OSCP
Linkedin
  • 🐉README - Preperation
  • Proof
  • Services
    • Inital Scans
    • LDAP <tcp 389, 636>
    • DNS <udp 53>
    • FTP <tcp 21>
    • SMB <tcp 445, 139>
    • SNMP <udp 161>
    • MySQL<tcp 3306>
    • MSSQL <tcp 1433>
    • SMTP <tcp 25>
    • POP3 <tcp 110>
    • IMAP <tcp 143>
    • IDENT <tcp 113>
    • WEBDAV
    • SSH <tcp 22>
    • Port Knocking
    • Web Sockets
    • Misc
      • PWNCAT
      • WordPress
      • Keepass
      • Git
      • Site Scraping
  • Web Applications
    • Checklist
    • SQL Injection
      • MySQL Cheatsheet
      • MSSQL Cheatsheet
      • Postgres Cheatsheet
      • Payloads
      • SQLMap
      • Page
    • File Upload
    • Directory Traversal
    • LFI & RFI
      • PHP Wrappers
    • SSRF
    • Command injection
    • XXS
    • APIs
    • PHP Applications
    • Source Code
    • Brute Forcing and Spraying
    • Payloads
    • Compiling Exploits
    • Foothold
    • Node.js
    • Misc
  • Active Directory
    • Checklist
    • Initial Attack Strategy
      • LLMNR Poisoning
      • SMB Relay
      • Shell Acess
      • IPv6 Attacks
      • Kerbrute
      • AS-REP Roasting
      • RPC
      • Passback Attack
      • Misc
    • Post-Compromise Enumeration
      • ldapsearch
      • Ldapdomaindump
      • Bloodhound
        • Attack Paths
      • Plumhound
    • Lateral Movement
      • DCOM
      • Pass the Hash
      • Pass the Ticket
      • Overpass the Hash
      • LOTL WMI and WinRM
    • Post-Compromise Attacks
      • Kerberoasting
      • Silver Ticket
      • noPac or noCap ?
      • RPC Password Change
      • Mimikatz
      • Knock and Pass Kerberos
      • Dumping and Cracking Hashes
      • Token Impersonation
      • LNK File Attacks
      • GPP / cPassword Attacks
      • AD CS Attacks
      • misc
    • Post-Domain Compromise
      • Dumping the NTDS.dit
      • Golden Ticket Attack
      • Shadow Copies
      • SAM Cleanup
    • Critical Active Directory CVE's
      • Zerologon
      • PrintNightmare
  • Windows Privilege Escalation
    • Checklist
    • Initial Enumeration Manual
      • System Enumeration
      • User Enumeration
      • Network Enumeration
      • Password Hunting
      • AV and Firewall Enumeration
    • Initial Enumeration Automated
      • Methodology > Tools
    • Kernel Exploits
    • DLL Hijacking
    • Service Permissions
      • Binary Paths
      • Unquoted Service Paths
    • Impersonation and Potato Attacks
    • Registy
      • AutoRuns
      • AlwaysInstallElevated
      • Regsvc ACL
    • whoami /priv
      • SeManageVolumePrivilege
      • SeBackupPrivilege
      • SeRestorePrivilege
    • Scheduled tasks
    • xampp
    • Stored Passwords and Port Forwarding
    • RunAs
    • User Switching
    • Executable Files
    • Startup Applications
    • getsystem
    • Windows Subsystem for Linux
    • CVE-2019-1388
    • CVE-2024-26229 (new)
  • Linux Privilege Escalation
    • Checklist
    • Initial Enumeration
      • System Enumeration
      • User Enumeration
      • Network Enumeration
      • Password Hunting
    • Automated tools
    • Kernel Exploits
    • Passwords & File Permissions
      • Passwords
      • Weak File Permissions
      • SSH Keys
    • Sudo
      • Shell Escaping
      • Intended Functionality
      • LD_PRELOAD
      • Simple CTF
      • CVE-2019-14287 (sudo -u#-1 /bin/bash)
      • CVE-2019-18634 (pwfeedback)
    • SUID
      • Vulnversity
    • Capabilities
    • Cron jobs
    • /etc/passwd override
    • NFS Root Squashing
    • Docker
    • Path Variables
    • Groups
      • Disk
      • LXD/LXC
      • mlocate
    • Nginx
    • Misc
      • Wild Cards
      • Abusing scripts
      • Restricted shell escaping
      • Library Hijacking
      • PHP Web Applications
      • FreeBSD
  • Post Exploitation
    • C2
    • AV Evasion
      • Bypassing AMSI
      • Bypassing UAC
      • Disabling Windows Defender
      • Executable Obfuscation
      • Compiling Code
    • Exfiltration
      • Windows - Pickle
      • Mimikatz
    • Pivoting
      • Eumeration
      • Chisel
      • SSHuttle
      • Double Pivot
      • Good to Know
        • Tunneling
        • Plink.exe
        • Port Forwarding via ~C
        • Socat
        • Metasploit
    • File Transfers
    • DNS Tunneling
    • Persistence
    • PGP/ASC
    • Putty
    • Cleanup
  • Cool!
    • Client-side Attacks
      • Code execution via Windows Library
      • Evil Icon
      • ODT Files
    • Custom Wordlists
    • Fixing Exploits
    • Decrypting Secure Strings
    • tmux
    • Random
  • Report Writing
    • Findings Report
    • Common Legal Documents
Powered by GitBook
On this page
  • Check permissions of the shadow file
  • Cracking shadow passwords
  1. Linux Privilege Escalation
  2. Passwords & File Permissions

Weak File Permissions

PreviousPasswordsNextSSH Keys

Check permissions of the shadow file

Reading the file is allowed by "other" users who aren't the owner or in the owning group

It is possible to just change the x for the root user in the passwd file, then su using no password

Or we can change our users user and group id to 0 to become the root user

Cracking shadow passwords

Copy contents of passwd and shadow into new files on your machine

Use unshadow to turn into a easier crackable format ad fill in the blank

unshadow passwd shadow > unshadow

Find hash type

hashcat --example-hashes | grep -i '\$6\$'

Crack

hashcat -m 1800 unshadow ~/rockyou.txt -O
LogoLinux Privilege Escalation: Weak File Permissions – Writable /etc/shadowInfinite Logins