How to take control of the root account on Linux with LVM without knowing the password

Welcome back to another tutorial from our Linux explorations tutorial series.

This time we are taking a break from Alpine Linux and looking at ways to gain access to the root account (the superuser, also known as root or the admin account).

What is the root account?

A short description

The root account in Linux is the superuser account with administrative privileges. It has the highest level of access and control over the system.

In short, the root user can execute any command and modify any file on the system.

This makes it a powerful but potentially dangerous account.

The root user has a user identifier of 0, making it a special and distinct user on the system.

It has 2 important features:

1. Access control: by default, the root user can read and modify any file on the system, including critical system files. This is a very powerful and dangerous property of the root account on any Linux (or UNIX) system.

2. Command execution: the root user can execute any command without restriction. This is why the account is so dangerous and must be protected against unintentional damage to the Linux (or UNIX) system.

It is important to exercise caution when using the root account to avoid accidental changes that could disrupt the system.

Regular users should only use root privileges when necessary and with a clear understanding of the potential impact on the system. It is a commonly accepted best practice to perform administrative tasks without logging in as root, but instead to use the sudo (superuser do) command. Users with the right privileges can use sudo to execute specific commands as if they were the root user.

Additionally, securing the root account with a strong password and monitoring its usage with proper log files are good practices for maintaining system integrity.

Now that we have established what the root account is and set some ground rules for its safe usage, let us move on to our purpose today: gaining access to the root account without actually knowing the password.

Let us first imagine a legitimate use case: we have received an Ubuntu 20.04 Linux Server (or any other Linux server; the method described below works on most of them) from the SysAdmin, but we were not given the password. We now need to maintain and care for this vital part of the enterprise network infrastructure, which is practically impossible without root access.

So we need to gain access to the root account on the business servers without the password. You might expect this to be impossible, since Linux and enterprise servers in general are supposed to be very secure, but it can be done easily in more than one way.

Regarding Logical Volume Management

Logical Volume Manager (LVM) is a disk management system that provides a level of abstraction over physical storage, allowing for more flexibility in managing storage resources on Linux systems. LVM is often used to manage disk space, create snapshots, and dynamically resize logical volumes, providing features that make storage management more efficient and adaptable.

A physical volume is typically a hard drive or a partition on a hard drive.

A volume group is a collection of one or more physical volumes.

A logical volume is a virtual partition created within a volume group.
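This physical volume, volume group, logical volume chain also decides whether the offline mount used later in this tutorial is possible at all: a logical volume whose physical volume sits directly on a partition can be mounted from any boot medium, while one whose physical volume lives inside a LUKS (dm-crypt) mapping cannot be opened without the passphrase, which is why full-disk encryption is the usual defence against offline password resets. The following shell script is an added example, not part of the original tutorial; it walks the parent chain that lsblk reports for the device mounted at / and reports whether a crypt layer is in it. The two lsblk outputs and the device names in them (sda2, dm_crypt-0) are constructed samples.

```shell
#!/bin/sh
# Added example (not from the tutorial): decide whether the filesystem mounted at /
# sits on an encrypted device by walking the block-device parent chain that
# `lsblk -P -n -o NAME,TYPE,PKNAME,MOUNTPOINT` reports. On a live system run:
#   root_storage_check "$(lsblk -P -n -o NAME,TYPE,PKNAME,MOUNTPOINT)"
# Both inputs below are constructed samples in that output format.

# Layout the tutorial mounts: the LVM physical volume lies straight on a partition.
LSBLK_PLAIN='NAME="sda" TYPE="disk" PKNAME="" MOUNTPOINT=""
NAME="sda1" TYPE="part" PKNAME="sda" MOUNTPOINT="/boot"
NAME="sda2" TYPE="part" PKNAME="sda" MOUNTPOINT=""
NAME="ubuntu--vg-ubuntu--lv" TYPE="lvm" PKNAME="sda2" MOUNTPOINT="/"'

# Same LVM layout with the physical volume inside a LUKS (dm-crypt) mapping.
LSBLK_LUKS='NAME="sda" TYPE="disk" PKNAME="" MOUNTPOINT=""
NAME="sda1" TYPE="part" PKNAME="sda" MOUNTPOINT="/boot"
NAME="sda2" TYPE="part" PKNAME="sda" MOUNTPOINT=""
NAME="dm_crypt-0" TYPE="crypt" PKNAME="sda2" MOUNTPOINT=""
NAME="ubuntu--vg-ubuntu--lv" TYPE="lvm" PKNAME="dm_crypt-0" MOUNTPOINT="/"'

# root_storage_check LSBLK_OUTPUT
# Prints one line: "ENCRYPTED: <chain>" or "PLAIN: <chain>", where <chain> lists the
# devices from the root filesystem up to the disk, or "NO-ROOT" if nothing is mounted at /.
root_storage_check() {
  printf '%s\n' "$1" | awk '
    # val(key): value of KEY="..." on the current line; the key is matched at a
    # field boundary so that NAME does not pick up PKNAME.
    function val(key,   s) {
      if (!match($0, "(^| )" key "=\"[^\"]*\"")) return ""
      s = substr($0, RSTART, RLENGTH)
      sub(/^ /, "", s)
      return substr(s, length(key) + 3, length(s) - length(key) - 3)
    }
    {
      name = val("NAME")
      if (name == "") next
      type[name] = val("TYPE")
      parent[name] = val("PKNAME")
      if (val("MOUNTPOINT") == "/") root = name
    }
    END {
      if (root == "") { print "NO-ROOT"; exit }
      chain = ""; encrypted = 0
      for (d = root; d != ""; d = parent[d]) {   # walk child -> parent up to the disk
        chain = chain (chain == "" ? "" : " <- ") d
        if (type[d] == "crypt") encrypted = 1
      }
      label = encrypted ? "ENCRYPTED: " : "PLAIN: "
      print label chain
    }'
}

root_storage_check "$LSBLK_PLAIN"   # PLAIN: ubuntu--vg-ubuntu--lv <- sda2 <- sda
root_storage_check "$LSBLK_LUKS"    # ENCRYPTED: ubuntu--vg-ubuntu--lv <- dm_crypt-0 <- sda2 <- sda
```

The check reads the TYPE column rather than guessing from device names, because LVM names vary between installations and a crypt mapping can sit either below the physical volume (LVM on LUKS, as in the second sample) or above the logical volume; both are caught because every ancestor of / is inspected.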

Today I will demonstrate at least one of these methods to "hack" the root account. It should be noted that in the Linux culture, whoever has control of the root account, has control of the machine itself and "owns it".

This should only be done for legitimate purposes, as in many cases the former SysAdmin is no longer available to work and we must perform administrative tasks on these machines.

It is quite a common occurrence.

We will use a local Ubuntu Server 20.04 virtual machine.

Let us begin:

1. Power on the Ubuntu Server 20.04 Linux Virtual Machine.

2. Login to our Ubuntu Server Virtual machine.

Once the Ubuntu Server 20.04 VM has fully booted and shows the login prompt, we are ready to begin. Simply type in the username and password.

3. Logged on to the system.

We are now logged in.

4. Use the root account.

We are now logged in as root.

5. Shutting down the system.

We can now safely and cleanly shut down the system by using the "poweroff" command (this command is available in other Linux and UNIX systems as well).

6. Load the Live ISO Image.

We can download the image from the Canonical servers.

7. Boot into the Live ISO image.

8. Start the Live CD session.

9. Select Help from the top right corner.

10. Select Enter Shell.

11. Ubuntu Server 20.04 Live CD session BASH shell.

12. Mount our LVM-based Ubuntu 20.04 virtual hard drive into our Live CD session.

Create a new directory to serve as the mount point for our Ubuntu Server 20.04 virtual hard drive, then mount the logical volume into it.

The command is: "ls" - lists the directories and files in the current directory.
The command is: "mkdir hamster" - creates the new directory that will be our mount point.
The command is: "lvdisplay" - shows information about the logical volumes present, including their attributes, size and status.
The command is: "mount /dev/ubuntu-vg/ubuntu-lv /hamster" - mounts the logical volume ubuntu-lv of the volume group ubuntu-vg at the mount point /hamster (ubuntu-vg and ubuntu-lv are the names the Ubuntu Server installer creates by default; lvdisplay shows the actual names on a given system).

13. Change root into the mounted Ubuntu Server 20.04 virtual hard drive (we have now gained root access without needing the password).
The command is: "chroot /hamster".

The chroot command is used in UNIX operating systems, including Linux, to change the apparent root directory for a specific process and its children.

After executing this command, if you run commands or start processes, they will think that /hamster is the root directory. This is useful in certain situations, such as when we want to create an isolated environment or chroot jail for a specific application. It can be a security measure because the processes running inside the chroot environment have limited access to files outside of that environment.

Caution: It is important to note that chroot is not a foolproof security mechanism, and it is not designed to be a full-fledged sandbox. More sophisticated containerization technologies like Docker or virtualization solutions provide more comprehensive isolation.

14. We have just changed the root password on the Ubuntu Server 20.04.

The command is: "passwd root".

The passwd command in Linux is used to change the password of a user account. When we run the command with the username as an argument, it allows us to set a new password for that user. In the case of passwd root, it specifically changes the password for the root user.

We also changed the password of the regular user account, alex.

The command is: "passwd alex".

15. We exit chroot, cleanly unmount the Ubuntu Server 20.04 file system, and cleanly power off the entire system.

The command is: "exit" - leaves the chroot.
The command is: "umount /hamster" - cleanly unmounts the file system after we made the changes.
The command is: "poweroff" - safely and cleanly powers down the system.

Remove the Live CD iso image from the virtual optical unit.

16. Boot the Ubuntu Server 20.04 VM again.

17. Logged on again as root.

It worked.

It worked for the user alex also.
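Because passwd writes the current day number into the third field of /etc/shadow, a reset performed from a live medium (as in step 14) leaves a password-change date that none of the machine's own boot sessions cover, which is something the machine's owner can look for afterwards. The following shell script is an added example, not part of the original tutorial, that compares each account's change day with a list of boot sessions; the shadow excerpt (placeholder hashes), the extra account svc-backup and the session days are constructed samples.

```shell
#!/bin/sh
# Added example (not from the tutorial): flag accounts whose password-change day in
# /etc/shadow falls in a period when this machine's own boot records say it was
# powered off. passwd (also when run inside a chroot from another boot medium)
# writes the current day number into field 3 of /etc/shadow, so an offline reset
# leaves a change date that no boot session of the machine itself covers.
# Both inputs are constructed samples; the hashes are placeholders.

# Constructed /etc/shadow excerpt: name:hash:lastchg(days since 1970-01-01):...
SHADOW='root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19857:0:99999:7:::
daemon:*:19500:0:99999:7:::
alex:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19857:0:99999:7:::
svc-backup:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19800:0:99999:7:::'

# Constructed boot sessions as "boot_day shutdown_day" in the same day units.
# On a real host derive them from `last -x reboot shutdown` or `journalctl --list-boots`,
# converting each timestamp with $(( $(date -d "$ts" +%s) / 86400 )), and use
# today's day as the end of the session that is still running.
# Day 19857 (2024-05-14) lies in the gap between the second and third sessions.
UPTIME_DAYS='19790 19812
19815 19850
19860 19870'

# flag_offline_password_changes SHADOW_TEXT UPTIME_TEXT
# Prints "user:day:status" per account; status is covered, OFFLINE, no-record
# (older than the earliest boot record, so not judged) or locked (no usable hash).
flag_offline_password_changes() {
  printf '%s\n' "$2" | awk -v shadow="$1" '
    NF >= 2 { n++; boot[n] = $1 + 0; halt[n] = $2 + 0
              if (n == 1 || boot[n] < first) first = boot[n] }
    END {
      cnt = split(shadow, lines, "\n")
      for (i = 1; i <= cnt; i++) {
        if (lines[i] == "") continue
        split(lines[i], f, ":")
        user = f[1]; hash = f[2]; day = f[3] + 0
        if (hash == "" || hash == "*" || hash ~ /^!/) { print user ":" day ":locked"; continue }
        if (n == 0 || day < first) { print user ":" day ":no-record"; continue }
        status = "OFFLINE"
        for (k = 1; k <= n; k++)
          if (day >= boot[k] && day <= halt[k]) status = "covered"
        print user ":" day ":" status
      }
    }'
}

flag_offline_password_changes "$SHADOW" "$UPTIME_DAYS"
# root:19857:OFFLINE
# daemon:19500:locked
# alex:19857:OFFLINE
# svc-backup:19800:covered
```

A hit is a lead rather than proof: the live medium's clock may be wrong, the passwd run is logged on the live system rather than in this machine's auth log, and a legitimate reset like the one in this tutorial leaves exactly the same trace, so the comparison is most useful when run on a schedule and reconciled against a change record.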

18. User Alex logged on.

19. We can now shut down our Ubuntu Server 20.04 system cleanly.

The command is: "sudo poweroff".

Well, that was most enjoyable. See you in the next tutorial! #linux

More articles by Razvan Alexandru Ionica