Stored Passwords and File Permissions Flashcards
(9 cards)
What does the path of elevating privileges via stored passwords and file permissions consist of?
This path consists of searching for stored passwords, weak file permissions and SSH keys.
Why is it important to look at the bash history?
The bash history can contain sensitive information such as previously typed passwords and the locations and names of sensitive files.
How do you use find to look for the “Password” string inside files?
$ find / -type f -exec grep -i -I "Password" {} /dev/null \;
As a regular user, what kind of access should you expect for the passwd and shadow files?
As a regular user we should have read access to the passwd file and no access whatsoever to the shadow file.
What can you do if the shadow file is writable?
You could replace the password hash of any user, including root, with a known hash. Then you can just log in with the password that matches the new hash.
What can you do with a writable passwd file?
You can edit a user's user ID and group ID to the same values as the root user's. You can also create another user by copying the root line and inserting a known hash to replace the x placeholder.
Another possibility is to replace the x placeholder of a user with a known hash.
What sensitive ssh files should you look for?
The authorized_keys and known_hosts files. Also private key files, which usually start with “id_”.
How would you use the find command to look for private key files?
$ find / -name id_'*' 2>/dev/null
This command will list files that start with “id_”.
How do you use ssh with an identity file?
$ ssh -i privkeyfile username@ip