How I Hacked Linux Root Account the Easy-way (Case Study)

It’s been a while since I used to hack the Linux/Windows PCs in my college’s laboratories for high-speed downloading and some other benefits (yeah, being root is cool!).

When you suck at studies, there’s nothing that can help you focus on them. So, I learned how to focus on something else in the lab.

How?

The university’s high-speed (restricted) Internet.

I used to download in my hostel room at very high speeds (5-6 MB/s).

Yes, MBps (megabytes per second), not megabits per second. Point to be noted: almost everybody else was stuck at KBps 😀 hahh

Free PDF Checklist: Download a free checklist that will show you exactly how to execute the strategy from this post + how to secure your Linux box (BONUS)

Anyways..

Point is, I wanted to do the same in the lab too; call it an urge not to get bored, or curiosity to learn how to hack systems. I just wanted the admin/root account on those PCs.

Here it goes,

I started googling, and sometimes used my own head, to get into the Linux box, and today I am sharing the same steps with you, along with the issues I faced and resolved.

Not to mention that some of the steps you won’t find easily, or anywhere, on the Internet.
Yeah, I mean it. This is where I used my head 😀
Let’s get started…

How to Hack Linux root account

There are numerous ways to hack into a Linux root account. I’ll be sharing two of the easiest methods of all time, which are also my favorites.

Method #1: via Recovery mode

Method #2: via Single user mode

Next, you’ll be learning

  • Hack Linux’ root account (1 Bonus hack in PDF version)
  • How to get persistent root access, and
  • How to secure your Linux box (PDF Checklist)

Hack Linux’ root account: Method #1 – via Recovery mode

Start the system and, at the boot menu, select “Advanced options”.

[Image: boot-select-advanced-options]

Select the “Ubuntu, with Linux ….. (recovery mode)” entry.

[Image: boot-with-recovery-mode]

Highlight and select the “Drop to root shell prompt” option.

[Image: select-root-shell-prompt]

Bam!

You are root now!

[Image: access-root-account-via-recovery-mode]

Simple enough, right?

Well, not so much in most cases.

What happens most of the time is that you encounter a Linux machine with a password already set on the root account.

And when you try the above method, you fail to get the root account.

You’ll see something like this (in most cases):

[Image: root-password-required]

I’ll get into the details in a minute.

But first, let me show you another method to get root (when no password is set),

and then how that password prompt can be bypassed, easily.


Hack Linux’ root account: Method #2 – via Single-user mode

While at the boot menu, highlight the OS you want to boot into (Ubuntu in my case)

and press ‘e’ to get into edit mode.

[Image: grub-loader-edit-boot-option]

This lets you edit the boot parameters that GRUB (or any other bootloader) passes to the kernel.

Now go to the line that starts with “linux /boot/…”, the second-last line in my case.

[Image: edit-kernel-parameters]

This line tells GRUB which kernel to boot and which parameters to pass to it during boot.

If you look at the image above, /boot/vmlinuz* is the path to the kernel, followed by its parameters,

and ro is the parameter that tells the kernel to mount the root filesystem read-only.

What we need to do is enter single-user mode.

I’ll tell why in a moment.

To enter single-user mode, append “1” or “single” to that line (as in the image above) and press Ctrl-x or F10 to continue booting with the new boot parameters.

There you go!

[Image: root-account-single-user-mode]

Root shell prompt again.

Wait

It’s too early to celebrate now.

If you are a hacker, you’ll be happy to be in the account now; if you are a sysadmin, you probably are, and should be, wondering how to fix this issue.

Many sysadmins actually set a root password to stop users from getting a root shell via single-user/recovery mode.

In my case the root account was unprotected, so I got access to root via single-user mode.

All that was being done to limit users was that user (the username given to students) was a standard, unprivileged account. That’s it.

Pretty lame way of protecting it.

It’s good that you put some effort into safeguarding it from a potential hacker.

But

it’s not enough to stop a potential attacker from getting into this SECURED Linux box.

How can I say that ?

Let me show you…

While editing the GRUB boot line, you told the kernel to enter single-user mode by adding “1” or “single” at the end of the command.

And when no user is logged in, the default (and only) user left is root. Similar to what we did in the previous post to hack into the Admin account on Windows.

Why did it give an Administrator-level CMD when the sticky keys were pressed? Because when no user is logged in, everything runs by default with administrator-level privileges, and Admin is the only account that has been on the system from the very beginning.

But now, as you know, the root account is password protected, so the question is: how can you get into the system?

Bypass Root password prompt – The easy way

To bypass it, just tell the kernel to start bash as its first process instead of init by adding init=/bin/bash at the right-most end of the command (it would work anywhere within the line).

Check the kernel’s parameter list for other variations and try them as well: Parameter List

[Image: edit-boot-option-init-bin-bash-read-only]

Now if you press Ctrl-x or F10 you’ll get into the root shell prompt without being asked for the password.

Here’s the deal: when you get into the root account this way, the root partition is by default mounted read-only, as

“ro” suggests in the image. You can get around it in two ways:

  1. Either edit the boot option ro to rw, to mount the root partition read-write, or
     [Image: edit-boot-option-init-bin-bash-read-write]
  2. Mount the root partition read-write directly from the shell prompt.

You can confirm the parameters the kernel was started with.

Type cat /proc/cmdline at the shell prompt:

[Image: cat-proc-cmdline-rw]

The same parameters as passed in the previous image.
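Because whatever was typed at the GRUB edit prompt ends up verbatim in /proc/cmdline, a sysadmin can check that same file for the overrides this post uses. The following is an added example, my own code rather than anything from the original post: a POSIX shell function that flags the boot-time overrides discussed above (single-user mode, init=/bin/bash, a read-write root at boot) on a kernel command line. It goes a little beyond the two spellings used in the post and also flags the systemd and dracut equivalents. The function name, the sample command lines and the kernel version string in them are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): audit a kernel command line for
# boot-time overrides. On a live host the input is the contents of
# /proc/cmdline; the two samples at the bottom are constructed.

# cmdline_overrides CMDLINE
#   Prints every token of CMDLINE that overrides the normal boot, one per line.
#   Returns 0 when the command line looks normal, 1 when something was flagged.
cmdline_overrides() {
    found=0
    for tok in $1; do                   # word-splitting on whitespace is intended
        case "$tok" in
            init=*)                     # a different PID 1, e.g. init=/bin/bash
                printf '%s\n' "$tok"; found=1 ;;
            single|1|S|s|rescue|emergency|-b)   # single-user / rescue / emergency boot
                printf '%s\n' "$tok"; found=1 ;;
            systemd.unit=rescue.target|systemd.unit=emergency.target|rd.break)
                printf '%s\n' "$tok"; found=1 ;;   # the systemd and dracut spellings
            rw)                         # Ubuntu boots with "ro"; some distributions use
                printf '%s\n' "$tok"; found=1 ;;   # "rw" legitimately, so treat it as a hint
        esac
    done
    return $found
}

# Constructed samples (not captured from a real machine).
NORMAL_CMDLINE='BOOT_IMAGE=/boot/vmlinuz-4.4.0-21-generic root=UUID=0000-constructed ro quiet splash'
TAMPERED_CMDLINE='BOOT_IMAGE=/boot/vmlinuz-4.4.0-21-generic root=UUID=0000-constructed rw quiet splash init=/bin/bash'

for sample in "$NORMAL_CMDLINE" "$TAMPERED_CMDLINE"; do
    # the status of the assignment is the status of the command substitution
    if hits=$(cmdline_overrides "$sample"); then
        echo "ok:      $sample"
    else
        echo "FLAGGED: $sample  ->  $(echo $hits)"
    fi
done
```

On a running system, call it as cmdline_overrides "$(cat /proc/cmdline)" from a boot-time script or a periodic check; a hit means the machine was not started with the parameters in its installed GRUB configuration, which is exactly the situation the post describes and one worth an alert.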

Now you are root, but what next?

Which issue did I face next? Or did I even have one?

Yes, there was, and still is, an issue with this method, which you too will face sooner or later.


How to maintain a persistent and stealthy root access

The only issue with the above method is that even if you change the password for an account,

the changes will vanish once you reboot.

Yes, it is temporary (which is what you would expect if the root partition was still mounted read-only, as described above).

That’s the problem I faced when I tried to turn the standard user account into a root account and thought that next time I wouldn’t have to go into edit mode, edit the boot options, reset the root password, etc.

But I was wrong, changes made during that session just vanished.

What I was actually doing was:

  1. Change the root password
  2. Log into the GUI
  3. Log in as the standard user, to keep it stealthy
  4. Run the desired command with “sudo”
  5. Get the work done

Two issues I faced:

  1. Standard user was not a part of sudoers
  2. Changed root password vanishes/reverts on reboot

How did I fix it?

I made the standard user a root-equivalent user.

It was simple.

Whenever I typed sudo <command> I was getting an error something like:

user (Username) is not in the sudoers file

[Image: https://rootsh3ll.com/wp-content/uploads/2016/03/user-is-not-in-sudoers-file]

*this is where I used a bit of my head*

I thought: what is the sudoers file? Let’s locate it:

$ locate sudoers

I got a result similar to this:

[Image: locate-sudoers-MATE-terminal]

Now I had the path, and needed to see what’s inside.

But I wasn’t privileged enough at that moment to read the file.

So ?

  1. Reboot.
  2. Edit boot.
  3. Boot.
  4. Edit the sudoers file: vi /etc/sudoers

This is what it looked like:

[Image: edit-etc-sudoers-file]

And as you can see, I found a line saying:

root ALL=(ALL:ALL) ALL

I didn’t know what the hell this syntax exactly means, but it was clear enough that it gives ALL the privileges to the account named root.

Also, as suggested by the comment above that line:

Why not try the same syntax with our standard user, user?

So I did…

I added user ALL=(ALL:ALL) ALL right below that line.

  • Save.
  • Exit.
  • Log in to the GUI.

And here it goes. I am root now.

Now I do not need the root password any more, which makes it even stealthier: if a sysadmin tries to make some changes to the system, locally or remotely, the root password is unchanged (set or unset, as before);

rather, the standard account is escalated, which s/he won’t be looking at very frequently.. hahaa

The benefit of the sudo command is that it never asks you for the root password. You just need to be in the sudoers file with the appropriate privilege level, and you enter your own password, which I knew (unchanged) in my case.

What next ?

I used it for downloading, and for hosting a local web server across the labs. I helped a few students clear the lab exams.

LoL, illegal though, but.. that’s what friends do 🙂

One more thing I forgot to tell.

Another way to edit sudoers file

If you are a beginner, you might forget the location of the sudoers file or the locate command; I did forget about them too.

In that case you don’t need to remember 2-3 commands to get the job done.

Read the first line of the sudoers file. It says it should be edited with the visudo command. There’s no hard and fast rule for it, but this one’s helpful, and you should edit the sudoers file using visudo only.

Why ?

visudo checks the file’s syntax before actually overwriting the sudoers file.

If you use a plain editor, mess up the syntax, and save… sudo will (probably) stop working, and, since /etc/sudoers is only modifiable by root, you’re stuck (unless you have another way of gaining root).

Additionally, it makes the edit one atomic operation: visudo locks the file, which is important if you need to ensure nobody else can mess up your carefully considered configuration changes. For editing other files as root besides /etc/sudoers there is the sudoedit command, which also guards against such editing conflicts.

When at the root shell prompt (step 2), type visudo and press [ENTER], and you are in the sudoers file.

Edit it and have fun! 😉

From a hacker’s perspective this is a gold mine; from a security researcher’s or system administrator’s perspective it is a bizarre problem that needs to be fixed as quickly as possible.
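For the sysadmin’s side of that last sentence, here is an added example, my own code rather than anything from the post or from the sudo project: a POSIX shell function with an awk filter that reads sudoers text and reports every user specification that grants ALL commands, or NOPASSWD, to a principal outside an allowlist. In sudoers syntax a user specification reads who host=(run-as user:run-as group) commands, so the root ALL=(ALL:ALL) ALL line above lets root run any command as any user and group from any host, and the user ALL=(ALL:ALL) ALL line the post added does the same for the student account. The sample file is constructed to mirror a stock Ubuntu sudoers with that extra line slipped in, and the function name and allowlist default are my choices.

```shell
#!/bin/sh
# Added example (not from the original post): audit sudoers text for grants
# that should not be there. The sample file below is constructed.

# audit_sudoers SUDOERS_TEXT [ALLOWLIST]
#   Prints one line per unexpected grant. ALLOWLIST is a space-separated list
#   of principals (users or %groups) expected to hold full privileges.
#   Returns 0 when nothing unexpected was found, 1 otherwise.
audit_sudoers() {
    printf '%s\n' "$1" | awk -v allow="${2:-root %admin %sudo}" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF == 0          { next }   # blank lines
        $1 ~ /^#/        { next }   # comments and #include / #includedir lines
        $1 ~ /^Defaults/ { next }   # option lines grant nothing
        $1 ~ /_Alias$/   { next }   # alias definitions (not expanded here)
        {
            # a user spec: <who> <host>=(<runas>) [tags:] <commands>
            # the grant is "full" when its command list is just ALL
            full     = ($NF == "ALL")
            nopasswd = ($0 ~ /NOPASSWD:/)
            if (!($1 in ok) && full)          { print "unexpected full grant: " $0; bad++ }
            else if (!($1 in ok) && nopasswd) { print "unexpected NOPASSWD grant: " $0; bad++ }
        }
        END { exit (bad > 0) }'
}

# Constructed sample modelled on a stock Ubuntu /etc/sudoers, with the line
# this post added for "user" placed right below the root entry.
SAMPLE_SUDOERS='# This file MUST be edited with the "visudo" command as root.
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root ALL=(ALL:ALL) ALL
user ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
#includedir /etc/sudoers.d'

audit_sudoers "$SAMPLE_SUDOERS" || echo "sudoers: review the grants listed above"
```

On a live host, run it as root against the real file, audit_sudoers "$(cat /etc/sudoers)", and repeat for each file under /etc/sudoers.d, since that directory is included by the last line. It is a review aid, not a full sudoers parser: aliases are not expanded, so a principal hidden behind a User_Alias needs a manual look. It complements, and does not replace, the syntax check the post describes; visudo -c still does that job.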

Here’s What to Do Next…

If you enjoyed this case study, I want you to do one thing:

Download the FREE checklist that I put together just for this post.

I have compiled this article and “How to Secure your Linux box from such attacks”

step by step in a PDF.

Free PDF + Checklist: Download the Ready2Print PDF Checklist + Full version PDF of this post


And one more thing: share this article with your friends and help rootsh3ll reach even more people. It’ll help me keep writing even more helpful stuff and more quality articles for you.

Thanks for taking the time to read.

Keep Learning

  • Psycho 544

    Thanks dude! You are a lifesaver! 😊
