TransWikia.com

How can I automatically pass the password to 'su'?

Super User Asked by noobler on November 9, 2021

I am working on an exploit for a security course. The object is to obtain a root shell in a linux virtual machine. So far, I can write to /etc/passwd and change root’s password to an arbitrary string.

Now, I want to use su to get the root shell. Since my exploit has to be automated, it can’t prompt for a password, and the vm doesn’t have expect installed. Does anybody have any idea how I can pass the password to the su command? Or is there a better way?

2 Answers

The best ways to automate this type of input, is using expect or better pexpect. most servers come with python, at least with a modern distribution.

First off you said your VM does not have expect installed? I'm not sure why that matters. Is there any reason why you cannot install/execute something, under your local account?

Next consideration, why must you even use passwd??? You can also change a password by replacing the hash specified in /etc/shadow. You obviously would need to correctly pregenerate a hash first, but as long as you use a supported one it should work as expected. Now how you would script such an action, that's an exercise for you to work out.

I also want to mention, passwd does not read it's input from STDIN. If i'm not mistaken, it reads from a tty. So no fancy combo of just echo and sleep would work. However it's possible using a HEREDOC, but assumes system is sufficiently responsive. You may be able to break it up and sleep between entires. I just tested this, it worked on my Ubuntu workstation.

#!/bin/bash
passwd root <<'EOF'
newpassword
newpassword
EOF

Answered by J. M. Becker on November 9, 2021

Your exploit could also write to the groups file and make the current user part of the 'wheel' group (or whatever group can run sudo commands w/o a password). Then you'll be able to sudo su root (or any other user) w/o a password.

Running visudo should give you some direction on the setup of the 'wheel' group on your machine.

To clarify: once a user becomes part of the wheel group, they can run sudo commands without needing a password.

Answered by CamelBlues on November 9, 2021

Add your own answers!

Ask a Question

Get help from others!

© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP