Linux Privilege Escalation - Exploiting Weak File Permissions Part 1 (Readable /etc/shadow file)
Greetings folks. In this post, we will be learning how to exploit weak permissions on /etc/shadow.
Let’s get familiar with one of the most famous files in Linux, /etc/shadow. Okay, it isn’t famous per se, but it is interesting from a pentester’s perspective.
Let’s say you have a low-privilege user account and have managed to gain a foothold on the system. The shell is stable and you are excited; you just drank your last coffee and might just about shit yourself very soon. But you have a job to do. You need to get root.
Lax Permissions
If the permissions on some system files are sufficiently lax, it may be possible to escalate privileges using them. If a system file that we can read contains sensitive data, it may give us access to the root account. If a system file can be written, we may be able to alter how the operating system functions and gain root access (that will be covered in the next post). Well, that all sounds terribly insecure. That’s because it is. If you want to learn more about Linux permissions, read this post.
Exploiting /etc/shadow file
What if /etc/shadow was readable by anyone? That sounds like an awfully bad idea. Simply put, it means that any user on the system would be able to read the root account’s password hash. Is it common? No. Would you see it in a CTF? Probably.
So what is the default configuration of /etc/shadow?
This configuration only allows the root account to access the shadow file. Let’s change that to readable by all. I like to watch the world burn too.
Yeah, that’s it. We made it readable by “others”. Sounds spooky.
A good way to find readable files is to search /etc for all regular files that the current user can read:
find /etc -maxdepth 1 -readable -type f
Okay, so we now have a world-readable /etc/shadow file. Just to check.
Make a copy of /etc/shadow and save it somewhere safe that you have access to. Things can go wrong.
cp /etc/shadow somewheresafe
I hope you can see where I am going with this. A world-readable shadow file means we can crack the root password.
Cracking the root password
Firstly, we need to extract the root password hash. You can do this easily with the following command, which takes the first line of the file (normally the root entry) and keeps the second field, the hash:
head -n 1 /etc/shadow | cut -d ":" -f2 > rootpassword.txt
Some notes about identifying the hashing algorithm from the prefix of the hash field:
$1$ is MD5
$2a$ is Blowfish
$2y$ is Blowfish
$y$ is Yescrypt
$5$ is SHA-256
$6$ is SHA-512
The general structure for GNU/Linux password hashes is as follows:
username:$id$salt$hashed:mindays:maxdays:warn:inactive:expire
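As an added example (not part of the original post), the following Python helper turns the prefix table and field layout above into an audit routine: it parses shadow entries, names the hash scheme, and checks whether the file mode has the "others" read bit that this post abuses. The sample entries and hash bodies are constructed placeholders, not real digests.

```python
"""Audit helper: identify the hash scheme of /etc/shadow entries and flag
lax permissions. Added example for this post, not the author's own code.
The sample lines below are constructed; the hash bodies are fake."""
import os
import stat

# Prefix table as listed in the post.
HASH_PREFIXES = {
    "$1$": "MD5",
    "$2a$": "Blowfish",
    "$2y$": "Blowfish",
    "$y$": "Yescrypt",
    "$5$": "SHA-256",
    "$6$": "SHA-512",
}

def identify_hash(password_field: str) -> str:
    """Map the $id$ prefix of a shadow password field to its algorithm name."""
    # "*", "!" and an empty field mean the account has no usable password hash.
    if password_field in ("", "*") or password_field.startswith("!"):
        return "locked/no-password"
    for prefix, name in HASH_PREFIXES.items():
        if password_field.startswith(prefix):
            return name
    return "unknown"

def parse_shadow_line(line: str) -> dict:
    """Split one shadow entry into username, raw hash field and algorithm name."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow entry: %r" % line)
    return {"user": fields[0], "hash": fields[1], "algo": identify_hash(fields[1])}

def shadow_is_world_readable(mode: int) -> bool:
    """True if the 'others' read bit is set: the misconfiguration this post exploits."""
    return bool(mode & stat.S_IROTH)

def audit_shadow(path: str = "/etc/shadow") -> dict:
    """Run both checks against a real file (needs read access to the file)."""
    mode = os.stat(path).st_mode
    with open(path) as fh:
        entries = [parse_shadow_line(l) for l in fh if l.strip()]
    return {"world_readable": shadow_is_world_readable(mode), "entries": entries}

# Constructed sample entries; salts and hash bodies are placeholders.
SAMPLE_SHADOW = [
    "root:$y$j9T$SALTSALT$FAKEHASHFAKEHASHFAKEHASH:19000:0:99999:7:::",
    "kali:$6$SALTSALT$FAKEHASHFAKEHASHFAKEHASH:19000:0:99999:7:::",
    "daemon:*:19000:0:99999:7:::",
]

if __name__ == "__main__":
    for sample in SAMPLE_SHADOW:
        print(parse_shadow_line(sample))
```

A mode of 0o640 (the `u=rw,g=r,o=` state restored at the end of the post) is reported as not world-readable, while 0o644 is flagged.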
Using John
We can easily use John to crack the shadow password. In this example, we are cracking yescrypt, so the John command is:
john --format=crypt --wordlist=/home/kali/PenetrationTests/rockyou.txt rootpassword.txt
For SHA-512 it would be:
john --format=sha512crypt --wordlist=/home/kali/PenetrationTests/rockyou.txt rootpassword.txt
More on the hash formats supported by John can be found at this link.
Let’s get cracking…
Okay, that’s done. I cheated a little here and placed the password “ashitpassword” near the top of the wordlist, because cracking it otherwise would have taken a considerable amount of time.
Ensure you change your root password back to something safe, and restore the permissions of /etc/shadow to their original state:
sudo chmod u=rw,g=r,o= /etc/shadow
In the next post, we will learn about exploiting writable /etc/shadow and /etc/passwd files.