Can you see passwd and shadow?
ls -la /etc/passwd
ls -la /etc/shadow
As a regular user, you should have read access to passwd, so this is normal:
BUT a regular user should have no read access to shadow.
If you can read it, this is a no-no.
Passwords in the shadow file:
While the password field in /etc/passwd is replaced by an x, shadow does hold the (hashed) passwords!
root hash:
How to escalate:
- If you have write access, you can remove the x from an entry in passwd; since that account then has no password, you can switch to it. For root, for example:
- sudo su -
- You can change the group of other users if you have write access.
- You can change the UID to 0 and become root.
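An audit helper for the conditions described above, added here as an example and not part of the original notes: it flags a world-readable shadow file, a world-writable passwd file, an emptied password field and any extra UID 0 account. It runs against constructed demo files (made with mktemp, not the real /etc files) so it can be tried anywhere.

```shell
#!/bin/sh
# Added example. Prints one finding per line and returns the number of
# findings, so exit status 0 means "nothing wrong".
audit_passwd_shadow() {
    passwd_file="$1"
    shadow_file="$2"
    findings=0
    # ls -ld mode string: column 8 = other-read bit, column 9 = other-write bit
    if [ "$(ls -ld "$shadow_file" | cut -c8)" = "r" ]; then
        echo "WORLD-READABLE shadow: $shadow_file"
        findings=$((findings + 1))
    fi
    if [ "$(ls -ld "$passwd_file" | cut -c9)" = "w" ]; then
        echo "WORLD-WRITABLE passwd: $passwd_file"
        findings=$((findings + 1))
    fi
    # Field 2 empty = the x was removed (no password); field 3 = UID
    account_findings=$(awk -F: '
        NF >= 3 && $2 == ""                 { print "EMPTY PASSWORD FIELD: " $1 }
        NF >= 3 && $3 == 0 && $1 != "root"  { print "EXTRA UID 0 ACCOUNT: " $1 }
    ' "$passwd_file")
    if [ -n "$account_findings" ]; then
        echo "$account_findings"
        findings=$((findings + $(printf '%s\n' "$account_findings" | wc -l)))
    fi
    return "$findings"
}

# Constructed demo files (NOT the real /etc files) with every weakness present.
make_demo_files() {
    d=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$d/passwd"
    printf 'backdoor:x:0:0::/root:/bin/bash\n' >> "$d/passwd"          # second UID 0
    printf 'alice::1000:1000::/home/alice:/bin/bash\n' >> "$d/passwd"  # no password
    printf 'bob:x:1001:1001::/home/bob:/bin/bash\n' >> "$d/passwd"
    printf 'root:$6$placeholderhash:19000:0:99999:7:::\n' > "$d/shadow"
    chmod 666 "$d/passwd"   # deliberately wrong: anyone can edit
    chmod 644 "$d/shadow"   # deliberately wrong: anyone can read
    echo "$d"
}

demo=$(make_demo_files)
audit_passwd_shadow "$demo/passwd" "$demo/shadow" ||
    echo "$? finding(s); a healthy host has passwd 644 root:root and shadow 640 root:shadow"
```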
What can you do?
- Copy /etc/passwd and /etc/shadow to your machine:
mousepad passwd
# and paste the contents
mousepad shadow
# and paste the contents
- Use the unshadow tool in Kali:
unshadow # for syntax
unshadow passwd shadow
Take the output and save the users with hashes (we need them for hashcat on the PC):
mousepad unshadowed
Figure out the hash type:
hashcat hash types
Since the hash starts with $6$ (sha512crypt), we can Ctrl+F for it on the example-hashes page and get mode 1800:
hashcat -m 1800 unshadowed.txt rockyou.txt -O
Now we have a password we can switch user with:
su root
password123