Easy Priviledge Escalation Writeable /etc/passwd

Hi Guys,

I would like to create simple notes regarding privilege escalation related to writeable /etc/passwd. Usually when we have write access to the /etc/passwd then the pentester would like to make things become complicated.

when you run the post exploitation enumeration with linpeas that show like below where you have basically write access to the /etc/passwd

Just follow the following steps for your escalation purpose

ash@tabby:~$ openssl passwd RioRio

Next is to add root2 username with the root privilege to the /etc/passwd with the password we generate above

echo "root2:qRfak/wsHrEpQ:0:0:root:/root:/bin/bash" >> /etc/passwd

We can see above that at the end of the /etc/passwd we have successfully added our new user root2

the next is to SU to root2 and use the password we created RioRio

yeah we get the root privilege.

The above steps is just the basic idea, There are many attack vector that allow you to make the /etc/passwd become writeable such as root cron job or any other root process that we can divert to make /etc/passwd become writeable.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s