So imagine you are in front of a Linux computer to which you have no access at all. How do you get root?
Restart the computer, in the GRUB menu choose the recovery mode entry, and on the next screen select "Drop to root shell prompt". Simple as that.
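Whether this trick (or pressing "e" to edit a boot entry) works on a given box depends on what the GRUB configuration says. As an added example that is not part of the original post, the script below audits a grub.cfg for the two settings that matter: a superuser plus password directive, which is what makes the menu ask for a password before editing or booting entries, and the `--unrestricted` flag, which lets anyone boot that particular entry without the password (editing it still needs one). The sample grub.cfg is constructed for the example and the hash in it is a placeholder, not a real PBKDF2 value.

```shell
#!/bin/sh
# Added example (not from the original post): audit a grub.cfg for the
# settings that decide whether the "recovery mode -> root shell" trick works.
# A GRUB config is protected when it sets superusers AND a password, and an
# entry is bootable without that password only when marked --unrestricted.

# Print "protected" if the config sets superusers and a password directive,
# otherwise "unprotected".
grub_password_state() {
    cfg="$1"
    if grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$cfg" &&
       grep -Eq '^[[:space:]]*password(_pbkdf2)?[[:space:]]' "$cfg"; then
        echo protected
    else
        echo unprotected
    fi
}

# Print the titles of menu entries that anyone can boot without the GRUB
# password (--unrestricted). Editing them with "e" still needs the password.
grub_unrestricted_entries() {
    cfg="$1"
    grep -E '^[[:space:]]*menuentry[[:space:]].*--unrestricted' "$cfg" |
        sed -E "s/^[[:space:]]*menuentry[[:space:]]+['\"]([^'\"]*)['\"].*/\1/"
}

# Constructed sample config (hypothetical, trimmed to the relevant lines;
# the pbkdf2 hash is a placeholder).
write_sample_cfg() {
    cat > "$1" <<'EOF'
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.AAAA.BBBB
menuentry 'Ubuntu' --class ubuntu --unrestricted $menuentry_id_option 'gnulinux-simple' {
        linux /vmlinuz root=/dev/sda1 ro quiet
}
menuentry 'Ubuntu (recovery mode)' --class ubuntu $menuentry_id_option 'gnulinux-recovery' {
        linux /vmlinuz root=/dev/sda1 ro recovery nomodeset
}
EOF
}

tmp="$(mktemp)"
write_sample_cfg "$tmp"
echo "password: $(grub_password_state "$tmp")"
echo "entries bootable without the GRUB password:"
grub_unrestricted_entries "$tmp"
rm -f "$tmp"
```

On a real machine point the functions at /boot/grub/grub.cfg (or /boot/grub2/grub.cfg). In the sample the normal entry is `--unrestricted` and the recovery entry is not, which is the usual intent: anyone can boot the default system, but getting a root shell through recovery mode or an edited kernel command line requires the GRUB password. A config that reports "unprotected" is the case the post describes.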
Unless of course the system is properly configured with a password for Grub, preventing you from selecting a different option.
And if there's no BIOS password :) It's not really an attack method (although it could be, on weakly protected systems, e.g. without GRUB password protection). It's more of a cool trick which can be handy sometimes.
If the boot loader is password protected but the BIOS isn’t, you could always boot the computer with a live CD, mount the partition with /etc and reset the root password. This also isn’t possible if /etc is inside an encrypted partition… In that case you’re kinda screwed: with an encrypted root partition the recovery mode would also be tricky (you’d need the partition password in order to boot the system properly).
It is possible to gain root/admin access to any system you have local control over.
If a bad guy has unrestricted physical access to your PC, it's not your PC anymore. ;)
In the GRUB menu press "e" on the boot menu item you're interested in, then add init=/bin/bash to the end of the kernel's command line.
Or, you could pull the drive, connect it to a USB to SATA (assuming SATA, for RAID arrays, this gets more interesting…) dongle, plug that into a booted machine that you have control over, mount the disk to /mnt/root.me, chroot /mnt/root.me and then do “passwd” to change the root password.
Unless someone encrypted their root disk, in which case you’re pretty much SOL.
In that case you could always at least have fun experimenting with cold boot attacks. Or you could try to “social engineer” your way to the root account (assuming that root is hostile)
A restart via command line requires a root password. Usually the system you want root access to is also in a remote location, so manually restarting isn't an option either… How do you gain access to it? Obviously if it's your own box this isn't a problem ;)
So we need to be root – does it have to be the running OS?
Most Distros nowadays will still prompt you for a Password even in recovery mode.
Get a USB stick and install e.g. Damn Small Linux via Unetbootin on it. Reboot the PC and boot from USB. Mount the hard disk partition and edit /etc/passwd. Delete the garbage between the two colons, e.g. root:khdfkj887676!dsd:/bin/bash…
Reboot, and log in as root without a password.
OR !!! Look under the keyboard, maybe someone scribbled a hint ;)
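The offline reset described in the comments above (boot something else, mount the disk, blank or replace root's password hash) comes down to rewriting one field of one line. As an added example that is not part of the original post or any commenter's code, the functions below do that on a file path you pass in, so the target's mounted /etc/shadow (or /etc/passwd on old systems that keep the hash there instead of an "x") can be inspected first and edited in place; the sample shadow file is constructed for the example and its hashes are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): once the target's root
# filesystem is mounted from a live system (say at /mnt/root.me), the root
# account is reset by rewriting field 2 of root's line in the mounted
# /etc/shadow (or in /etc/passwd on old systems that keep the hash there).
# Both functions take the file path explicitly so they can be tried on a copy.

# Report what field 2 of root's line says: "locked" ("!" or "*"),
# "nopassword" (empty) or "hashed".
root_password_state() {
    awk -F: '$1 == "root" {
        if ($2 == "") print "nopassword";
        else if ($2 ~ /^[!*]/) print "locked";
        else print "hashed";
        exit
    }' "$1"
}

# Blank root's hash in place (field 2 -> ""), keeping every other field and
# every other line untouched. Writing back with cat > file keeps the
# original inode, owner and mode (shadow is normally 0640 root:shadow).
clear_root_hash() {
    f="$1"
    awk -F: 'BEGIN { OFS=":" } $1 == "root" { $2 = "" } { print }' "$f" > "$f.tmp" &&
        cat "$f.tmp" > "$f" && rm -f "$f.tmp"
}

# Constructed sample shadow file (hypothetical users, placeholder hashes).
write_sample_shadow() {
    cat > "$1" <<'EOF'
root:$6$saltsalt$constructedhashvaluenotreal:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$othersalt$anotherconstructedhash:19000:0:99999:7:::
EOF
}

tmp="$(mktemp)"
write_sample_shadow "$tmp"
echo "before: $(root_password_state "$tmp")"
clear_root_hash "$tmp"
echo "after:  $(root_password_state "$tmp")"
rm -f "$tmp"
```

Two caveats a practitioner will want. First, an empty hash only helps if PAM accepts it: pam_unix rejects blank passwords unless it is configured with `nullok`, and sshd refuses them by default (`PermitEmptyPasswords no`), so the chroot-and-`passwd` route from the earlier comment, which writes a proper hash, is the more reliable one. Second, none of this applies when the root filesystem is encrypted; the file cannot be reached without the volume key, which is exactly the point the other commenters make.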
Missing #1 security rule.
ANY computer that someone has physical contact with is already broken. No matter if BIOS and GRUB are password protected or not.
What policy is in place to protect the physical computer besides passwords that can be hammered?
If you have physical access to the box things are over before they begin from a security standpoint.