OSCP Quick Hacktricks | Linux: writeable /etc/passwd
Privilege Escalating when /etc/passwd Is Writeable
The Trick
On rare occasions, you will find /etc/passwd to be writeable on the target Linux machine. Escalating in this case is simple, if you know what you are doing. Furthermore, enumeration tools such as LinPEAS will also highlight it to you, as this should be a surefire way to gain root privileges.
All you need to do is run:
pw=$(openssl passwd Password123); echo "r00t:${pw}:0:0:root:/root:/bin/bash" >> /etc/passwd
On the target machine. These two commands set the variable pw to the openssl passwd hash of the chosen password (in this example Password123, but you can choose whatever you like) and then append a new line to /etc/passwd of the form
r00t:<hash of Password123>:0:0:root:/root:/bin/bash
As with the password, you can choose whatever username you want; this example uses r00t. This enables you to run:
su r00t
Now you input Password123 as the password, and you have a root shell!
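The other side of this trick, as an added example that is not part of the original post: a shell audit that checks a passwd-format file for the conditions the technique relies on or leaves behind (group/other-writable mode, a second UID 0 account, a password field holding something other than a placeholder). The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for the conditions described above.

# Names of accounts with UID 0 other than "root".
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Names of accounts whose password field is not a placeholder (x, * or !),
# i.e. the field holds a hash or is empty instead of deferring to /etc/shadow.
inline_password() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" { print $1 }' "$1"
}

# Exit 0 if the file is writable by group or other
# (characters 6 and 9 of the ls -l mode string).
loosely_writable() {
    case "$(ls -ld "$1" | cut -c6,9)" in
        *w*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print one finding per line; prints nothing for a clean file.
audit_passwd() {
    if loosely_writable "$1"; then echo "PERMS: $1 is group/other writable"; fi
    for u in $(extra_uid0 "$1"); do echo "UID0: $u"; done
    for u in $(inline_password "$1"); do echo "INLINE-PW: $u"; done
}

# Constructed sample: a normal file plus one appended entry of the kind
# shown above. "HASHPLACEHOLDER" stands in for a real hash.
write_sample() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
r00t:HASHPLACEHOLDER:0:0:root:/root:/bin/bash
EOF
}

# Demo on the constructed sample, made world-writable on purpose.
sample=$(mktemp)
write_sample "$sample"
chmod 666 "$sample"
audit_passwd "$sample"
rm -f "$sample"
```

On a real host, `audit_passwd /etc/passwd` should print nothing; any output line is worth investigating.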