Linux doesn’t store plaintext passwords. Instead, it stores an HMAC-SHA256 hash of the
passwords in the file /etc/shadow.
The permissions on the /etc/shadow file indicate that only the owner (root) and the group (shadow) can read the file, and that only the root user can write to it.
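One way to check a host for the ownership and mode described above, as an added example that is not part of the original notes. The function names, the EXPECTED_GROUP variable and the sample triples are assumptions made for illustration; audit_path relies on GNU stat.

```shell
#!/bin/sh
# Added example: audit ownership and mode of a shadow file.
EXPECTED_GROUP="${EXPECTED_GROUP:-shadow}"  # assumption: root:shadow layout from the text

# check_shadow_meta MODE OWNER GROUP
# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 on bad input.
check_shadow_meta() {
    mode=$1 owner=$2 group=$3 rc=0
    case $mode in
        ''|*[!0-7]*) echo "invalid mode: $mode"; return 2 ;;
    esac
    bits=$((0$mode))                      # leading 0 makes the constant octal
    if [ "$owner" != root ]; then
        echo "owner is $owner, expected root"; rc=1
    fi
    if [ "$group" != "$EXPECTED_GROUP" ]; then
        echo "group is $group, expected $EXPECTED_GROUP"; rc=1
    fi
    if [ $((bits & 07)) -ne 0 ]; then      # any r/w/x bit for "other"
        echo "others have access (mode $mode)"; rc=1
    fi
    if [ $((bits & 020)) -ne 0 ]; then     # group write bit
        echo "group can write (mode $mode)"; rc=1
    fi
    return $rc
}

# audit_path FILE: read live metadata with GNU stat and check it.
audit_path() {
    meta=$(stat -c '%a %U %G' "$1") || return 2
    set -- $meta
    check_shadow_meta "$1" "$2" "$3"
}

# Constructed samples (mode owner group), not taken from a real host.
run_samples() {
    for s in "640 root shadow" "644 root shadow" "660 root root" "640 daemon shadow"; do
        set -- $s
        if out=$(check_shadow_meta "$1" "$2" "$3"); then
            echo "OK   $s"
        else
            printf 'FAIL %s\n%s\n' "$s" "$out"
        fi
    done
}

if [ "$#" -gt 0 ]; then audit_path "$1"; else run_samples; fi
```

Run with /etc/shadow as the argument to check the live file; reading the metadata does not require root. Distributions that use a different group for the file can set EXPECTED_GROUP accordingly.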
The unix-privesc-check tool is preinstalled on Kali Linux and allows you to check a system for vulnerabilities that might allow a privilege escalation attack:
unix-privesc-check standard
The Meterpreter shell has similar functionality built in. You can
use the command getsystem to search for and exploit possible
privilege escalation vulnerabilities:
meterpreter > getsystem
After you gain root privileges, run the Meterpreter module
hashdump to extract the hashes from the system.
meterpreter > run hashdump
Example: Performing a Dirty COW Privilege Escalation Attack
a kernel-level vulnerability nicknamed Dirty COW. The vulnerability (CVE-2016-5195) allows an
attacker without root privileges to edit any file by exploiting a bug in how the Linux kernel manages memory.