It has been quite a few weeks since my last blog post. I have been very busy with the PWB course from offensive security, as well as the daily grind to put food on the table. But, that’s no excuse!
Hard core *nix enthusiasts will no doubt say “duh” to the knowledge I’m attempting to impart here, but for folks who grew up using Windows as their primary operating system, the mysteries of all that is *nix never cease to amaze!
My intent for this post is to provide several neat methods that can be used when working with *nix systems. I wanted to share this with folks because I think these are very useful. I’ll not only tell you how to create a user whose privileges mirror root’s, but I’ll tell you how to do it in a non-interactive environment (via two methods). To perform these you already need root/sudo privileges on the system in question. Of course, you must own the system or have permission to muck about with it!
Why?
Why would you want to add a root user if you’re already root? There are probably many cases for this, but one I constantly find myself in is during penetration tests. I find myself with a non-interactive root shell on a Linux/Unix system after taking advantage of some exploit. If I want to be able to install packages on the system (maybe a SOCKS proxy or nmap?) or do anything with much depth, I prefer an interactive environment, one where I can actually see what I’m doing and get the full benefit of a TTY; namely stdin, stdout and stderr. Some companies won’t let you change root’s password (or don’t like it). Also, some distros don’t allow the root account to log in via SSH/telnet (without changing conf files). So how do I get in to the system via ssh or telnet if I can’t change root’s password? Add a user with the same UID/GID as root, of course! Sounds easy enough, but it’s tough in a non-interactive environment, where any script or program that requires user input doesn’t work as expected. Below we’ll bypass those limitations.
Let’s Do It!
The first method to add a user non-interactively is very simple. Add a user to your own system with the password and group membership you want, then copy and echo the lines for that user from your passwd and shadow files into /etc/passwd and /etc/shadow on the target system. I’ll show you how to add a user that shares a group/user id with root in the next section, but a quick note on how: you’ll want to add a user to your system with the same privileges/memberships as root.
Example:
When I created a user called test on my system with a password of “password”, this is what that user’s lines looked like in my passwd/shadow files:
my /etc/passwd:
test:x:0:0::/home/test:/bin/sh
my /etc/shadow:
test:$6$aae8qp/j$r0c.HGGbDsIRRLc4x2htq588feJ3rsjzFvZOd/nawNkpA.D.kLzzAZA4UhfMc7zU8B13WuFu8oC8eKrXxaYxa/:14929:0:99999:7:::
On the system you have non-interactive access on simply do this:
echo 'test:x:0:0::/home/test:/bin/sh' >> /etc/passwd
echo 'test:$6$aae8qp/j$r0c.HGGbDsIRRLc4x2htq588feJ3rsjzFvZOd/nawNkpA.D.kLzzAZA4UhfMc7zU8B13WuFu8oC8eKrXxaYxa/:14929:0:99999:7:::' >> /etc/shadow
Note that the second command, echoing into the shadow file, is a single line even if it wraps in your browser because of the pagination of this blog.
The second method is a bit more involved, but can also be used/modified to script adding/changing users’ passwords non-interactively. This method also demonstrates using the Python crypt library and is a good way to learn some *nix administration.
For systems that support the useradd command (as opposed to adduser), do the following:
useradd -o -u 0 -g 0 username
The -o switch allows multiple users to have the same uid/gid (0 is root). The user has no password at this point. In normal operation you’d simply issue the passwd command, but this will not work from a non-interactive shell. Assuming you have access to a system with Python installed (and since the system you’re logging in from is BackTrack 4 R1, I know it’s got Python!), simply type python and hit enter.
Now you’re at the “>>>” prompt. Type import crypt and hit enter. Next type print crypt.crypt("<password>", "<salt>") and hit enter, where <password> is the password you want to assign to your user and <salt> is the salt value used when producing the hash.
The output you’ll receive is the encrypted password. Copy it down.
Now type usermod -p "<encrypted password>" username and hit enter. This assigns your new user a password. Now you can ssh in and have full interactive root access to the system, and root’s password is unchanged.
For systems that support the pw command (FreeBSD for example) the steps are similar but the commands are a tad different. I fooled around a bit and found a working set of commands.
pw useradd -o -u 0 -g 0 -n username
The above adds the user with no password. The steps are the same for generating the encrypted password, so use python and crypt from above and copy the output.
Then enter
echo encrypted_password | pw usermod -n username -H 0
The above command assigns the password to the user. Now, just as before, you have an account with root privileges but the system’s root account is unchanged.
You may ask yourself, “why would I choose the second method rather than the first, simple echo method?” In most cases you’ll find the first method will work just fine. But the second method may be helpful if you’re experimenting with scripting user add/modify actions, or in some strange instance when you don’t have the ability to echo commands into the passwd/shadow files. I’ve actually seen some cases where certain file integrity enforcement/monitoring applications on Linux won’t allow you to write directly to the passwd/shadow files without using special scripts or via an approved workflow.
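Both methods leave the same trace behind: an extra account whose UID/GID is 0, and a fresh hash in the shadow file. The following script is an added example (it is not from the original post) showing how a defender or a file integrity tool would spot that trace. It parses the colon-separated passwd and shadow formats shown above and reports accounts that are root-equivalent but not named root, accounts with an empty password field, passwd entries with no shadow record, and legacy hash types. One point worth knowing for the crypt step above: with a plain two-character salt, crypt(3) produces a 13-character DES hash, which this audit flags as legacy; a salt of the form $6$somesalt$ produces the sha512crypt form seen in the shadow line earlier. The sample records, the hash values and the user names are all constructed for the demonstration.

```python
"""Audit passwd/shadow style records for root-equivalent and weak accounts.

Added example, not code from the original post. All sample data below is
constructed; the hash strings are placeholders, not real password hashes.
"""
from dataclasses import dataclass

# crypt(3) "$id$" prefixes as used by glibc and FreeBSD.
HASH_PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}
LEGACY_ALGOS = ("descrypt", "md5crypt")


@dataclass
class Finding:
    user: str
    issue: str


def parse_passwd(text):
    """Return {name: (uid, gid, home, shell)} from /etc/passwd content."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed record: skip rather than guess at it
        name, _pw, uid, gid, _gecos, home, shell = fields
        users[name] = (int(uid), int(gid), home, shell)
    return users


def parse_shadow(text):
    """Return {name: hash_field} from /etc/shadow content."""
    hashes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        hashes[fields[0]] = fields[1]
    return hashes


def classify_hash(h):
    """Name the crypt(3) scheme from the hash field's prefix or length."""
    if h == "":
        return "empty"
    if h.startswith(("!", "*")):
        return "locked"
    for prefix, name in HASH_PREFIXES.items():
        if h.startswith(prefix):
            return name
    if len(h) == 13:
        return "descrypt"  # classic two-character-salt DES output
    return "unknown"


def audit(passwd_text, shadow_text):
    """Return Findings in passwd order: root clones, weak or missing hashes."""
    users = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    findings = []
    for name, (uid, gid, _home, _shell) in users.items():
        if uid == 0 and name != "root":
            findings.append(Finding(name, "uid 0 but not root"))
        elif gid == 0 and name != "root":
            findings.append(Finding(name, "primary gid 0 but not root"))
        if name not in hashes:
            findings.append(Finding(name, "no shadow entry"))
            continue
        algo = classify_hash(hashes[name])
        if algo == "empty":
            findings.append(Finding(name, "empty password field"))
        elif algo in LEGACY_ALGOS:
            findings.append(Finding(name, f"legacy hash algorithm ({algo})"))
    return findings


# Constructed sample files: a "test" clone of root, a DES hash, an empty
# password field and an account with no shadow record.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
test:x:0:0::/home/test:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
guest:x:1001:1001::/home/guest:/bin/sh
ops:x:1002:1002::/home/ops:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$6$rootsalt$CONSTRUCTEDHASHVALUE:14929:0:99999:7:::
daemon:*:14929:0:99999:7:::
test:$6$aae8qp/j$CONSTRUCTEDHASHVALUE:14929:0:99999:7:::
backup:ab4r9JvKxQ2dE:14929:0:99999:7:::
guest::14929:0:99999:7:::
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{f.user}: {f.issue}")
```

Run against real files by passing open("/etc/passwd").read() and open("/etc/shadow").read() as root; the same parser serves a FreeBSD master.passwd if you adjust the field count, since that format carries ten fields instead of seven.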
I hope you find this useful. Good luck and happy pen testing!