โ๏ธwritable /etc/passwd
Exploiting a writable /etc/passwd
Continuing with the enumeration of users, we found that user7 is a member of the root group with gid 0. And we already know from the LinEnum scan that /etc/passwd file is writable for the user. So from this observation, we concluded that user7 can edit the /etc/passwd file. Understanding /etc/passwd The /etc/passwd file stores essential information, which is required during login. In other words, it stores user account information. The /etc/passwd is a plain text file. It contains a list of the systemโs accounts, giving for each account some useful information like user ID, group ID, home directory, shell, and more. The /etc/passwd file should have general read permission as many command utilities use it to map user IDs to user names. However, write access to the /etc/passwd must only limit for the superuser/root account. When it doesn't, or a user has erroneously been added to a write-allowed group. We have a vulnerability that can allow the creation of a root user that we can access. Understanding /etc/passwd format The /etc/passwd file contains one entry per line for each user (user account) of the system. All fields are separated by a colon : symbol. Total of seven fields as follows. Generally, /etc/passwd file entry looks as follows: testโ0:0:root:/root:/bin/bash [as divided by colon (:)]
1. Username: It is used when user logs in. It should be between 1 and 32 characters in length. 2. Password: An x character indicates that encrypted password is stored in /etc/shadow file. Please note that you need to use the passwd command to compute the hash of a password typed at the CLI or to store/update the hash of the password in /etc/shadow file, in this case, the password hash is stored as an "x".
3. User ID (UID): Each user must be assigned a user ID (UID). UID 0 (zero) is reserved for root and UIDs 1-99 are reserved for other predefined accounts. Further UID 100-999 are reserved by system for administrative and system accounts/groups. 4. Group ID (GID): The primary group ID (stored in /etc/group file) 5. User ID Info: The comment field. It allow you to add extra information about the users such as userโs full name, phone number etc. This field use by finger command. 6. Home directory: The absolute path to the directory the user will be in when they log in. If this directory does not exists then users directory becomes / 7. Command/shell: The absolute path of a command or shell (/bin/bash). Typically, this is a shell. Please note that it does not have to be a shell. How to exploit a writable /etc/passwd It's simple really, if we have a writable /etc/passwd file, we can write a new line entry according to the above formula and create a new user! We add the password hash of our choice, and set the UID, GID and shell to root. Allowing us to log in as our own root user!
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Before we add our new user, we first need to create a compliant password hash to add! We do this by using the command:
"openssl passwd -1 -salt [salt] [password]"
What is the hash created by using this command with the salt, "new" and the password "123"?
Great! Now we need to take this value, and create a new root user account. What would the /etc/passwd entry look like for a root user with the username "new" and the password hash we created before?
Great! Now you've got everything you need. Just add that entry to the end of the /etc/passwd file!
Now, use "su" to login as the "new" account, and then enter the password. If you've done everything correctly- you should be greeted by a root prompt! Congratulations!
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
The /etc/passwd file contains information about user accounts. It is world-readable, but usually only writable by the root user. Historically, the /etc/passwd file contained user password hashes, and some versions of Linux will still allow password hashes to be stored there.
Note that the /etc/passwd file is world-writable:
ls -l /etc/passwd
Generate a new password hash with a password of your choice:
openssl passwd newpasswordhere
Edit the /etc/passwd file and place the generated password hash between the first and second colon (:) of the root user's row (replacing the "x").
Switch to the root user, using the new password:
su root
Alternatively, copy the root user's row and append it to the bottom of the file, changing the first instance of the word "root" to "newroot" and placing the generated password hashร between the first and second colon (replacing the "x").
Now switch to the newroot user, using the new password:
su newroot
Last updated