In a scenario where a shadowed password file has only execute permission for a user, where this user does not have root privileges, how can a privilege escalation attack be launched in this kind of a situation?
With a shadow file that only has execute permission, how would it be possible to proceed with a privilege escalation attack?
So, just to clarify (and I have no idea how), if the passwd file was non-readable/writable, but executable to a non-superuser, can you pull the hashes from the file?
I am also curious, but I don't know how likely this situation is.
One of my friends is taking part in this competition and he asked if I knew how to get around it. I have never come across this kind of a situation so I don't know what to do. I was expecting someone on this forum would know what to do.

A Linux server has two user accounts. One of them is the root's account and the other is Prakhar's account. Both the users log in to this system from remote machines using ssh service. Prakhar is a normal user, that is he is not a privileged user. Prakhar's aim is to somehow gain full access to the system. Prakhar logs on to the system using ssh service from a remote computer with the aim of gaining root privileges. He enters the /etc directory and types in the command ls -la. His happiness knows no bounds when he sees that the passwd file has rwx permissions. He immediately opens it thinking he would fiddle with the encrypted (blowfish hash) passwords stored in that file. Unfortunately he doesn't find any password stored in that file. He then realizes that the encrypted passwords are in the shadow file which doesn't have any read/write permissions but has execute permission. He gets stuck and has no clue as to how to achieve his aim. Can you give him a solution?
Isn't it linked?
What is the command to create a new user?
Well, if it's executable, doesn't it need to be readable to the user in some form? When a program is run, a shell script for example, someone must read it so that it can process the commands.
I played around with this on my box. I had a file named passwd with 611 permissions. If I tried ./passwd, I got an access denied. My hope was that bash would try to run the hashes as commands, putting the hashes to stdout. Are the 611 permissions accurate to your file?
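As an added example (not from any post in this thread), here is a small permission audit for the two files the challenge describes. It evaluates POSIX mode bits the way the kernel does, so it shows that an execute-only shadow file gives an ordinary user no read access at all, and it flags a group- or world-writable passwd file as the finding an administrator needs to fix. The baseline modes, the uid 1000 test user and the gid 42 shadow group are assumptions, not values from the thread.

```python
import stat

# Assumed baseline (mode, uid, gid) for the two files discussed in the thread.
# These are common Linux defaults; adjust to your distribution's policy.
BASELINE = {
    "/etc/passwd": (0o644, 0, 0),   # root:root, world-readable
    "/etc/shadow": (0o640, 0, 42),  # root:shadow, gid 42 assumed for "shadow"
}

def effective_access(mode, file_uid, file_gid, uid, gids):
    """Return the set of r/w/x rights a process (uid, gids) gets on a file.

    POSIX picks exactly one class: owner if uid matches, else group if any of
    the process's gids matches, else other. Root bypasses r/w checks and gets
    x only if some execute bit is set.
    """
    perm = stat.S_IMODE(mode)
    if uid == 0:
        rights = {"r", "w"}
        if perm & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
            rights.add("x")
        return rights
    if uid == file_uid:
        bits = (perm >> 6) & 7
    elif file_gid in gids:
        bits = (perm >> 3) & 7
    else:
        bits = perm & 7
    return {name for name, bit in (("r", 4), ("w", 2), ("x", 1)) if bits & bit}

def audit(path, mode, file_uid, file_gid, uid=1000, gids=(1000,)):
    """Findings for one file as seen by an ordinary (assumed uid 1000) user."""
    _, base_uid, base_gid = BASELINE[path]
    perm = stat.S_IMODE(mode)
    rights = effective_access(mode, file_uid, file_gid, uid, gids)
    findings = []
    if (file_uid, file_gid) != (base_uid, base_gid):
        findings.append(f"{path}: owned by {file_uid}:{file_gid}, expected {base_uid}:{base_gid}")
    if "w" in rights:
        findings.append(f"{path}: writable by unprivileged users (mode {perm:04o}); account entries can be altered")
    if path == "/etc/shadow" and "r" in rights:
        findings.append(f"{path}: password hashes readable by unprivileged users (mode {perm:04o})")
    if perm & 0o111:
        findings.append(f"{path}: execute bit set on a data file (mode {perm:04o}); grants no read access but is not a default")
    return findings

if __name__ == "__main__":
    # Constructed inputs mirroring the challenge: passwd rwx for everyone, shadow execute-only.
    for path, mode in (("/etc/passwd", 0o777), ("/etc/shadow", 0o111)):
        print("\n".join(audit(path, mode, *BASELINE[path][1:])) or f"{path}: ok")
```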
Is this challenge one where one actually logs onto a server, or is it a "here's a question, what would you do" scenario?
You could also try to su to root, hoping that root's password is weak and guessable (but your attempts will certainly get logged).