Hacking into Linux Systems without Credentials: A Step-by-Step Guide

TJ. Podobnik, @dorkamotorka
Published in Level Up Coding
6 min read · Apr 11, 2022


Learn how to gain access to a locked Linux-based OS without using any tools or programs. This post explains the methods used to exploit the Linux boot process and gain access to the root user and all files on the system. Discover three methods including booting into Recovery mode, breaking the initramfs process, and overriding the default init parameter. Perfect for those who have forgotten their password or for participating in white hat hacking contests.

To be able to understand how we will gain access to the system, we need to understand a bit about how Linux-based distributions boot.

Linux Boot Process

There are lots of resources that probably explain it better than I can, but I will still briefly go through the different stages so you can better understand where we will exploit the system.

  • The first thing that happens when you press the power button is that the CPU loads the boot/UEFI firmware from flash memory.
  • The boot firmware then reads the Master Boot Record (MBR), which is the first sector of your hard drive (512 bytes), and verifies the disk signature, which is used to identify the drive we are booting from.
  • After that, the boot firmware loads the bootloader into RAM and executes it. It is important to realize that the bootloader runs from RAM, so any changes made in its menu do not persist between boots.
  • This is the stage we will exploit: we are going to modify the parameters that the initramfs user-space helpers use to locate and mount the root file system, and mislead them into giving us access to the system. For the remaining steps, imagine we have not tweaked the system yet.
  • Since the root file system may live on a software RAID volume, LVM, NFS, or an encrypted partition, we need some way to configure the system so it can cope with the many different places the real root file system may have to be mounted from. Therefore the bootloader loads the kernel and a temporary root file system (sometimes referred to as early userspace) into RAM.

💡 The kernel, also referred to as the Linux kernel, is the core interface between a computer’s hardware and its processes.

  • The kernel tries to determine the format of the disk image (the file that stores your file system) from its first few blocks of data, which leads to either the initrd or the initramfs type of temporary file system being mounted (initramfs is the successor of initrd).
  • Initramfs takes over as many functions as possible that the kernel previously performed during the boot process, such as hardware detection, loading kernel modules, and the device discovery necessary to get the real root file system mounted.
  • Initramfs then mounts the root file system and runs /sbin/init using the parameters we will be tweaking/exploiting.
  • Init runs many different modules to set up the services on your system, and finally also the login program (lightdm) that prompts you for your credentials.

So much about the boot process. Let’s have a look at the stage we will exploit in a bit more detail.

Bootloader

In this example we will look specifically at GRUB2, but your system could also use another bootloader such as rEFInd, systemd-boot, coreboot or syslinux. You may have seen it before; on an Ubuntu system the bootloader UI looks something like this:

[Image: the GRUB2 boot menu on Ubuntu]

It’s the screen that comes up during boot and prompts you to choose the OS you want to boot into. It is not strictly necessary if you don’t have multiple operating systems on your machine, but you can still force it to appear by pressing and holding the Shift key immediately after you turn the computer on.

OK, this is enough background for now, let’s exploit it! We will start with the simplest method, which is not always a feasible one.

Boot into Recovery mode

In the image above, the second row shows Advanced options. Select it and choose one of the Recovery mode entries. Your system will boot into a shell, logged in as root. EASY, you're done!

💡 Recovery mode is usually included in the OS for the case where you have forgotten your password; it enables you to regain access to your file system.

The downside of this method is that booting into Recovery mode is not available on all distributions as it may be disabled. Also in the recovery mode, some distributions may still ask you for your root password before giving you access — so you’ve actually achieved nothing. This brings us to the next two methods, which are generally available on most Linux distributions.

Access through initramfs

This method requires you to be slightly more evil. Basically, you change the location of the root file system that initramfs is trying to mount so that it is unable to find it. Consequently, your system ends up stuck in an initramfs CLI terminal, where you not only have root permissions but can also manually mount the root file system from the correct location and access it.

Reboot your system and, once you end up in the GRUB2 UI, press e (edit) on the OS entry you want to access. This opens a simple script. Find the line that begins with linux and change the value of the root= parameter, which tells the kernel where to find the real root file system to mount (just change it to something that does not exist, since the goal is to prevent the kernel from finding it). Now press Ctrl + x, and after a minute a command prompt in the initramfs temporary file system should pop up with root permissions.

This then allows you to do anything you want on the system. Since what we are after is the system’s root file system, we can do the following:

mkdir -p /mnt/rootfs_mountpoint             # Create a mount point for the root file system (absolute path, inside the initramfs)
mount /dev/<disk-X> /mnt/rootfs_mountpoint  # Mount the partition holding the root file system; replace <disk-X> with the real device

You might be satisfied with this method, but we can actually break into the system even easier. Let’s have a look.

Overriding the default init parameter

The last method does not trick the system but simply overrides its default parameters. As before, reboot your PC and open the entry of your OS by pressing e. Then add an additional parameter called init on the same line as the root parameter and set it to /bin/bash, like this:

linux ... root=... init=/bin/bash

Then press Ctrl + x, which boots the system into a bash shell, giving you full control of the system as before.

How to prevent this?

You can mitigate such actions by using Secure Boot, but that could be a whole post of its own, so I won’t go into details here.
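As an added example that is not part of the original post, here is a small POSIX shell script written from the defender’s side, complementing Secure Boot: it checks whether a GRUB configuration password-protects the menu editor that all three methods above rely on, prints the /etc/grub.d/40_custom fragment that enables that protection, and inspects a kernel command line (the format of /proc/cmdline) for an init= override. The file names, the sample grub.cfg contents, the UUID and the password hash below are constructed placeholders; a real hash comes from grub-mkpasswd-pbkdf2.

```shell
#!/bin/sh
# Added example, not from the original post: defensive checks for the GRUB
# menu-editing methods described above. All sample data is constructed.

# grub_protected CFG
#   Prints "protected" and returns 0 if CFG sets a GRUB superuser and a
#   PBKDF2 password, which makes GRUB prompt for a password before the entry
#   editor ("e") or the GRUB command line ("c") can be used.
#   Otherwise prints "unprotected" and returns 1.
grub_protected() {
  if grep -q '^set superusers=' "$1" && grep -q '^password_pbkdf2 ' "$1"; then
    echo protected
    return 0
  fi
  echo unprotected
  return 1
}

# grub_custom_fragment USER HASH
#   Prints the two lines to append to /etc/grub.d/40_custom (then run
#   update-grub). HASH is the output of grub-mkpasswd-pbkdf2.
grub_custom_fragment() {
  printf 'set superusers="%s"\npassword_pbkdf2 %s %s\n' "$1" "$1" "$2"
}

# cmdline_init CMDLINE
#   Prints the value of init= from a kernel command line, or "default" when no
#   override is present. An init= pointing at a shell on a running machine is a
#   sign that the GRUB entry was edited at boot.
cmdline_init() {
  for arg in $1; do
    case "$arg" in
      init=*) echo "${arg#init=}"; return 0 ;;
    esac
  done
  echo default
}

# --- constructed sample data (placeholders, not real system values) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/grub_open.cfg" <<'EOF'
set timeout=5
menuentry 'Ubuntu' {
    linux /boot/vmlinuz root=UUID=PLACEHOLDER-UUID ro quiet splash
}
EOF

cat > "$SAMPLE_DIR/grub_locked.cfg" <<'EOF'
set timeout=5
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER-SALT.PLACEHOLDER-HASH
menuentry 'Ubuntu' --unrestricted {
    linux /boot/vmlinuz root=UUID=PLACEHOLDER-UUID ro quiet splash
}
EOF

TAMPERED_CMDLINE='BOOT_IMAGE=/boot/vmlinuz root=UUID=PLACEHOLDER-UUID ro quiet splash init=/bin/bash'
NORMAL_CMDLINE='BOOT_IMAGE=/boot/vmlinuz root=UUID=PLACEHOLDER-UUID ro quiet splash'

# Demo run (stand-alone use; on a real host point these at /boot/grub/grub.cfg
# and /proc/cmdline).
printf 'grub_open.cfg:   %s\n' "$(grub_protected "$SAMPLE_DIR/grub_open.cfg")"
printf 'grub_locked.cfg: %s\n' "$(grub_protected "$SAMPLE_DIR/grub_locked.cfg")"
printf 'tampered boot init=: %s\n' "$(cmdline_init "$TAMPERED_CMDLINE")"
printf 'normal boot init=:   %s\n' "$(cmdline_init "$NORMAL_CMDLINE")"
printf 'fragment for 40_custom:\n%s' "$(grub_custom_fragment admin grub.pbkdf2.sha512.10000.PLACEHOLDER-SALT.PLACEHOLDER-HASH)"
```

After appending the fragment to /etc/grub.d/40_custom, run update-grub (grub2-mkconfig on distributions that use that name). Once superusers is set, GRUB asks for the password before e or c can be used; entries that should still boot without a password need the --unrestricted option on their menuentry line, as in the locked sample. A GRUB password only protects the boot menu, though: it does not protect the data on the disk itself, which is what full-disk encryption is for.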

That’s all for this post, I hope you find it interesting. Follow me for more.
