![]() ![]() Postgres:x:108:117:PostgreSQL administrator,:/var/lib/postgresql:/bin/bash Gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh List:x:38:38:Mailing List Manager:/var/list:/bin/sh The first thing we need to do is copy the contents of /etc/passwd and /etc/shadow into their own text files on our local machine let's call them passwd.txt and shadow.txt, respectfully. Since we have achieved root-level access with our kernel exploit, we can use these files to uncover passwords of other users in the hopes of pivoting to other systems and furthering exploitation. The shadow file also contains other information such as password expiration dates. While the /etc/passwd file is typically world-readable, the /etc/shadow is only readable by the root account. The /etc/shadow file contains the encrypted passwords of users on the system. The sixth field is the user's home directory, and finally, the seventh field is the default shell, usually set to /bin/bash. The fifth field is typically the full name of the user, although this can also be left blank. The third field is the user ID, a unique number assigned to the user, followed by the group ID in the fourth field. If this field is blank, the user does not need to supply a password to log in. The second field traditionally contained an encrypted password, but nowadays (unless you get extremely lucky) it merely contains the letter "x," to denote that a password has been assigned. ![]() The first field is the user's login name. A typical line looks something like this: msfadmin:x:1000:1000:msfadmin,:/home/msfadmin:/bin/bash There are seven fields in each line of /etc/passwd. The /etc/passwd file contains basic information about each user account on the system, including the root user which has full administrative rights, system service accounts, and actual users. Previously: Perform Local Privilege Escalation Using a Linux Kernel ExploitĪ couple files of particular interest on Linux systems are the /etc/passwd and /etc/shadow files.There are two tried-and-true password cracking tools that can accomplish this: John the Ripper and Hashcat. If the user passwords on the system can be obtained and cracked, an attacker can use them to pivot to other machines if the login is the same across systems. After gaining access to a root account, the next order of business is using that power to do something more significant.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |