Handling usernames that contain a backspace in Linux

Hi,
Welcome to my blog!

A few days ago, when testing a privilege escalation vulnerability in Linux, I got into a situation where I could insert a line in the file /etc/passwd, but only at the head of the file. I tried to inject a line like "sudoka:sa9EdM8u3.GSc:0:0:exploit:/root:/bin/bash" so I could connect to the server with a root privileged account.
If you are unfamiliar with the format of /etc/passwd, take a look here.
You can easily generate the password hash with Python or Perl. For instance:
ad@ubuntu18:~$ python -c "from crypt import crypt;print crypt('my_password_here','salt_here')"
sa9EdM8u3.GSc
ad@ubuntu18:~$ perl -le "print crypt('my_password_here','salt_here')"
sa9EdM8u3.GSc
ad@ubuntu18:~$ 
    
As you know, /etc/passwd has higher priority than /etc/shadow. If you write "x" in /etc/passwd, the password resides in /etc/shadow. Otherwise, it is stored in /etc/passwd directly. Of course, storing the password in /etc/passwd is very bad because, by default, /etc/passwd has 644 permissions, which means anyone can read this file!
Furthermore, any account with id 0 or group 0 is treated as root or as a member of the root group respectively, regardless of the username.

The problem was that when anyone logs in to the root account, the server picks the username of the first account with id=0 in /etc/passwd. Indeed, it behaves like this in every situation, including changing the password. For example:
If an admin logs in after that, he will definitely notice it and discover the ongoing attack.
Of course, if the admin reads the file /etc/passwd, he may also find the weird line. But I wanted to at least hide my exploit whenever the admin logs in to the root account, so I played a trick with the backspace character (its ASCII code is 0x08, and editors display it as ^H).
When I googled how to handle a username that contains a backspace in Linux at that time, no answers were found. That is the main reason why I wrote this post.
I found out that we can use a backspace in the username like any printable character, except that it deletes the previous character on the screen.
Finally, I could add a root-privileged account with a name other than root that is displayed as root, so I could avoid the eyes of the admin when he logs in.
ad@ubuntu18:~$ su root
Password: 
root@ubuntu18:/home/ad# exit
exit
ad@ubuntu18:~$ su `echo -e 'a\x08root'`
Password: 
root@ubuntu18:/home/ad# id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu18:/home/ad#
    
The option -e tells echo to interpret backslash escapes. The backspace character can be written as \x08 or \b.
A command placed inside a pair of "`" characters is executed before the outer command, and its output is substituted into the outer command line. You can also use $(some_commands_inside_here); the two forms are equivalent.

To sum up, this trick can hide a root-privileged Linux account on the line before the root account line in /etc/passwd. Of course, it would be better to place the line after the root account line if you can. This post is also helpful for anyone who needs to handle backspace or other unprintable characters in Linux usernames.
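
Seen from the defending side, the trick only works on a terminal that renders the backspace; an audit that inspects the raw characters of /etc/passwd catches it at once. The following Python check is an added example, not code from the original post. The sample file content, the HASH_PLACEHOLDER value, the allow-list of username characters and the function name audit_passwd are assumptions made for the illustration.

```python
import string

# Constructed sample input: a username containing backspace (0x08) and a
# password field that is not "x" (hash replaced by a placeholder), placed
# before the real root line as described in the post.
SAMPLE_PASSWD = (
    "a\x08root:HASH_PLACEHOLDER:0:0:exploit:/root:/bin/bash\n"
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "ad:x:1000:1000:ad:/home/ad:/bin/bash\n"
)

# Assumed conservative allow-list for login names (not taken from the post).
ALLOWED = set(string.ascii_lowercase + string.digits + "_-.$")


def audit_passwd(text):
    """Return a list of (line_number, repr(username), reason) findings."""
    findings = []
    # split("\n") on purpose: splitlines() also breaks on other control
    # characters, which would hide them from the check below.
    for lineno, line in enumerate(text.split("\n"), start=1):
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, repr(line), "malformed entry"))
            continue
        name, passwd, uid = fields[:3]
        shown = repr(name)  # repr() prints \x08 instead of rendering it
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
            findings.append((lineno, shown, "control character in username"))
        elif not name or not set(name) <= ALLOWED:
            findings.append((lineno, shown, "unexpected character in username"))
        if passwd not in ("x", "*", "!"):
            findings.append((lineno, shown, "password field is a hash or empty"))
        if uid == "0" and name != "root":
            findings.append((lineno, shown, "UID 0 account not named root"))
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(*finding, sep="  ")
```

To audit a real system, read /etc/passwd in binary mode and decode it as latin-1 before passing it to audit_passwd, so that no byte is dropped or replaced during decoding.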

Thank you for reading!

If you have any questions or want to share something with me, please leave a comment.
