How to take control of the root account on Linux without knowing the password
Welcome back to another tutorial from our Linux explorations tutorial series.
This time we are taking a break from Alpine Linux and looking at ways to gain access to the root account (su = superuser, also known as root or admin account).
What is the root account??
A short description
The root account in Linux is the superuser account with administrative privileges. It has the highest level of access and control over the system.
In short, the root user can execute any command and modify any file on the system.?
This makes it a powerful but potentially dangerous account.
The root user has a user identifier of 0, making it a special and distinct user on the system.
It has 2 important features:
1. Access Control: As stated above, by default, the root user can access and modify any file on the system. This is a very powerful and dangerous feature of the root account on any Linux (or UNIX) system. This includes critical system files.
2. Command Execution: Again, as stated above, the root user can execute any command without restriction, which is why it is so dangerous and must be protected to avoid unintentional damage to the Linux (or UNIX) system. This is both powerful and dangerous.?
It is important to exercise caution when using the root account to avoid accidental changes that could disrupt the system.?
Regular users should only use root privileges when necessary and with a clear understanding of the potential impact on the system. It is a commonly accepted best practice to perform administrative tasks without logging in as root, but instead to use the sudo (superuser do) command. Users with the right privileges can use sudo to execute specific commands as if they were the root user.
Additionally, securing the root account with a strong password and monitoring its usage with proper log files are good practices for maintaining system integrity.
Now that we have established the definition of the root account and have set some good ground rules for its safe usage, let us move on to our purpose today: - Gaining access to this root account without actually knowing the password.?
Let us first image a legitimate use case: We have received an Ubuntu 20.04 Linux Server (or any other Linux server, the method described below works on most of them) from the SysAdmin but we were not provided the password. Now we need to properly maintain and care for this vital part of the enterprise network infrastructure which is quite impossible to do without the root access.?
So we need to gain access to the root account on the Business Servers without the password. You would imagine this to be impossible as Linux and generally enterprise servers are supposed to be very secure but it can be done easily in multiple ways.?
Today I will demonstrate at least one of these methods to "hack" the root account. It should be noted that in the Linux culture, whoever has control of the root account, has control of the machine itself and "owns it".?
This should only be done for legitimate purposes, as in many cases the former SysAdmin is no longer available to work and we must perform administrative tasks on these machines.?
It is quite a common occurrence.?
We will use a local Ubuntu Server 20.04 virtual machine.
Let us begin:
1. Power on the Ubuntu Server 20.04 Linux Virtual Machine.
2. Login to our Ubuntu Server Virtual machine.
Once the Ubuntu Server 20.04 VM has fully booted we are ready to begin the process – system ready. Simply type in the username and password.
3. Logged on to the system.
We are now logged in.
4. Use the root account.
We are now logged in as the root.
5. Shutting down the system.
We can now safely and cleanly shut down the system by using the "poweroff" command (this command is available in other Linux and UNIX systems as well).
6. Load the Live ISO Image.
We can download the image from the Canonical servers.
7. Boot into the Live ISO image.
8. Start the Live CD session.
9. Select Help from the top right corner.
10. Select Enter Shell.
11. Ubuntu Server 20.04 Live CD session BASH shell.
12. Here we can see our installed Ubuntu Server 20.04 virtual hard drive.
领英推荐
The command is: "fdisk --list | grep 40"
This is because I already know our Ubuntu Server 20.04 is stored on a 40 GB virtual hard drive.
Otherwise, we can simply execute the command: "fdisk --list" and find our disk among the results.
13. Here we check our File System Table (fstab).
The command is: "nano /etc/fstab".
14. Create a new directory to mount our Ubuntu Server 20.04 virtual hard drive.
The command is: "ls" - to list the directories and files.
The command is: "mkdir hamster" - to create the new directory for our mount point.
15. Add our Ubuntu Server 20.04 virtual hard drive to the File System Table (fstab) of the Live CD session.
The command is: "/dev/sda2 /hamster ext4 rw 0 0" - in our case, it happened to be /dev/sda2, /hamster is the mount point on our system and ext4 is the file system. Also, we wish to mount with Read Write and the first 0 - no backup - and the second 0 - DO NOT CHECK integrity at boot time -.
Here is a more detailed breakdown of the logic in the fstab syntax:
So, in short, we have an entry for the /etc/fstab that is instructing the system to mount the second partition of the first storage device (/dev/sda2) to the /hamster directory, using the ext4 file system with read-write permissions. The last two fields (0 0) suggest that no backup is scheduled, and the file system won't be checked at boot time.
16. Reload and mount the contents of the fstab file.
The command is: "mount -a" - this will instruct the system to reload the partitions and mount them based on the changes we just made to our /etc/fstab file.
17. Switch root access to the Ubuntu Server 20.04 internal virtual hard drive (we have just gained root access without needing the password).
The command is: "chroot /hamster".?
The chroot command is used in UNIX operating systems, including Linux, to change the apparent root directory for a specific process and its children.
After executing this command, if you run commands or start processes, they will think that /hamster is the root directory. This is useful in certain situations, such as when we want to create an isolated environment or chroot jail for a specific application. It can be a security measure because the processes running inside the chroot environment have limited access to files outside of that environment.
Caution: It is important to note that chroot is not a foolproof security mechanism, and it is not designed to be a full-fledged sandbox. More sophisticated containerization technologies like Docker or virtualization solutions provide more comprehensive isolation.
18. We have just changed the root password on the Ubuntu Server 20.04.
The command is: "passwd root".
The passwd command in Linux is used to change the password of a user account. When we run the command with the username as an argument, it allows us to set a new password for that user. In the case of passwd root, it specifically changes the password for the root user.
19. We even changed the password on the user account.
The command is: "passwd alex".
20. We exit chroot, cleanly unmount the Ubuntu Server 20.04 file system, and cleanly power off the entire system.
The command is: "exit". - the exit chroot.
The command is: "umount /hamster". - to cleanly unmount the partition after we made the changes.
The command is: "poweroff". - to safely and cleanly power down the system.
21. Remove the Live CD iso image from the virtual optical unit.
22. Boot the Ubuntu Server 20.04 VM again.
23. Logged on again as the root.
24. It worked.
25. It worked for the user Alex also.
26. User Alex logged on.
27. We can now shut down our Ubuntu Server 20.04 system cleanly.
The command is: "sudo poweoff".
Well, that was most enjoyable. See you in the next tutorial! #linux