Exploiting /etc/passwd

If /etc/passwd has weak permissions, then passwords in it can be replaced (since Linux systems still use the password hashes in /etc/passwd preferentially to those in /etc/shadow). This means that we can just directly add root-equivalent users directly there (remember that the UID and primary GID can be duplicated!).

To generate a password acceptable for inclusion in /etc/passwd:

openssl passwd -1 -salt $SALT $PASSWORD