to check them.

ls -la /etc/shadow

As you can see in the screenshot above, the user has read and write permission on the /etc/shadow file. If you are not familiar with Linux file permissions, click here.
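
The same permission check as a script an administrator can run during a hardening review, added here as an example and not part of the original post. The function names and the baseline it enforces (owner root, group root or shadow, no group write, no access for other users) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit ownership and mode of /etc/shadow-style files.
# Function names and the baseline (owner root, group root or shadow, no group
# write, no access for "other") are assumptions of this example.

# Pure check on "octal-mode owner group"; prints one finding per line.
shadow_perm_findings() {
    mode=$1 owner=$2 group=$3
    bits=$(( 0$mode ))    # leading 0 makes the shell parse the mode as octal
    [ "$owner" = root ] || echo "owner is $owner, expected root"
    case $group in
        root|shadow) ;;
        *) echo "group is $group, expected root or shadow" ;;
    esac
    [ $(( bits & 0002 )) -eq 0 ] || echo "world-writable: any local user can replace a hash"
    [ $(( bits & 0004 )) -eq 0 ] || echo "world-readable: any local user can copy the hashes"
    [ $(( bits & 0020 )) -eq 0 ] || echo "group-writable: members of $group can replace a hash"
    return 0
}

# Stat one file (GNU or BusyBox stat) and report; returns 1 if anything is off.
audit_credential_file() {
    path=$1
    [ -e "$path" ] || { echo "$path: not present"; return 0; }
    set -- $(stat -c '%a %U %G' "$path")
    findings=$(shadow_perm_findings "$1" "$2" "$3")
    if [ -z "$findings" ]; then
        echo "$path: OK (mode $1, $2:$3)"
        return 0
    fi
    echo "$findings" | while IFS= read -r line; do
        echo "$path: $line (mode $1, $2:$3)"
    done
    return 1
}

# Audit the files named as arguments, or /etc/shadow and its backup by default.
[ $# -gt 0 ] || set -- /etc/shadow /etc/shadow-
for f in "$@"; do
    audit_credential_file "$f" || true
done
```

A non-zero return from `audit_credential_file` makes the check easy to wire into a scheduled job or a configuration-management compliance run.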


Exploitation


Now we are going to generate a new hash on our system and replace the root user's old hash with the new one on the target system.

Let's edit the /etc/shadow file and replace the old hash with the new one.

After replacing the old hash with the new one, let's log in as the root user.

Here we have root on this system.

Thanks for reading this writeup; all suggestions are welcome.