Writable /etc/shadow
The /etc/shadow file contains user password hashes and is usually readable only by the root user.
Enumeration
We are going to exploit a misconfigured /etc/shadow file to escalate our privileges to root. Let’s check the permission on /etc/shadow.
As you can see, we have write permission on the /etc/shadow file.
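The same permission check can be run as an audit on your own hosts. The script below is an added example, not part of the original write-up; the function name `audit_shadow_perms` and its optional expected-owner argument are assumptions made for illustration, and it relies on GNU `stat`.

```shell
#!/bin/sh
# Added example: audit a shadow-style file for unsafe ownership or mode bits.
# Usage: audit_shadow_perms <path> [expected_owner]   (owner defaults to root)
# Prints one line per finding. Returns 0 if clean, 1 on findings, 2 on error.
audit_shadow_perms() {
    path=$1
    want_owner=${2:-root}
    if [ ! -e "$path" ]; then
        echo "ERROR: $path does not exist"
        return 2
    fi

    # GNU stat: %a = octal mode, %U = owner name, %G = group name
    info=$(stat -c '%a %U %G' "$path") || return 2
    set -- $info
    perm=$1; owner=$2; group=$3
    mode=$((0$perm))   # the leading 0 makes the shell parse the value as octal
    rc=0

    if [ "$owner" != "$want_owner" ]; then
        echo "FINDING: $path is owned by $owner, expected $want_owner"
        rc=1
    fi
    if [ $((mode & 0002)) -ne 0 ]; then
        echo "FINDING: $path is world-writable (mode $perm): any local user can replace password hashes"
        rc=1
    fi
    if [ $((mode & 0004)) -ne 0 ]; then
        echo "FINDING: $path is world-readable (mode $perm): hashes are exposed to every local user"
        rc=1
    fi
    if [ $((mode & 0020)) -ne 0 ]; then
        echo "FINDING: $path is writable by group $group (mode $perm)"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $path mode $perm owner $owner group $group"
    fi
    return $rc
}

# When run as a script with arguments, audit the given file.
if [ $# -gt 0 ]; then
    audit_shadow_perms "$@"
fi
```

Typical distribution defaults are mode 640 with owner root and group shadow, or mode 000 with owner root; any finding printed here should be corrected with `chown` and `chmod` and the cause of the change investigated.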
Exploitation
We will generate a new password and edit the /etc/shadow file, replacing the root hash with the one we have generated. After that, we will use the password to log in to the root account.
Well… As you can see, we have logged in as the root user.