Privilege Escalation: Exploiting write access to /etc/shadow

Recently, I was working on a Capture The Flag (CTF) lab scenario where as an attacker, I had the rare ability to have write access to the /etc/shadow file. I wanted to quickly write up on a technique I did to gain root access to the system.

To begin, let's first quickly understand the differences of /etc/passwd and /etc/shadow and what the contents of each look like and represent.

A typical "/etc/passwd" file would look something like this:


Each field is separated by a colon (":") and are as follows:
  • "test" = Username
  • "x" = Password field. An "x" means the users password is stored in the /etc/shadow file
  • "1002" = Numeric user id. This is assigned by the adduser command. This identifies the user
  • "1002" = Numeric group id. This represents the group id of the user. Usually this will match the user id too.
  • "test,,," = Full name of user
  • "/test" = The users home directory. Usually will be something like /home/test. 
  • "/bin/bash" = The users "shell account". Usually set to /bin/bash or /bin/sh