Privilege Escalation via Writable /etc/shadow (Conceptual Overview)
The /etc/shadow file stores password hashes. If it is writable by a non-root user, that user can replace the root hash or change other users' passwords.
What is /etc/shadow?
/etc/shadow contains the password hashes and password aging information for local accounts. It should be readable only by root (or by root and the shadow group, matching the 600 or 640 permissions recommended below) and writable by nobody else.
How /etc/shadow Escalation Happens (High-Level)
- /etc/shadow is writable by non-root users
- Attacker generates a new password hash
- Attacker replaces the root hash with the new one
- Attacker logs in as root
Why Writable /etc/shadow Is Dangerous
- Direct root password change
- No logging of modifications
- Immediate root access
Real-World Example (Defensive View)
A misconfigured application makes /etc/shadow group-writable. A user in that group replaces the root hash and gains root access.
Detecting Writable /etc/shadow
- Check permissions: ls -la /etc/shadow
- Monitor file integrity
Preventing /etc/shadow Escalation
- Ensure correct permissions (600 or 640)
- Use file integrity monitoring
- Regular permission audits
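The detection and prevention checks above, combined into one defensive script. This is an added Python example, not code from the original page; the path and the accepted modes 0600/0640 come from the page, while the function names and the baseline-comparison approach are my own.

```python
import hashlib
import os
import stat
from typing import List

SHADOW_PATH = "/etc/shadow"
ALLOWED_MODES = (0o600, 0o640)  # the modes this page recommends


def audit_mode(st_mode: int, st_uid: int) -> List[str]:
    """Evaluate raw stat() fields; returns findings, empty when compliant."""
    perm = stat.S_IMODE(st_mode)
    findings = []
    if st_uid != 0:
        findings.append("owner is not root (uid %d)" % st_uid)
    if perm & stat.S_IWGRP:
        findings.append("group-writable")  # the misconfiguration this page describes
    if perm & stat.S_IWOTH:
        findings.append("world-writable")
    if perm & stat.S_IROTH:
        findings.append("world-readable")  # exposes hashes to offline cracking
    if perm not in ALLOWED_MODES:
        findings.append("mode %04o is not 0600 or 0640" % perm)
    return findings


def audit_shadow(path: str = SHADOW_PATH) -> List[str]:
    """Audit a real file; stat() needs no read access, so this runs unprivileged."""
    st = os.stat(path)
    return audit_mode(st.st_mode, st.st_uid)


def fingerprint(path: str) -> str:
    """SHA-256 of the contents, recorded once as a baseline (reading /etc/shadow needs root)."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def integrity_changed(path: str, baseline_hex: str) -> bool:
    """True when the file no longer matches the baseline, e.g. a hash was replaced."""
    return fingerprint(path) != baseline_hex


if __name__ == "__main__":
    problems = audit_shadow()
    print("OK" if not problems else "FINDINGS: " + "; ".join(problems))
```

Store the fingerprint somewhere the audited host cannot alter it, then run integrity_changed() on a schedule; any change that did not go through passwd or a change-management window is worth an alert.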
Key Takeaways
- /etc/shadow must not be writable
- Monitor file permissions
- Regular audits are essential
/etc/shadow: Command Awareness
Common commands observed during audits when checking /etc/shadow. Shown for defensive awareness only.
Permission Checking
- Check /etc/shadow permissions: ls -la /etc/shadow
  Why used: Verify correct permissions (should be 600 or 640).
Defender Takeaways
- Verify /etc/shadow permissions
- Monitor file changes