Linux Authentication Process

Linux-based distributions support various authentication mechanisms. One of the most commonly used is Pluggable Authentication Modules (PAM). The modules responsible for this functionality, such as pam_unix.so or pam_unix2.so, are typically located in /usr/lib/x86_64-linux-gnu/security/ on Debian-based systems. These modules manage user information, authentication, sessions, and password changes. For example, when a user changes their password using the passwd command, PAM is invoked, which takes the appropriate precautions to handle and store the information accordingly.

The pam_unix.so module uses standardized API calls from system libraries to update account information. The primary files it reads from and writes to are /etc/passwd and /etc/shadow. PAM also includes many other service modules, such as those for LDAP, mount operations, and Kerberos authentication.

Passwd file

The /etc/passwd file contains information about every user on the system and is readable by all users and services. Each entry in the file corresponds to a single user and consists of seven fields, which store user-related data in a structured format. These fields are separated by colons (:). As such, a typical entry may look something like this:

htb-student:x:1000:1000:,,,:/home/htb-student:/bin/bash

Field	Value
Username	htb-student
Password	x
User ID	1000
Group ID	1000
GECOS	,,,
Home directory	/home/htb-student
Default shell	/bin/bash

The most relevant field for our purposes is the Password field, as it can contain different types of entries. In rare cases (generally on very old systems) this field may hold the actual password hash. On modern systems, however, password hashes are stored in the /etc/shadow file, which we'll examine later. Despite this, the /etc/passwd file is world-readable, giving attackers the ability to crack the passwords if hashes are stored here.

Usually, we will find the value x in this field, indicating that the passwords are stored in a hashed form within the /etc/shadow file. However, it can also be that the /etc/passwd file is writeable by mistake. This would allow us to remove the password field for the root user entirely.

0xH4shDumb@htb[/htb]$ head -n 1 /etc/passwd

root::0:0:root:/root:/bin/bash

This results in no password prompt being displayed when attempting to log in as root.

0xH4shDumb@htb[/htb]$ su

root@htb[/htb]#

Although the scenarios described are rare, we should still pay attention and watch for potential security gaps, as there are applications that require specific permissions for entire folders. If the administrator has little experience with Linux (or the applications and their dependencies), they might mistakenly assign write permissions to the /etc directory and fail to correct them later.

Shadow file

Since reading password hash values can put the entire system at risk, the /etc/shadow file was introduced. It has a similar format to /etc/passwd but is solely responsible for password storage and management. It contains all password information for created users. For example, if there is no entry in the /etc/shadow file for a user listed in /etc/passwd, that user is considered invalid. The /etc/shadow file is also only readable by users with administrative privileges. The format of this file is divided into the following nine fields:

htb-student:$y$j9T$3QSBB6CbHEu...SNIP...f8Ms:18955:0:99999:7:::

Field	Value
Username	htb-student
Password	$y$j9T$3QSBB6CbHEu...SNIP...f8Ms
Last change	18955
Min age	0
Max age	99999
Warning period	7
Inactivity period	-
Expiration date	-
Reserved field	-

If the Password field contains a character such as ! or *, the user cannot log in using a Unix password. However, other authentication methods—such as Kerberos or key-based authentication—can still be used. The same applies if the Password field is empty, meaning no password is required for login. This can lead to certain programs denying access to specific functions. The Password field also follows a particular format, from which we can extract additional information:

• $<id>$<salt>$<hashed>

As we can see here, the hashed passwords are divided into three parts. The ID value specifies which cryptographic hash algorithm was used, typically one of the following:

ID	Cryptographic Hash Algorithm
1	MD5
2a	Blowfish
5	SHA-256
6	SHA-512
sha1	SHA1crypt
y	Yescrypt
gy	Gost-yescrypt
7	Scrypt

Many Linux distributions, including Debian, now use yescrypt as the default hashing algorithm. On older systems, however, we may still encounter other hashing methods that can potentially be cracked. We'll discuss how the cracking process works shortly.

Opasswd

The PAM library (pam_unix.so) can prevent users from reusing old passwords. These previous passwords are stored in the /etc/security/opasswd file. Administrator (root) privileges are required to read this file, assuming its permissions have not been modified manually.

0xH4shDumb@htb[/htb]$ sudo cat /etc/security/opasswd

cry0l1t3:1000:2:$1$HjFAfYTG$qNDkF0zJ3v8ylCOrKB0kt0,$1$kcUjWZJX$E9uMSmiQeRh4pAAgzuvkq1

Looking at the contents of this file, we can see that it contains several entries for the user cry0l1t3, separated by a comma (,). One critical detail to pay attention to is the type of hash that's been used. This is because the MD5 ($1$) algorithm is significantly easier to crack than SHA-512. This is particularly important when identifying old passwords and recognizing patterns, as users often reuse similar passwords across multiple services or applications. Recognizing these patterns can greatly improve our chances of correctly guessing the password.

Cracking Linux Credentials

Once we have root access on a Linux machine, we can gather user password hashes and attempt to crack them using various methods to recover the plaintext passwords. To do this, we can use a tool called unshadow, which is included with John the Ripper (JtR). It works by combining the passwd and shadow files into a single file suitable for cracking.

0xH4shDumb@htb[/htb]$ sudo cp /etc/passwd /tmp/passwd.bak 
0xH4shDumb@htb[/htb]$ sudo cp /etc/shadow /tmp/shadow.bak 
0xH4shDumb@htb[/htb]$ unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes

This "unshadowed" file can now be attacked with either JtR or hashcat.

0xH4shDumb@htb[/htb]$ hashcat -m 1800 -a 0 /tmp/unshadowed.hashes rockyou.txt -o /tmp/unshadowed.cracked

Note: This is the exact scenario that JtR's single crack mode was designed for.

Further reading

For further reading on the Linux authentication process, this document by The Linux Documentation Project is a great reference.

---

Download the attached ZIP file (linux-authentication-process.zip), and use single crack mode to find martin's password. What is it?

Download the attached ZIP file:

wget https://cdn.services-k8s.prod.aws.htb.systems/content/questions/file/ebdc603e-28a2-4cdf-a24b-571c097eae7a.zip

Unzip the folder:

┌─[eu-academy-3]─[10.10.15.9]─[htb-ac-1811357@htb-ed4da3xeig]─[~/Desktop/HTB]
└──╼ [★]$ unzip ebdc603e-28a2-4cdf-a24b-571c097eae7a.zip 
Archive:  ebdc603e-28a2-4cdf-a24b-571c097eae7a.zip
  inflating: passwd                  
  inflating: shadow

Use unshadow:

unshadow passwd shadow > unshadowed_file.txt

Now, use JtR:

hashcat -m 1800 unshadowed_file.txt /usr/share/wordlists/rockyou.txt -o unshadow_cracked

Read unshadow_cracked file:

cat unshadow_cracked 
hashcat (v6.2.6) starting

...SNIP...

$6$EBOM5vJAV1TPvrdP$LqsLyYkoGzAGt4ihyvfhvBrrGpVjV976B3dEubi9i95P5cDx1U6BrE9G020PWuaeI6JSNaIDIbn43uskRDG0U/:xxxxxxxx
[s]tatus [p]ause [b]ypass [c]heckpoint [f]inish [q]uit => $6$0XiU8Oe/pGpxWvdq$n6TgiYUVAXBUOO11C155Ea8nNpSVtFFVQveY6yExlOdPu99hY4V9Chi1KEy/lAluVFuVcvi8QCO1mCG6ra70A1:xxxxxxx

---

Use a wordlist attack to find sarah's password. What is it?

We have got sarah's pasword with the last question:

$6$EBOM5vJAV1TPvrdP$LqsLyYkoGzAGt4ihyvfhvBrrGpVjV976B3dEubi9i95P5cDx1U6BrE9G020PWuaeI6JSNaIDIbn43uskRDG0U/:xxxxxxxx

---