The /etc/shadow file contains user password hashes and is usually readable only by the root user. When this file is misconfigured, and global write access is allowed, this can allow us to overwrite the root password hash with one that we control.
To do this, let’s first check the file permissions on the /etc/shadow file. In our example, we can see that our user account has read/write access.
ls -la /etc/shadow
Knowing that we can write to this file, let’s create a password hash that we control. While all we need to do is generate a SHA-512 hash, we can actually use a pre-installed utility called mkpasswd to generate one for us.
mkpasswd -m sha-512 <newPassword>
Copy the hash that gets generated, and let’s go edit the /etc/shadow file.
You’ll want to paste the hash between the first and second colon symbols on the root user’s line. If a hash is already present there, overwrite it.
Once the file has been changed, you can now switch to the root user using the password you passed to the mkpasswd command.
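From the defensive side, the misconfiguration this write-up relies on is easy to audit. The script below is an added example, not part of the original write-up: it checks that a shadow-style file is owned by the expected user (root by default) and is neither world-readable nor group/world-writable. It assumes GNU coreutils stat (Linux); the path and owner are parameters so it can be run against a copy or a test file.

```shell
#!/bin/sh
# Audit helper added to this write-up (not from the original text): checks
# that a shadow-style file is owned by the expected user and is neither
# world-readable nor group/world-writable, which is the misconfiguration
# described above. Assumes GNU coreutils stat (Linux).

# shadow_perms_ok PATH [OWNER]
#   OWNER defaults to root. Returns 0 when the permissions are safe,
#   1 when a finding is printed, 2 when PATH does not exist.
shadow_perms_ok() {
    path=$1
    want_owner=${2:-root}
    if [ ! -e "$path" ]; then
        echo "MISSING: $path does not exist"
        return 2
    fi
    mode=$(stat -c '%a' "$path")
    owner=$(stat -c '%U' "$path")
    # Normalise to exactly three octal digits: drop a leading
    # setuid/setgid/sticky digit, pad short values such as "0".
    while [ ${#mode} -gt 3 ]; do mode=${mode#?}; done
    while [ ${#mode} -lt 3 ]; do mode=0$mode; done
    rest=${mode#?}          # group+other digits
    group=${rest%?}
    other=${rest#?}
    status=0
    if [ "$owner" != "$want_owner" ]; then
        echo "FINDING: $path owned by $owner, expected $want_owner"
        status=1
    fi
    # Group write bit (2) lets any member of the owning group edit hashes.
    if [ $((group & 2)) -ne 0 ]; then
        echo "FINDING: $path is group-writable (mode $mode)"
        status=1
    fi
    # Other read (4) leaks hashes; other write (2) allows replacing them.
    if [ $((other & 6)) -ne 0 ]; then
        echo "FINDING: $path is world-readable or world-writable (mode $mode)"
        status=1
    fi
    [ $status -eq 0 ] && echo "OK: $path mode $mode owner $owner"
    return $status
}

# Typical use on a live system (uncomment to run):
# shadow_perms_ok /etc/shadow
```

A non-zero exit from the check is the signal to fix ownership and mode (for example `chown root:shadow /etc/shadow` and `chmod 640 /etc/shadow` on Debian-style systems) and to review who could have edited the file while it was writable.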