My Linux Access Recovery Technique on Linux CentOS

1. #!/bin/bash
2. #
3. # DISCLAIMER : This technique is presented for educational purposes only and you take full responsibility for all your actions.
4. #
5. # Title: My Access Recovery Technique using a SSH key on CentOS 6.5
6. #
7. # Author: Alexandru Cuciureanu
8. #
9. # Date: 27/May/2014
10. #
11. # Note: I tested this on CentOS 6.5 x64 only.
12. #
13. # Concepts: While explaining this, I call a "Linux Client" machine the Linux box where we try to access the "Target Machine" from.
14. #           The "Target Machine" is the box that we intend to gain access to.
15. #
16. # Assumptions for the Target Machine: Let's just say that you forgot the root/admin password, the shadow/password files are CRC protected
17. #              (if the root password is changed or any users added, the applications don't start anymore) and Single User Mode is disabled.
18. #              To add more on top on this, the SSH server is disabled on start-up.
19. #
20. # Goal: Basically, the goal is to access the "Target Machine" as root and have access to all the running processes which are
21. #       running in the background.
22. #
23. # Description: Placing the RSA public key (generated on the Linux Client machine) into the
24. #              the Linux Target file system and manipulating the OS configuration including start-up
25. #              for granting root access.
26. #
27. # Usage:
28. #
29. # PART [A]: Steps to be performed on a Linux Client machine
30. #           (the machine from which you intend to log into the Linux Target machine)
31. #
32. #   1. Generate the authentication keys with no key passphrase (when it asks for passphare just hit Enter twice):
33. #      ~# ssh-keygen -t rsa
34. #   2. Check if the keys were generated into the ~/.ssh/ folder. You should have two files: id_rsa and id_rsa.pub
35. #   3. The content of the id_rsa.pub file must be pasted into the $RSA_PUB_KEY variable of this script. (alternatively if you will
36. #      want to use id_rsa.pub separately, the script can be modified accordingly. The reason why I chose to use the variable instead of
37. #      a separate file is to keep this script compact and as simple as possible.
38. #
39. # PART [B]: Steps to be performed on the Linux Target machine while booted using the CentOS 6.5 x64 into recovery mode.
40. #
41. #   Observation:
42. #   - It may be useful to enable the Networking while booted into recovery mode for copying the script via "scp".
43. #
44. #   1. Boot from CentOS 6.5 DVD into recovery mode.
45. #   2. Once the CentOS 6.5 DVD recovery mode throws the bash root shell, go to /mnt/sysimage/
46. #   3. Copy the script to /mnt/sysimage/tmp/ (I used "scp", but you can choose any other method which would work).
47. #   3. Make the script to run on startup: ~# echo "bash /tmp/script_name.sh" >> /mnt/sysimage/etc/rc.local
48. #   4. The the execution rights must be set for the script: chmod +x /mnt/sysimage/tmp/script_name.sh
49. #   5. Reboot the Target Machine.
50. #
51. # PART [C]: Authenticating through SSH from the Linux Client machine to Target Machine without root credentials.
52. #
53. #   1. Go on the Linux Client machine and run the ssh:
54. #      ~# ssh root@192.168.14.123
55. #   2. If you performed all the steps properly, then you should be able to login as root.
56. #
57. # Output Example:
58. #
59. #   [root@client ~]# ssh root@192.168.14.123
60. #   Last login: Wed Mar 26 13:42:25 2014 from 192.168.14.122
61. #   [root@target ~]# whoami
62. #   root
63. #
64. ########################################################################################################################
65.  
66.  
67. # result marker
68. RESULT=$?
69. # insert full path of the authorize key
70. AUTH_KEY=/root/.ssh/authorized_keys
71. # RSA PUBLIC KEY from Linux Client machine (id_rsa.pub)
72. RSA_PUB_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuUlIvmVTqviekxjvQEZ7ZTvUjwG89IhaQe2gi4VBd6ufMKQPPM1cVEPWZVd5rWqvxAo2g8eMUXm34/5PkJ/qAkeTpQIMqm5Tp8gbECMVgCehSnKp9nF4ahZY5iiDhjGozYeb/pjt4p0mslvAzSnpw9iZbF5WIFpgmm7ZAxIK2CLhO4bjTv4yo8D9DUIRmPCZfv5IcI8iiMd5dsbrWqoCR3/9CV1wQRwMpMlBN58cTSzOb2/v44bzN+1e8zEzd/Jiw41WT/Z8qCZ21uBJqzZJ1oe12C85WxeLDQ+CsGD4C4vUFoN75ks4ACpT3PI/tW3VoykddNPh0pQ1nP827ckMUw== root@localhost.localdomain"
73.  
74.  
75. # Verify if the authorized_keys file is already created, if not then create an empty one.
76. function check_auth_key {
77. if [ -e "$AUTH_KEY" ]
78. then
79.    echo "[!] ${AUTH_KEY} exists"
80. else
81.   touch $AUTH_KEY
82.   if [ $RESULT -eq 0 ]
83.   then
84.     echo "[-] empty authorized_keys was created."
85.   else
86.     echo "[-] unable to create empty file"
87.   fi
88. fi
89. }
90.  
91. # Check if the ssh key is already inserted into authorized_keys.
92. function check_duplicate_injection {
93. CHECK_DUP=`grep -Fx "$RSA_PUB_KEY" $AUTH_KEY | wc -l | awk '{print $1}'`
94. if [ $RESULT -eq 0 ] && [ -e $AUTH_KEY ]
95.   then
96.     if [ $CHECK_DUP -gt 0 ]
97.     then
98.       echo "[!] The authorized_keys file is already injected. Bye Bye!"
99.       exit 0
100.     fi
101.   else
102.     echo "[!] Oops... Something went bad or authorized_keys does not exist."
103. fi
104. }
105.  
106. # Insert the ssh key into the authorized_keys file.
107. function inject_authorized_keys {
108. cat >> $AUTH_KEY <<_EOF_
109. $RSA_PUB_KEY
110. _EOF_
111. if [ $RESULT -eq 0 ]
112.   then
113.     echo "[*] the authorized_keys file was successfuly injected."
114.   else
115.     echo "[*] Oops... Something went wrong while injecting the authorized_keys file"
116. fi
117. }
118.  
119. # Configure the "sshd" to automatically start at start-up.
120. function enable_sshd_startup {
121. chkconfig sshd on
122. if [ $RESULT -eq 0 ]
123.   then
124.     echo "[*] sshd is now configured to run on startup."
125.   else
126.     echo "[!] Oops... I was unable to make sshd to run on startup. :("
127. fi
128. }
129.  
130. # Verify if the "sshd" is already configured to start at start-up.
131. function check_sshd_startup {
132. SSHD_STARTUP_RUN=`chkconfig --list | grep -E 'sshd.*3:on'`
133. if [ "${SSHD_STARTUP_RUN}" ]
134.   then
135.     echo "[*] sshd is already configured to run on startup."
136.   else
137.     echo "[!] sshd doesn't run at startup. Please wait to reconfigure it..."
138.     enable_sshd_startup  
139. fi
140. }
141.  
142. # Check if "sshd" is running. If it's stopped, then will start it.
143. function check_sshd {
144. SSHD_STAT=`ps -ef | grep '[/]sshd' | awk '{print $2}'`
145. if [ "${SSHD_STAT}" ]
146.   then
147.      echo "[*] sshd is running on PID $SSHD_STAT"
148.   else
149.      echo "[!] ssh is not running. Please wait to start sshd..."
150.      service sshd start
151.      if [ $RESULT -eq 0 ]
152.        then
153.          echo "[*] sshd is started."
154.        else
155.          echo "[!] unable to start sshd. Error: $RESULT"
156.      fi
157. fi
158. }
159.  
160. # Let's roll the magic now
161.  
162. check_auth_key
163. check_duplicate_injection
164. check_sshd
165. check_sshd_startup
166. inject_authorized_keys
167. exit