in a scenario where a shadowed password file has only executable permission for a user, where this user does not have root previledges how can a escalation of preveledge attack be launched in this kind of a situation??
Linux shawoded password file hack
in a scenario where a shadowed password file has only executable permission for a user, where this user does not have root previledges how can a escalation of preveledge attack be launched in this kind of a situation??
This is kind of an obvious statement, but you would have to find some user which has the correct privileges.Originally Posted by Cryptid
Thorn
Stop the TSA now! Boycott the airlines.
with a shadowed file only with executable permission how would it be possible to proceed with a escalation of previledge attack?
So, just to clarify (and I have no idea how), if the passwd file was non-readable/writable, but executable to a non-superuser, can you pull the hashes from the file?
I am also curious, but I don't know how likely this situation is.
it is totally a hypothetical situation part of some online cracking challenge.the question goes like this
one of my friend is taking part in this competition and he asked if a knew how to get around it, i have never come across this kind of a situation so i dont know what to do. I was expecting some one on this forum would know what to do.Code:A Linux server has two user accounts. One of them is the root's account and the other is Prakhar's account. Both the users log in to this system from remote machines using ssh service. Prakhar is a normal user, that is he is not a previliged user. Prakhar's aim is to somehow gain full access to the system. Prakhar logs on to the system using ssh service from a remote computer with the aim of gaining root previliges. He enters the /etc directory and types in the command ls -la His happiness knows no bounds when he sees that the passwd file has rwx permissions. He immediately opens it thinking he would fiddle with the encrypted (blowfish hash) passwords stored in that file. Unfortunately he doesn't find any password stored in that file. He then realizes that the encrypted passwords are in the shadow file which doesnt have any read write permissions but has execute permission. He gets stuck and has no clue as to how to achieve his aim. Can you give him a solution?
Isn't it linked.
What is the command to create a new user?
You state in a later thread that you have shell access to the box. So, find out what kind of kernel is running and then google around and see if there is a priv escalation hack out there that it is vulnerable to. If so, grab the exploit, put it on the box, run it and gain root! You can also look to see what applications/programs are on the box and see if any of them are vulnerable to a priv escalation attack.
You could also try to su to root, hoping that root's password is weak and guessable (but your attempts will certainly get logged).
Its been 3 months, wondering if you ever found the answer to this?
Old fictional thread
This is presumed to be fiction since the shadow file is a readable table of data not an executable script and normally readable by superuser and certain groups.
Shadow files may be copied/restored from backup or pwconv.
I do not know of a case where shadow is executable only.
Lux sit
Blackfoot has hit this on the head. The exploits leveled against the shadow file are to be able to read it, so as to bruteforce/dictionary attack the passwords. If a privilege escalation could be used by the shadow file, the same technique would work against any file that had similar permissions. Maybe there is a 1 in quadrillion chance that the password hashes actually equaled some sort of "command" but I find that to be so unlikely as only worthy of an amusing thought experiment.
(Of course, perl does look like a password hash sometimes...)
Posting Permissions
