Super User Asked by noobler on November 9, 2021
I am working on an exploit for a security course. The object is to obtain a root shell in a Linux virtual machine. So far, I can write to /etc/passwd and change root's password to an arbitrary string.
Now, I want to use su to get the root shell. Since my exploit has to be automated, it can't prompt for a password, and the VM doesn't have expect installed. Does anybody have any idea how I can pass the password to the su command? Or is there a better way?
The best way to automate this type of input is using expect, or better, pexpect.
Most servers come with Python, at least with a modern distribution.
First off, you said your VM does not have expect installed? I'm not sure why that matters. Is there any reason why you cannot install/execute something under your local account?
Next consideration: why must you even use passwd? You can also change a password by replacing the hash specified in /etc/shadow. You obviously would need to correctly pregenerate a hash first, but as long as you use a supported one it should work as expected. Now how you would script such an action, that's an exercise for you to work out.
I also want to mention, passwd does not read its input from STDIN. If I'm not mistaken, it reads from a tty. So no fancy combo of just echo and sleep would work. However, it's possible using a HEREDOC, but that assumes the system is sufficiently responsive. You may be able to break it up and sleep between entries. I just tested this; it worked on my Ubuntu workstation.
#!/bin/bash
passwd root <<'EOF'
newpassword
newpassword
EOF
Answered by J. M. Becker on November 9, 2021
Your exploit could also write to the groups file and make the current user part of the 'wheel' group (or whatever group can run sudo commands w/o a password). Then you'll be able to sudo su root (or any other user) w/o a password.
Running visudo should give you some direction on the setup of the 'wheel' group on your machine.
To clarify: once a user becomes part of the wheel group, they can run sudo commands without needing a password.
Answered by CamelBlues on November 9, 2021
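A defender-side check for the two changes discussed in the answers above (a password hash written directly into /etc/passwd, and a user added to the wheel group), given here as an added example that is not part of the original thread. The admin group names, the `allowed_admins` baseline and the sample file contents are assumptions constructed for illustration.

```python
"""Audit passwd/group text for a stored hash, extra UID 0, or new admin members."""

PLACEHOLDERS = {"x", "*", "!", "!!"}  # values meaning "no hash stored in this file"
ADMIN_GROUPS = {"wheel", "sudo"}      # assumption: groups granted sudo on this host


def audit(passwd_text, group_text, allowed_admins):
    """Return a list of (finding, detail) tuples; empty means nothing flagged."""
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(("malformed-passwd-entry", line))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append(("empty-password", name))
        elif pw not in PLACEHOLDERS:
            # A real hash here overrides /etc/shadow for that account.
            findings.append(("hash-in-passwd", name))
        if uid.isdigit() and int(uid) == 0 and name != "root":
            findings.append(("extra-uid0", name))
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) != 4 or fields[0] not in ADMIN_GROUPS:
            continue
        for member in filter(None, fields[3].split(",")):
            if member not in allowed_admins:
                findings.append(("unexpected-admin", f"{fields[0]}:{member}"))
    return findings


# Constructed sample data, not taken from a real system.
SAMPLE_PASSWD = """\
root:$6$examplesalt$CONSTRUCTEDHASHVALUE:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
student:x:1001:1001::/home/student:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:alice,student
"""

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_PASSWD, SAMPLE_GROUP, allowed_admins={"alice"}):
        print(f"{kind}: {detail}")
```

The check covers supplementary group membership only; users whose primary GID in /etc/passwd is the admin group, and rules in the sudoers files themselves, need a separate review.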