
Thread: Linux shadowed password file hack

  1. #1
    Junior Member
    Join Date
    May 2008
    Posts
    35

    Default Linux shadowed password file hack

    In a scenario where a shadowed password file has only executable permission for a user, and this user does not have root privileges, how can an escalation of privilege attack be launched in this kind of a situation?

  2. #2
    Senior Member Thorn's Avatar
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509

    Default

    Quote Originally Posted by Cryptid View Post
    In a scenario where a shadowed password file has only executable permission for a user, and this user does not have root privileges, how can an escalation of privilege attack be launched in this kind of a situation?
    This is kind of an obvious statement, but you would have to find some user which has the correct privileges.
    Thorn
    Stop the TSA now! Boycott the airlines.

  3. #3
    Junior Member
    Join Date
    May 2008
    Posts
    35

    Default

    With a shadowed file that has only executable permission, how would it be possible to proceed with an escalation of privilege attack?

  4. #4
    Junior Member
    Join Date
    Jul 2007
    Posts
    71

    Default

    So, just to clarify (and I have no idea how), if the passwd file was non-readable/writable, but executable to a non-superuser, can you pull the hashes from the file?

    I am also curious, but I don't know how likely this situation is.

  5. #5
    Junior Member
    Join Date
    May 2008
    Posts
    35

    Default

    Quote Originally Posted by ipndrmath View Post
    So, just to clarify (and I have no idea how), if the passwd file was non-readable/writable, but executable to a non-superuser, can you pull the hashes from the file?

    I am also curious, but I don't know how likely this situation is.
    It is totally a hypothetical situation, part of some online cracking challenge. The question goes like this:
    Code:
    A Linux server has two user accounts. One of them is the root's account and the other is Prakhar's account.
    Both the users log in to this system from remote machines using ssh service.
    Prakhar is a normal user, that is he is not a privileged user.
    Prakhar's aim is to somehow gain full access to the system.
    Prakhar logs on to the system using ssh service from a remote computer with the aim of gaining root privileges.
    He enters the /etc directory and types in the command ls -la
    His happiness knows no bounds when he sees that the passwd file has rwx permissions. He immediately opens it thinking he would fiddle with the encrypted (blowfish hash) passwords stored in that file. Unfortunately he doesn't find any password stored in that file.
    He then realizes that the encrypted passwords are in the shadow file which doesn't have any read write permissions but has execute permission. He gets stuck and has no clue as to how to achieve his aim.
    Can you give him a solution?
    One of my friends is taking part in this competition and he asked if I knew how to get around it. I have never come across this kind of a situation, so I don't know what to do. I was expecting someone on this forum would know what to do.

  6. #6
    Good friend of the forums
    Join Date
    Jun 2008
    Posts
    425

    Default

    Isn't it linked?
    What is the command to create a new user?

  7. #7

    Default

    Quote Originally Posted by Cryptid View Post
    this user does not have root privileges how can an escalation of privilege attack be launched in this kind of a situation??
    You state in a later thread that you have shell access to the box. So, find out what kind of kernel is running and then google around and see if there is a priv escalation hack out there that it is vulnerable to. If so, grab the exploit, put it on the box, run it and gain root! You can also look to see what applications/programs are on the box and see if any of them are vulnerable to a priv escalation attack.

    You could also try to su to root, hoping that root's password is weak and guessable (but your attempts will certainly get logged).

  8. #8
    Just burned his ISO
    Join Date
    Oct 2007
    Posts
    10

    Default

    Quote Originally Posted by Cryptid View Post
    In a scenario where a shadowed password file has only executable permission for a user, and this user does not have root privileges, how can an escalation of privilege attack be launched in this kind of a situation?
    It's been 3 months, wondering if you ever found the answer to this?

  9. #9
    Member imported_blackfoot's Avatar
    Join Date
    Jun 2007
    Posts
    386

    Default Old fictional thread

    This is presumed to be fiction since the shadow file is a readable table of data not an executable script and normally readable by superuser and certain groups.

    Shadow files may be copied/restored from backup or pwconv.

    I do not know of a case where shadow is executable only.
    Lux sit

  10. #10
    Member
    Join Date
    Jan 2010
    Posts
    159

    Default

    Quote Originally Posted by blackfoot View Post
    This is presumed to be fiction since the shadow file is a readable table of data not an executable script and normally readable by superuser and certain groups.
    Blackfoot has hit this on the head. The exploits leveled against the shadow file are to be able to read it, so as to bruteforce/dictionary attack the passwords. If a privilege escalation could be used by the shadow file, the same technique would work against any file that had similar permissions. Maybe there is a 1 in quadrillion chance that the password hashes actually equaled some sort of "command" but I find that to be so unlikely as only worthy of an amusing thought experiment.

    (Of course, perl does look like a password hash sometimes...)
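
Added example, not part of any post in this thread: a defender-side audit of the account files' permission bits, run over the two modes the challenge describes and over common defaults. The finding names, the sample modes and the policy (root-owned, no group/other write, no execute bits, shadow not world-readable) are assumptions of this example.

```python
import os
import stat

SHADOW_NAMES = {"shadow", "gshadow"}  # files that hold password hashes

def audit_mode(path, mode, uid):
    """Return findings for an account file given its st_mode and owner uid."""
    name = os.path.basename(path)
    perm = stat.S_IMODE(mode)  # keep only the permission bits
    findings = []
    if uid != 0:
        findings.append("not-owned-by-root")
    if perm & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable-by-non-owner")
    if perm & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        # These files are data tables, not programs: an execute bit is a
        # misconfiguration signal, whatever else it does or does not allow.
        findings.append("execute-bit-on-data-file")
    if name in SHADOW_NAMES and perm & stat.S_IROTH:
        findings.append("hashes-world-readable")
    return findings

def audit_path(path):
    """Audit a file on the local system."""
    st = os.stat(path)
    return audit_mode(path, st.st_mode, st.st_uid)

# Constructed samples (not taken from a real host): (path, mode, owner uid)
SAMPLES = [
    ("/etc/passwd", 0o100644, 0),  # common default
    ("/etc/shadow", 0o100640, 0),  # common default (root:shadow)
    ("/etc/passwd", 0o100777, 0),  # the challenge's rwx passwd
    ("/etc/shadow", 0o100001, 0),  # the challenge's execute-only shadow
]

def audit_samples():
    """Audit every constructed sample; returns (path, octal perms, findings)."""
    return [(p, oct(stat.S_IMODE(m)), audit_mode(p, m, u)) for p, m, u in SAMPLES]

if __name__ == "__main__":
    for path, perm, findings in audit_samples():
        print(path, perm, findings or "ok")
    for path in ("/etc/passwd", "/etc/shadow"):
        if os.path.exists(path):
            print("live:", path, audit_path(path) or "ok")
```
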
