Have you ever forgotten your root password and thought about ways to recover it? It is possible to change it, but that also means it’s possible to hack your computer. In this post we take a look at how to use a live USB and chroot to gain root access.
All modern distros come with a live version, where you don’t need to install the OS but can run Linux directly from a CD/USB. This is perfect when you need to make emergency repairs to your main OS. However, if you are able to boot from another device you can also access the files on any available hard drive. This can be used to change the password on an installed Linux, for good or bad.
I was surprised how easy it was to boot from a live USB and then just use chroot to be able to use passwd to change the password, and from now on I will make sure to protect my machine better. Is it possible to break a VM with the same method? Of course! Let’s get started.
0 – Installing the tools
First install a guest that you want to break into (see the previous post). Let’s call it Guest A. In this guide I’ll use Lubuntu*, and as with most Ubuntu clones that means there’s no root password; all we need is an admin password. If you use another distro you probably just want to change the root password. Don’t add any encryption or UEFI support (we talk more about this later).
* I found out that Lubuntu has a problem with adding encryption, so you probably don’t want to use it. A good alternative is Xubuntu.
Next we want a Linux live USB. You can skip this step and boot from the Lubuntu CD; our VM will always have a CD drive, but some real-world machines don’t these days, so it’s a good exercise to practice with a virtual USB. One option for creating a virtual USB is to use a real USB and add a filter for it under USB settings.
Add a new HD to Guest A.
Go to Storage and click on the hard drive icon with a green plus. Create an 8 GB drive and check the “solid state drive” and “hot pluggable” check boxes. I have named it liveusb.vdi.
Keep the live CD and boot up (either live or Guest A). Use lsblk to check which hard drives we have:
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 20,5G 0 disk
├─sda1 8:1 0 16,5G 0 part /
├─sda2 8:2 0 1K 0 part
└─sda5 8:5 0 4G 0 part [SWAP]
sdb 8:16 0 8G 0 disk
sr0 11:0 1 744M 0 rom /media/zabbat/Lubuntu 15.10 amd64
As we can see, sda is for Guest A, sdb is our new hard drive for the live USB and sr0 contains the live CD. Let’s copy the CD to sdb using dd. I know dd is a synonym for disk destroy, but that’s why I like VMs: the damage is at least restrained to your guest OS.
#dd if=/dev/sr0 of=/dev/sdb
lsblk should now show sdb as:
sdb 8:16 0 8G 0 disk
├─sdb1 8:17 0 744M 0 part
└─sdb2 8:18 0 2,2M 0 part
1 – Booting Up
Now let’s boot from the live USB. There are two ways you can make your system boot from it. You can either mash F12 at VM startup and select the drive, or you can assign the hard drive to the lowest SATA port number of your hard drives from the storage menu. In the real world the boot menu might be locked, but in VirtualBox it’s not possible to do so.
Start the live USB without installing, then open a terminal.
Mount Guest A’s root partition to /mnt. In our case you can see that only sda1 can possibly be a root partition: sda2 is too small and probably reserved for the boot record, and sda5 is the 4 GB swap.
#mount /dev/sda1 /mnt
then let’s change the fs root:
Now you have root privilege in Guest A’s file system.
In Ubuntu clones you normally don’t have a root user. To find the user name you want to change the password for, check either /etc/passwd or /etc/group. Let’s open group and see who’s in the admin or sudo group.
my file says something like:
So let’s change zabbat’s password to 123456:
We’re done! Exit from chroot and reboot. Remember to change back the boot order.
When Guest A prompts you to log in, select zabbat as user and 123456 as password.
2 – Protection
Since the attack works by mounting the file system, you can protect against it by encrypting your drive. It is not enough to choose “encrypt my home folder”, which is a popular choice for Ubuntu clones. Your home folder is quite uninteresting when it comes to getting your password. Which folders you need to encrypt varies depending on your distro and partition setup. Don’t take any risks: encrypt everything, since chroot makes it possible to read and edit sensitive files. For example, one could go to your /etc/passwd and change it so that root does not require any password at all.
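To check whether an installation is actually protected this way, the following added example (not part of the original post) walks the device tree reported by lsblk and tells you whether a given mount point sits on an encrypted (dm-crypt/LUKS) device. The function name mount_is_encrypted and both sample layouts are constructed for illustration; the first sample mirrors the unencrypted Guest A layout shown earlier.

```sh
#!/bin/sh
# Added example. Input: output of `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT`.
# mount_is_encrypted MOUNTPOINT   (reads the lsblk output on stdin)
#   0 = the backing device or one of its ancestors has TYPE="crypt"
#   1 = only plain devices (readable from a live USB), 2 = mount point not listed
# Limitation: follows one parent per device, so multi-parent RAID is not covered.
mount_is_encrypted() {
    awk -v want="$1" '
    {
        line = $0; split("", f)
        while (match(line, /[A-Z]+="[^"]*"/)) {      # KEY="value" pairs
            pair = substr(line, RSTART, RLENGTH)
            line = substr(line, RSTART + RLENGTH)
            eq = index(pair, "=")
            f[substr(pair, 1, eq - 1)] = substr(pair, eq + 2, length(pair) - eq - 2)
        }
        type[f["KNAME"]] = f["TYPE"]; parent[f["KNAME"]] = f["PKNAME"]
        if (f["MOUNTPOINT"] == want) start = f["KNAME"]
    }
    END {
        if (start == "") exit 2
        for (d = start; d != "" && hops++ < 64; d = parent[d])
            if (type[d] == "crypt") exit 0
        exit 1
    }'
}
# Constructed sample 1: the layout shown in the post, root directly on sda1.
sample_plain() { cat <<'EOF'
KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/"
KNAME="sda5" PKNAME="sda" TYPE="part" MOUNTPOINT="[SWAP]"
EOF
}
# Constructed sample 2: full-disk encryption (LUKS container holding an LVM root).
sample_luks() { cat <<'EOF'
KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda5" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda5" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
EOF
}
for s in sample_plain sample_luks; do
    if "$s" | mount_is_encrypted /; then echo "$s: / is on an encrypted device"
    else echo "$s: / is NOT encrypted"; fi
done
```

On a real machine, pipe the live output in instead of a sample: lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT | mount_is_encrypted /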
A note: while I was creating an encrypted installation of Lubuntu I noticed that there’s a bug that stops you from encrypting. I tried Xubuntu instead and it worked.
If someone has physical access to your computer it is incredibly easy to hack it. If you have a laptop there really is no excuse for not encrypting your drives; if you lose it without encryption you can assume they will break into it.
For a VM there’s no need to have physical access to the computer. Someone could SSH into the host and break your guest OS. All they need is permission to edit the VM so that it boots from a live CD/USB, or perhaps from the network.