// notes/ PrivEsc — Linux
🐧
Passwords And File Permissions Weak File Permissions
<figure<img src="/files/Hmj9bDr6OJqJ06DIcv9Y" alt=""<figcaption</figcaption</figure
#linux privilege escalation#adot8
source · oscp.adot8.com · linux-privilege-escalation/passwords-and-file-permissions_weak-file-permissions ↗Weak File Permissions
<figure><img src="/files/Hmj9bDr6OJqJ06DIcv9Y" alt=""><figcaption></figcaption></figure>Check permissions of the shadow file
<figure><img src="/files/3b2AulRXEBoVCDLSm4xN" alt=""><figcaption></figcaption></figure>Reading the file is allowed by "other" users who aren't the owner or in the owning group
{% hint style="info" %} It is possible to just change the x for the root user in the passwd file, then su using no password
Or we can change our users user and group id to 0 to become the root user {% endhint %}
{% embed url="https://infinitelogins.com/2021/02/24/linux-privilege-escalation-weak-file-permissions-writable-etc-shadow/" %}
Cracking shadow passwords
Copy contents of passwd and shadow into new files on your machine
Use unshadow to turn into a easier crackable format ad fill in the blank
code
01unshadow passwd shadow > unshadowFind hash type
code
01hashcat --example-hashes | grep -i '\$6\$'Crack
code
01hashcat -m 1800 unshadow ~/rockyou.txt -O