Linux doesn’t store plaintext passwords. Instead, it stores an HMAC-SHA256 hash of the
passwords in the file /etc/shadow. 

The permissions on the /etc/shadow/ file indicate that only the owner (root) and the group (shadow) can read the file, and that only a root user can write to it.

The unix-privesc tool is preinstalled on Kali Linux and allows you to check a system for vulnerabilities that might allow a privilege escalation attack:

unix-privesc-check standard

The Meterpreter shell has similar functionality built in. You can
use the command getsystem to search for and exploit possible
privilege escalation vulnerabilities:

meterpreter > getsystem

After you gain root privileges, run the Meterpreter module
hashdump to extract the hashes from the system.

meterpreter > run hashdump

---

举例: Performing a Dirty COW Privilege Escalation Attack

a kernel-level vulnerability nicknamed Dirty COW. The vulnerability (CVE-2016-5195) allows an
attacker without root privileges to edit any file by exploiting a bug in how the Linux kernel manages memory.