Exploiting File Permissions Misconfigurations

As you know from the last post, /etc/passwd and /etc/shadow are the files of main interest when it comes to password-based privilege escalation. Other application-level attacks I will explain later.

In this post, I will discuss a few misconfigurations that can be left on the target machine and how you can exploit them to take over the system.

So let's first start by knowing what these misconfigurations actually are:

  1. World-readable shadow file – You can read the hash of the user and perform a brute-force attack using John the Ripper or hashcat
  2. World-writable shadow file – You can generate a password hash using the OpenSSL tool and edit the file using vim, vi, nano or even sed (which requires a strict regex)
  3. World-writable passwd file – Same as point 2, but changing the contents of the /etc/passwd file

The labs that I will discuss are as follows:

LAB: Permission Matters

When you run the lab, you land in a low-privileged shell as the user student.

When you search for the flag file, you will not find anything:

find / -name '*flag*' 2> /dev/null

This means you need to escalate to higher privileges and then search for the file again.

Let's enumerate the users in the /etc/passwd file, since most of the time it is world-readable (-rw-r--r--).

The file is world-readable, so you can use it to enumerate users.

With the find command, you can check for files with a particular permission. You can search the entire system, but that would be slow. Since authentication configuration is stored in the /etc directory, we can search for the misconfigurations in this directory only:

find /etc -type f -perm -0004 -exec ls -l {} \; 2> /dev/null

This command searches for regular files (-type f) in the /etc directory that are world-readable (-perm -0004) and executes ls -l on each entry (-exec ls -l {} \;).

Here is the trimmed output of the above command:

-rw-r--r-- 1 root root 0 Aug 21  2018 /etc/subgid
-rwxr-xr-x 1 root root 3809 Feb 14  2018 /etc/init.d/hwclock.sh
-rwxr-xr-x 1 root root 1191 Jan 17  2018 /etc/init.d/procps
-rw-rw-rw- 1 root shadow 523 Sep 23  2018 /etc/shadow
-rw-r--r-- 1 root root 2584 Feb  1  2018 /etc/gai.conf
-rw-r--r-- 1 root root 461 Sep 23  2018 /etc/group
-rwxr-xr-x 1 root root 1016 Apr  5  2018 /etc/security/namespace.init

The /etc/shadow file is not only world-readable, you can even write to it. So in this case, I will create a password hash and assign it to the root user.

Now you can log in via the su utility by executing su - root with the password "password".

Go get and read the flag!

LAB: Permission Matters II

When you open the lab, it lands you in a low-privileged shell.

Based on the previous lab's experience, let's enumerate users and permission misconfigurations.

On checking, I found that the /etc/passwd file is world-writable. During login, /etc/passwd takes precedence over /etc/shadow: if you set the password hash of the root user directly in that file, su will not check the shadow file.

This also shows that the password hash works without setting a salt value.
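The two checks this post relies on, the find scan of /etc and the fact that a password field in /etc/passwd is honoured before /etc/shadow is consulted, can be turned around into a defender's audit. The script below is an added example, not part of the lab or the original post; it assumes the Debian/Ubuntu reference modes of 0644 for /etc/passwd and 0640 for /etc/shadow (stricter modes, as on other distributions, also pass).

```python
"""Audit an /etc directory for the password-file misconfigurations above."""
import os
import stat


def excess_bits(path, max_mode):
    """Permission bits set on path beyond max_mode; 0 means the file is fine."""
    return stat.S_IMODE(os.stat(path).st_mode) & ~max_mode


def passwd_hash_entries(text):
    """Users whose /etc/passwd password field is not a shadow pointer.

    'x' defers to /etc/shadow and '*' or '!' lock the account. Any other
    value (an empty field or a real hash) is honoured directly by su/login,
    so /etc/shadow is never consulted for that user.
    """
    hits = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[1] not in ("x", "*", "!", "!!"):
            hits.append((fields[0], fields[1]))
    return hits


def world_writable_files(root):
    """Regular files under root that any user may write (the dangerous case)."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable entry; skip rather than abort the audit
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
                found.append(path)
    return sorted(found)


def audit(etc="/etc"):
    """Return human-readable findings for an /etc directory (default: live)."""
    findings = []
    # Assumed reference modes: Debian/Ubuntu defaults for passwd and shadow.
    for rel, max_mode in (("passwd", 0o644), ("shadow", 0o640)):
        extra = excess_bits(os.path.join(etc, rel), max_mode)
        if extra:
            findings.append(f"{etc}/{rel}: extra permission bits {extra:04o}")
    with open(os.path.join(etc, "passwd")) as f:
        for user, field in passwd_hash_entries(f.read()):
            findings.append(f"{etc}/passwd: user {user!r} has password field {field!r}")
    findings.extend(f"{path}: world-writable" for path in world_writable_files(etc))
    return findings


if __name__ == "__main__":
    print("\n".join(audit()) or "no findings")
```

Run as any user: os.stat needs no read access to /etc/shadow, so the mode check works even from a low-privileged shell.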

Now use the su utility to log in as the root user with the password "password".

Go get the flag and submit it to complete the lab.

Gurkirat Singh

Hey there everyone, I am Gurkirat Singh (aka tbhaxor). I do full-stack development to fund my own learning and experiments. I am a cybersecurity enthusiast and like sharing my knowledge.
India