Linux Privilege escalation - part one

Today we'll be talking about Linux Privilege Escalation, the process of elevating your privileges on a linux system. Everything is done via a CTF and TryHackMe. i'll be adding to this until its complete.
1) Weak file Permissions
   1.1) Readable /etc/shadow
   1.2) Writable /etc/shadow
   1.3) Writable /etc/passwd

Service Exploits

Not a huge amount here. Quick scan of the system should allow attackers to find openings of a Service Exploit
ExploitDB usually has a nice array of exploits which can be used.

Weak File Permissions - readable /etc/shadow

The shadow file contains user passwords hashes and is usually readable only by root. However, if it can read by an attacker, there is possibility for an escalation. Below shows a world readable /etc/shadow file.

Reading the file shows the following:

Quick rundown courtesy of /etc/shadow courtesy of  cyberciti.biz (Below if from their website):

" Basically, the /etc/shadow file stores secure user account information. All fields are separated by a colon (:) symbol. It contains one entry per line for each user listed in /etc/passwd file. Generally, shadow file entry looks as follows (click to enlarge image):
/etc/shadow file format (click to enlarge)

As with the /etc/passwd, each field in the shadow file is also separated with “:” colon characters as follows:

1. Username : A valid account name, which exist on the system.
2. Password : Your encrypted password is in hash format. The password should be minimum 15-20 characters long including special characters, digits, lower case alphabetic and more. Usually password format is set to $id$salt$hashed, The $id is the algorithm used On GNU/Linux as follows:
   1. $1$ is MD5
   2. $2a$ is Blowfish
   3. $2y$ is Blowfish
   4. $5$ is SHA-256
   5. $6$ is SHA-512
3. Last password change (lastchanged) : The date of the last password change, expressed as the number of days since Jan 1, 1970 (Unix time). The value 0 has a special meaning, which is that the user should change her password the next time she will log in the system. An empty field means that password aging features are disabled.
4. Minimum : The minimum number of days required between password changes i.e. the number of days left before the user is allowed to change her password again. An empty field and value 0 mean that there are no minimum password age.
5. Maximum : The maximum number of days the password is valid, after that user is forced to change her password again.
6. Warn : The number of days before password is to expire that user is warned that his/her password must be changed
7. Inactive : The number of days after password expires that account is disabled.
8. Expire : The date of expiration of the account, expressed as the number of days since Jan 1, 1970.

"

Onto cracking the hash via hashcat:

Finally the hash is cracked :)

Log into root

weak file permissions - writable etc/shadow

Idea behind this one is simple. If the etc/shadow file is writable, perhaps we can write ourselves into the file? Below shows the file is world writable:

Create a new password via:

place the new hash into the etc/shadow file,

weak file permissions - writable etc/passwd

Much like the one above, if the etc/passwd file is writable, you can place your own user in or edit a current one. Again the file in question is world writable:

Create new password hash for passwd file.

Save the file and switch to he root user