// notes/ PrivEsc — Linux
🐧

Passwords And File Permissions Weak File Permissions

<figure<img src="/files/Hmj9bDr6OJqJ06DIcv9Y" alt=""<figcaption</figcaption</figure

#linux privilege escalation#adot8
source · oscp.adot8.com · linux-privilege-escalation/passwords-and-file-permissions_weak-file-permissions

Weak File Permissions

<figure><img src="/files/Hmj9bDr6OJqJ06DIcv9Y" alt=""><figcaption></figcaption></figure>

Check permissions of the shadow file

<figure><img src="/files/3b2AulRXEBoVCDLSm4xN" alt=""><figcaption></figcaption></figure>

Reading the file is allowed by "other" users who aren't the owner or in the owning group

{% hint style="info" %} It is possible to just change the x for the root user in the passwd file, then su using no password

Or we can change our users user and group id to 0 to become the root user {% endhint %}

{% embed url="https://infinitelogins.com/2021/02/24/linux-privilege-escalation-weak-file-permissions-writable-etc-shadow/" %}

Cracking shadow passwords

Copy contents of passwd and shadow into new files on your machine

Use unshadow to turn into a easier crackable format ad fill in the blank

code
01unshadow passwd shadow > unshadow

Find hash type

code
01hashcat --example-hashes | grep -i '\$6\$'

Crack

code
01hashcat -m 1800 unshadow ~/rockyou.txt -O