5. Weak File Permissions

Readable /etc/shadow

The /etc/shadow file contains user password hashes and is usually readable only by the root user.


Writeable /etc/shadow

If /etc/shadow is writable, the root user's password hash can be replaced with the hash of a new password.

Use mkpasswd to generate the new value; its output includes the hashing algorithm, the salt and the hash.


Writeable /etc/passwd

The /etc/passwd file contains information about user accounts.

An /etc/passwd entry looks as follows, with fields separated by colons (:): test:x:0:0:root:/root:/bin/bash

  1. Username: It is used when the user logs in. It should be between 1 and 32 characters in length.

  2. Password: An x character indicates that the encrypted password is stored in the /etc/shadow file. Please note that you need to use the passwd command to compute the hash of a password typed at the CLI or to store/update the hash of the password in the /etc/shadow file; in this case, the password field in /etc/passwd contains only an "x".

  3. User ID (UID): Each user must be assigned a user ID (UID). UID 0 (zero) is reserved for root and UIDs 1-99 are reserved for other predefined accounts. UIDs 100-999 are further reserved by the system for administrative and system accounts/groups.

  4. Group ID (GID): The primary group ID (stored in the /etc/group file).

  5. User ID Info: The comment field. It allows you to add extra information about the user, such as the user's full name, phone number, etc. This field is used by the finger command.

  6. Home directory: The absolute path to the directory the user will be in when they log in. If this directory does not exist, the user's directory becomes /.

  7. Command/shell: The absolute path of a command or shell (/bin/bash). Typically, this is a shell. Please note that it does not have to be a shell.

Historically, the /etc/passwd file contained user password hashes, and some versions of Linux will still allow password hashes to be stored there.

If /etc/passwd is writable, we can write a new entry in the above format and create a new user. We add a password hash of our choice and set the UID, GID and shell to those of root, allowing us to log in as our own root user. The hash is generated with the command: "openssl passwd -1 -salt [salt] [password]"

We can also replace the password field of an existing entry with a hash of our own password, generated with openssl.
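
The conditions described in this section can be checked for on a host. The following is an added example, not part of the original notes: it parses passwd-format text using the seven fields listed above, flags UID 0 accounts other than root, hashes or empty values in the password field, and malformed entries, and reports permission bits beyond a baseline. The function names, the sample entries and the 0644/0640 baselines are assumptions of this example.

```python
import os
import stat

# Password-field values that mean "no hash stored here": x = hash lives in
# /etc/shadow; * and ! (or !!) = no valid password for this account.
NO_HASH = {"x", "*", "!", "!!"}

def audit_passwd(text):
    """Return (lineno, username, issue) findings for passwd-format text."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((n, fields[0], "malformed entry (expected 7 fields)"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if uid.isdigit() and int(uid) == 0 and user != "root":
            findings.append((n, user, "UID 0 account other than root"))
        if pw == "":
            findings.append((n, user, "empty password field"))
        elif pw not in NO_HASH:
            findings.append((n, user, "password hash stored in passwd"))
    return findings

def audit_mode(path, max_mode):
    """Return permission bits set on path beyond max_mode (0 means OK)."""
    return stat.S_IMODE(os.stat(path).st_mode) & ~max_mode & 0o777

# Constructed sample input, not taken from a real system.
SAMPLE = """root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
test:$1$salt$constructedhashvalue:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE):
        print(finding)
    # Assumed baseline: passwd 0644, shadow 0640 or stricter (varies by distro).
    for path, max_mode in (("/etc/passwd", 0o644), ("/etc/shadow", 0o640)):
        try:
            extra = audit_mode(path, max_mode)
            print(path, "OK" if extra == 0 else "extra bits: %o" % extra)
        except OSError as err:
            print(path, "not checked:", err)
```

On a live host, pass the contents of /etc/passwd to audit_passwd; a non-zero result from audit_mode means the file is more permissive than the baseline.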


Backup Files

Even if a machine has correct permissions on important or sensitive files, a user may have created insecure backups of these files.

It is always worth exploring the file system looking for readable backup files. Some common places include user home directories, the / (root) directory, /tmp, /var/backups and /var/logs.

