If you come across /etc/shadow file on Linux systems that has the wrong permissions and allows you to write to it, then you can use it to set your own root password.
First check if you can write to /etc/shadow
find / -type f -writable 2>/dev/null | grep etc
ls -la /etc/shadow
You should see…
This means that the owner, group and all users have read and write permission for the file. Big win for us.
Generate new root password & Su2Root
openssl passwd -1 -salt root pwned123
Now it’s time to open /etc/shadow in your favourite editor. As with the passwd file, each field in the shadow file is also separated with “:” colon characters, and are as follows:
- Username, up to 8 characters. Case-sensitive, usually all lowercase. A direct match to the username in the /etc/passwd file.
- Password, 13 character encrypted. A blank entry (eg. ::) indicates a password is not required to log in (usually a bad idea), and a “*’’ entry (eg. :*:) indicates the account has been disabled.
- The number of days (since January 1, 1970) since the password was last changed.
- The number of days before password may be changed (0 indicates it may be changed at any time)
- The number of days after which password must be changed (99999 indicates user can keep his or her password unchanged for many, many years)
- The number of days to warn user of an expiring password (7 for a full week)
- The number of days after password expires that account is disabled
- The number of days since January 1, 1970 that an account has been disabled
- A reserved field for possible future use
# To start with our root user entry looked like this...
# Now it looks like this...
Save/Write the file.
Now just su to root.
user@box:/$ su root
uid=0(root) gid=0(root) groups=0(root)