Linux Privilege Escalation via writeable /etc/passwd file


During a Red Team assessment, a Red Teamer faces many scenarios, and one of them is landing a normal-level, low-privilege shell. In a Windows environment, the Administrator (or a member of the Administrators group) holds the high privileges, so the target is usually such a high-privileged user. Similarly, in a Linux environment the root user, or a user with sudo privileges, is the most targeted one.

In this blog, we will discuss a file permission misconfiguration that leads to privilege escalation. Generally, when solving a CTF, we always look at the passwd file to get an idea of the users available on the system.

The passwd file is located in the /etc directory of the Linux filesystem. The most important thing to note is that this file is readable by an unprivileged user.

/etc/passwd

The /etc/passwd file keeps track of every registered user that has access to the system. It is a colon-separated file that contains the following fields, in this order:

  • User Name
  • Encrypted Password
  • User ID (or UID)
  • Group ID (or GID)
  • Full Name of the User
  • User Home Directory
  • Login Shell

Now, we will look at the /etc/passwd file:

Let's have a detailed look at the /etc/passwd file, taking the root user as an example:

  • root: Username.
  • x: Placeholder for the user password. The actual password hash is obtained from the /etc/shadow file.
  • 0: UID of the root user.
  • 0: GID of the root user.
  • root: User description (comment) field.
  • /root: Home directory of the user. The user is placed in this directory when a terminal session starts.
  • /bin/bash: User's shell. This shell, chosen according to the user's purpose, is spawned when the user logs on.

Environment Setup:

Two Linux boxes with the following OS configurations were set up as VMs in NAT network mode (used to share the host's IP address).

OS Name              | Role               | OS Version         | Machine IP      | Kernel Version
Kali Linux (x64 bit) | Attacker Machine   | Kali               | 192.168.245.134 | 4.12.0-kali2-686
Ubuntu (x64 bit)     | Vulnerable Machine | Ubuntu 14.04.6 LTS | 192.168.245.146 | 4.4.0-142-generic

Figure: OS Configuration

We assume that we already have an initial foothold on the target system as the hacknpentest user, reached from our attacker machine (the Kali box). Now, we will upload the linuxprivchecker.py Python script to look for misconfigurations on the target system.

We use the wget (web get) utility to download the script to the target server.

Figure: Downloading enumeration script to the target server.

By default, Python is installed on all Linux machines. We will use the following command to run the enumeration script:

python linuxprivchecker.py

Figure: Running the script

Looking carefully at the script output, we find that the passwd file is world-writable, that is, a normal user has read, write and modify permissions on it.

Figure: Misconfigured Permissions on Passwd file

This permission misconfiguration can be abused to escalate the current user's privileges to root. We will now try to write into the passwd file to make our way to root.

We will add a user to the passwd file, explicitly supplying the encrypted password in the respective field. One can use Perl to generate an encrypted password with a salt as follows:

The following command will add a user with the encrypted password, and with UID and GID set to root (0), to the passwd file.

Let's discuss the fields we are going to add to the passwd file.

  • Tom: Name of the user.
  • ad7t5uIalqMws: Encrypted user password.
  • 0: User ID of root.
  • 0: Group ID of root.
  • User_like_root: User description.
  • /root: Home directory for the user.
  • /bin/bash: User's shell.

The '>>' operator redirects output to a file, appending it at the end of that file (here, the /etc/passwd file).

Now, let’s make our way to root!

perl -le 'print crypt("Password@973","addedsalt")'

Figure: Generating encrypted password

The above command generates a hash from the following password and salt:

Original Password: Password@973

Salt: addedsalt

Encrypted Password: ad7t5uIalqMws

With the above encrypted password, let's now append the following entry to the /etc/passwd file.

Figure: Appending to passwd file

The Tom user is successfully appended to the /etc/passwd file.

cat /etc/passwd

Figure: User Added to passwd file
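As an added example (not the post's own code), here is a short Python audit for the two things this walkthrough relies on: whether /etc/passwd is world-writable, and whether any entry besides root has UID 0 or carries a password hash directly in the passwd file instead of the "x" placeholder. The sample passwd content is constructed and includes the Tom entry from this post; the function and field names are my own.

```python
import os
import stat

# Constructed sample of /etc/passwd content: three ordinary entries plus the
# "Tom" entry from the post (UID/GID 0, hash stored directly in passwd).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
hacknpentest:x:1000:1000:hacknpentest,,,:/home/hacknpentest:/bin/bash
Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash
"""
PASSWD_FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")

def parse_passwd_line(line):
    """Split one colon-separated passwd line into a dict; None if malformed."""
    parts = line.split(":")
    if len(parts) != len(PASSWD_FIELDS):
        return None
    return dict(zip(PASSWD_FIELDS, parts))

def audit_passwd_entries(text):
    """Return (username, reason) findings for suspicious or malformed entries."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_passwd_line(line)
        if entry is None:
            findings.append((line, "malformed entry"))
            continue
        if entry["uid"] == "0" and entry["name"] != "root":
            findings.append((entry["name"], "extra UID 0 account"))
        # 'x' means the hash lives in /etc/shadow; '*', '!' and '!!' are locked.
        if entry["password"] not in ("x", "*", "!", "!!"):
            findings.append((entry["name"], "password hash stored in /etc/passwd"))
    return findings

def world_writable_from_mode(mode):
    """True when the 'other' write bit is set in a st_mode value."""
    return bool(mode & stat.S_IWOTH)

def is_world_writable(path):
    """Check for the permission misconfiguration the enumeration script found."""
    return world_writable_from_mode(os.stat(path).st_mode)

if __name__ == "__main__":
    for name, reason in audit_passwd_entries(SAMPLE_PASSWD):
        print(f"{name}: {reason}")
    if os.path.exists("/etc/passwd"):
        print("/etc/passwd world-writable:", is_world_writable("/etc/passwd"))
```

Run against the real file by feeding open("/etc/passwd").read() to audit_passwd_entries; on a healthy system the findings list is empty and is_world_writable returns False.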

Now, using the su command, we will try to log in as the Tom user.

Figure: su must be run from a terminal

Oops!! We don't have a proper terminal, so we will upgrade to a bash shell using the following Python one-liner (Python is installed on the target server):

Figure: Migrating to stable shell

Now, we try to log in as the Tom user using the following command:

And BOOM!! We are able to log in with root privileges.

Figure: Escalated our privileges to root!

We found a permission misconfiguration on the passwd file and, leveraging it, made our way to logging in as the root user. In the next blog post, we will discuss various other methods for Linux privilege escalation.

Till then hacknpentest!!!

Author: Yash Bharadwaj
Editor: Puneet Choudhary
