More Password Enumeration
2h 29m

This course explores how to carry out privilege escalation on Linux machines. We look at enumeration, kernel exploits, sudo list, suid, crontab, and much more!


Hi, within this lecture we're going to look in more detail at the enumeration we have already done. Previously I mentioned that a lot of people store their passwords in files like passwords.txt, and also, maybe without knowing it, leave their passwords in logs and shell history on the system. So we're going to try and see what we can do with that. Make sure you're logged in as the regular user, not root, because we became root earlier: run su user, or just SSH into the system one more time.

We have already seen that we can leverage the history command, or search for passwords with the find or locate commands. So let me run ls -la in the home directory. As you can see, we have a .bash_history file here, so we can see which commands have been executed in this shell, either by running cat on the file or by running history to see it in a clearer way. Let me cat it out first. Here we see the history that has been logged in this shell. If we scroll up to the top, we can see a lot of commands executed by previously logged-in users, and if we look carefully we can even find passwords. For example, in this case mysql has been run as the root database user with password123 supplied as the password on the command line. For the purpose of this course I've changed the password to James123, as you might remember, but if I hadn't changed it, we could have just used password123 to become root. So it may not always be this easy, but it's worth a shot: check the bash history any time to find clues, at least clues, maybe not the passwords themselves, but something that gives you privilege escalation ideas. Maybe you cannot see the .bash_history file on a given box, but you can still run history to see the same commands in a clearer way.
As you can see, now we get line numbers: line 1, line 2, up to line 32 and so on, so it's easier to read. It's worth a shot to run history once you become a user, once you get onto the server, and just search for clues. We can find passwords there, or we can try to locate them with find as we have seen before. Maybe you already know how to run find, but I'm going to show you another, more sophisticated way of using it. If a user has left a password in a config file or a log file, maybe we can grep for it and use it as well, so you may want to take a note of this command. I'm going to run find --help. As you can see there are a lot of parameters, and I believe we have seen many of them, but we haven't used the -exec action yet, so let me show you what I mean. I'm going to run find with -type f (regular files only), and for the -exec action I'm going to run grep with -i (case-insensitive) and -I (skip binary files) on the string "PASSWORD", with {} as the placeholder for each file name, just as in the documentation. After that we send the error output, all the "Permission denied" noise, to /dev/null. So take a note of this command, and make sure you end the -exec part with a backslash followed by a semicolon, \;, which terminates the command that find runs:

find / -type f -exec grep -i -I "PASSWORD" {} \; 2>/dev/null

Because grep is run on one file at a time, it prints only the matching line; add -H to grep if you also want to see which file each match came from. Now if I hit Enter, as you can see we get password321. I actually changed this to be James321 as well, but anyway, it was left in a config file for some reason and we found it. So the find command has other uses as well. We are using this curly-brace notation, so make sure you take a note of it so that you can find passwords like that.
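Here is an added example (my own, not code from the course) that runs the two checks above, the history search and the find -exec grep loop, against a small constructed home directory so you can see what each one turns up. The sample files, the history lines and the password strings in them are made up for the demonstration; nothing here is output from the course VM.

```shell
# Added example: the history check and the find/grep loop from the lecture,
# run against a constructed sample tree (not real output from the course VM).

# Build a throwaway "home directory" containing a history file and a config
# file with a password in it. Everything here is constructed sample data.
make_sample_tree() {
  sample=$(mktemp -d)
  printf 'ls -la\nmysql -u root -ppassword123\ncd /var/www\n' > "$sample/.bash_history"
  mkdir -p "$sample/app"
  printf 'DB_HOST=localhost\nDB_PASSWORD=password321\n' > "$sample/app/config.ini"
  printf 'nothing to see here\n' > "$sample/app/readme.txt"
  echo "$sample"
}

# Check 1: shell history. Print numbered lines that mention common clients
# or the word "password"; -i makes the match case-insensitive, -n numbers
# the lines the way the history command does.
grep_history() {
  grep -n -i -E 'mysql|psql|passw|ssh |sudo' "$1/.bash_history" 2>/dev/null
}

# Check 2: the find ... -exec grep loop.
#   -type f          regular files only
#   -exec ... {} \;  run grep once per file; {} is the current file name
#   grep -i -I -H    case-insensitive, skip binary files, show the file name
#   2>/dev/null      hide "Permission denied" noise when run as a low-priv user
find_password_strings() {
  find "$1" -type f -exec grep -i -I -H "PASSWORD" {} \; 2>/dev/null
}

# Run both checks against the sample tree and clean up.
tree=$(make_sample_tree)
echo "== history =="
grep_history "$tree"
echo "== find/grep =="
find_password_strings "$tree"
rm -rf "$tree"
```

On a real target, replace the sample directory with / (or /home, /var, /etc, /opt to keep the run short) and expect the find loop to take a while; the history check should also be repeated for other shells' files (.zsh_history, .mysql_history, .psql_history) if they exist.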
We have seen password123 in the history but not the other one, so this will be helpful for you in a real-life scenario as well. Anyway, as you can see, we're doing enumeration, and all the information we gather might lead us to privilege escalation. Of course we can do much more here, but don't forget to run find, don't forget to run history, and don't forget to check whether a .bash_history file is present.

Next, if we run ls -la /etc/passwd, that is one way to check whether we can read /etc/passwd, and here we can see that every user has read permission on it. We have talked about this a little bit, but I want to get into the details now, and later in this section we're going to see how we can crack the passwords using the shadow file as well. The last permission group is for every other user, as you might already know, and it has the read permission, not write or execute; we don't need write permission to view /etc/passwd. So if you see the r there, just run cat /etc/passwd and you can see all the users, their shells and some other information such as groups. Each line is one account, with colon-separated fields: user name, password placeholder, user ID, group ID, a comment field, home directory and login shell. The first entry here is root. As I said before, the second field used to contain the password hash, but now we only see an x there. So where is the password? It's in /etc/shadow, as I said before: Linux moved the password hashes out of /etc/passwd into /etc/shadow, which is not world-readable, so we cannot see them here.
If we can get the content of /etc/shadow by some method, then we can combine the two files and crack the passwords. If you run ls -la /etc/shadow, as you can see we don't have read permission on it, so we cannot even see its content. If we were root we would see it, but as a normal user cat /etc/shadow gives you permission denied. If you can find something that gives you that, such as a SUID binary that reads arbitrary files (a SUID copy of cat, for example), maybe you can see the content of /etc/shadow and then recover the root password or the passwords of the other users as well. But in this case we cannot, and that is what you will most likely see in a real CTF or real pentest: /etc/shadow is readable only by root (and on some distributions the shadow group) by default, and nobody gives read permission on it to every user, but again, it's worth a shot. Later in this section we're going to see how we can read /etc/shadow and combine it with /etc/passwd to get the root password. All of this is for enumeration purposes, so make sure you cat /etc/passwd and try cat /etc/shadow to see whether it works. So, here you go. We are going to stop here, and in the next lectures we're going to explore some other ways of privilege escalation as well.
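To make the permission check and the "combine them together" step concrete, here is an added example (my own, not from the course). It reads the others-read bit the way ls -la shows it, and then does the join that John the Ripper's unshadow tool performs: it replaces the x in the second field of each /etc/passwd line with the hash from the matching /etc/shadow line. It runs on constructed copies of the two files with made-up hashes; reading the real /etc/shadow and cracking the result are left to the later lecture. The check parses the ls output instead of using test -r because test -r is always true when you are root and would hide the mode bits you are trying to observe.

```shell
# Added example: check the world-readable bit the way "ls -la" shows it,
# then join passwd and shadow the way John the Ripper's unshadow does.
# All files below are constructed sample data, not copied from a real system.

# Return 0 if the "others" read bit is set on the file, 1 otherwise.
# ls -ld prints e.g. "-rw-r--r-- 1 root root ..."; character 8 of the
# ten-character permission string is the others-read bit. We read the mode
# bits rather than using "test -r", which is always true when you are root.
others_can_read() {
  mode=$(ls -ld "$1" | cut -c1-10)
  case "$mode" in
    ???????r??) return 0 ;;
    *)          return 1 ;;
  esac
}

# Join passwd and shadow on the user name: for each passwd line whose user
# has a shadow entry, replace the "x" placeholder with the hash field.
# This is the same transformation unshadow applies; the output is what
# you would feed to a password cracker.
unshadow_join() {
  awk -F: 'NR == FNR { hash[$1] = $2; next }   # first file: remember shadow hashes
           ($1 in hash) { $2 = hash[$1] }      # second file: swap x for the hash
           { print }' OFS=: "$2" "$1"
}

# Constructed sample passwd/shadow pair with made-up hashes and the default
# modes you would expect to see (644 for passwd, 640 for shadow).
make_sample_files() {
  dir=$(mktemp -d)
  printf 'root:x:0:0:root:/root:/bin/bash\nuser:x:1000:1000:user:/home/user:/bin/bash\nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n' > "$dir/passwd"
  printf 'root:$6$saltsalt$FAKEHASHROOT:19000:0:99999:7:::\nuser:$6$saltsalt$FAKEHASHUSER:19000:0:99999:7:::\nnobody:*:19000:0:99999:7:::\n' > "$dir/shadow"
  chmod 644 "$dir/passwd"
  chmod 640 "$dir/shadow"
  echo "$dir"
}

d=$(make_sample_files)
for f in "$d/passwd" "$d/shadow"; do
  if others_can_read "$f"; then echo "readable by everyone: $f"; else echo "not world-readable: $f"; fi
done
echo "== unshadow-style join =="
unshadow_join "$d/passwd" "$d/shadow"
rm -rf "$d"
```

Against a real box, call others_can_read /etc/shadow as the low-privileged user; when it fails, that is the expected result, and the join only becomes useful once some other weakness (a SUID file reader, a backup copy of shadow, a misconfigured cron job) hands you the hashes.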


About the Author

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.