Guest User

My Linux Access Recovery Technique on Linux CentOS

a guest
May 27th, 2014
95
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #!/bin/bash
  2. #
  3. # DISCLAIMER : This technique is presented for educational purposes only and you take full responsibility for all your actions.
  4. #
  5. # Title: My Access Recovery Technique using a SSH key on CentOS 6.5
  6. #
  7. # Author: Alexandru Cuciureanu
  8. #
  9. # Date: 27/May/2014
  10. #
  11. # Note: I tested this on CentOS 6.5 x64 only.
  12. #
  13. # Concepts: While explaining this, I call a "Linux Client" machine the Linux box where we try to access the "Target Machine" from.
  14. #           The "Target Machine" is the box that we intend to gain access to.
  15. #
  16. # Assumptions for the Target Machine: Let's just say that you forgot the root/admin password, the shadow/password files are CRC protected
  17. #              (if the root password is changed or any users added, the applications don't start anymore) and Single User Mode is disabled.
  18. #              To add more on top on this, the SSH server is disabled on start-up.
  19. #
  20. # Goal: Basically, the goal is to access the "Target Machine" as root and have access to all the running processes which are
  21. #       running in the background.
  22. #
  23. # Description: Placing the RSA public key (generated on the Linux Client machine) into the
  24. #              the Linux Target file system and manipulating the OS configuration including start-up
  25. #              for granting root access.
  26. #
  27. # Usage:
  28. #
  29. # PART [A]: Steps to be performed on a Linux Client machine
  30. #           (the machine from which you intend to log into the Linux Target machine)
  31. #
  32. #   1. Generate the authentication keys with no key passphrase (when it asks for passphare just hit Enter twice):
  33. #      ~# ssh-keygen -t rsa
  34. #   2. Check if the keys were generated into the ~/.ssh/ folder. You should have two files: id_rsa and id_rsa.pub
  35. #   3. The content of the id_rsa.pub file must be pasted into the $RSA_PUB_KEY variable of this script. (alternatively if you will
  36. #      want to use id_rsa.pub separately, the script can be modified accordingly. The reason why I chose to use the variable instead of
  37. #      a separate file is to keep this script compact and as simple as possible.
  38. #
  39. # PART [B]: Steps to be performed on the Linux Target machine while booted using the CentOS 6.5 x64 into recovery mode.
  40. #
  41. #   Observation:
  42. #   - It may be useful to enable the Networking while booted into recovery mode for copying the script via "scp".
  43. #
  44. #   1. Boot from CentOS 6.5 DVD into recovery mode.
  45. #   2. Once the CentOS 6.5 DVD recovery mode throws the bash root shell, go to /mnt/sysimage/
  46. #   3. Copy the script to /mnt/sysimage/tmp/ (I used "scp", but you can choose any other method which would work).
  47. #   3. Make the script to run on startup: ~# echo "bash /tmp/script_name.sh" >> /mnt/sysimage/etc/rc.local
  48. #   4. The the execution rights must be set for the script: chmod +x /mnt/sysimage/tmp/script_name.sh
  49. #   5. Reboot the Target Machine.
  50. #
  51. # PART [C]: Authenticating through SSH from the Linux Client machine to Target Machine without root credentials.
  52. #
  53. #   1. Go on the Linux Client machine and run the ssh:
  54. #      ~# ssh root@192.168.14.123
  55. #   2. If you performed all the steps properly, then you should be able to login as root.
  56. #
  57. # Output Example:
  58. #
  59. #   [root@client ~]# ssh root@192.168.14.123
  60. #   Last login: Wed Mar 26 13:42:25 2014 from 192.168.14.122
  61. #   [root@target ~]# whoami
  62. #   root
  63. #
  64. ########################################################################################################################
  65.  
  66.  
  67. # result marker
  68. RESULT=$?
  69. # insert full path of the authorize key
  70. AUTH_KEY=/root/.ssh/authorized_keys
  71. # RSA PUBLIC KEY from Linux Client machine (id_rsa.pub)
  72. RSA_PUB_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuUlIvmVTqviekxjvQEZ7ZTvUjwG89IhaQe2gi4VBd6ufMKQPPM1cVEPWZVd5rWqvxAo2g8eMUXm34/5PkJ/qAkeTpQIMqm5Tp8gbECMVgCehSnKp9nF4ahZY5iiDhjGozYeb/pjt4p0mslvAzSnpw9iZbF5WIFpgmm7ZAxIK2CLhO4bjTv4yo8D9DUIRmPCZfv5IcI8iiMd5dsbrWqoCR3/9CV1wQRwMpMlBN58cTSzOb2/v44bzN+1e8zEzd/Jiw41WT/Z8qCZ21uBJqzZJ1oe12C85WxeLDQ+CsGD4C4vUFoN75ks4ACpT3PI/tW3VoykddNPh0pQ1nP827ckMUw== root@localhost.localdomain"
  73.  
  74.  
  75. # Verify if the authorized_keys file is already created, if not then create an empty one.
  76. function check_auth_key {
  77. if [ -e "$AUTH_KEY" ]
  78. then
  79.    echo "[!] ${AUTH_KEY} exists"
  80. else
  81.   touch $AUTH_KEY
  82.   if [ $RESULT -eq 0 ]
  83.   then
  84.     echo "[-] empty authorized_keys was created."
  85.   else
  86.     echo "[-] unable to create empty file"
  87.   fi
  88. fi
  89. }
  90.  
  91. # Check if the ssh key is already inserted into authorized_keys.
  92. function check_duplicate_injection {
  93. CHECK_DUP=`grep -Fx "$RSA_PUB_KEY" $AUTH_KEY | wc -l | awk '{print $1}'`
  94. if [ $RESULT -eq 0 ] && [ -e $AUTH_KEY ]
  95.   then
  96.     if [ $CHECK_DUP -gt 0 ]
  97.     then
  98.       echo "[!] The authorized_keys file is already injected. Bye Bye!"
  99.       exit 0
  100.     fi
  101.   else
  102.     echo "[!] Oops... Something went bad or authorized_keys does not exist."
  103. fi
  104. }
  105.  
  106. # Insert the ssh key into the authorized_keys file.
  107. function inject_authorized_keys {
  108. cat >> $AUTH_KEY <<_EOF_
  109. $RSA_PUB_KEY
  110. _EOF_
  111. if [ $RESULT -eq 0 ]
  112.   then
  113.     echo "[*] the authorized_keys file was successfuly injected."
  114.   else
  115.     echo "[*] Oops... Something went wrong while injecting the authorized_keys file"
  116. fi
  117. }
  118.  
  119. # Configure the "sshd" to automatically start at start-up.
  120. function enable_sshd_startup {
  121. chkconfig sshd on
  122. if [ $RESULT -eq 0 ]
  123.   then
  124.     echo "[*] sshd is now configured to run on startup."
  125.   else
  126.     echo "[!] Oops... I was unable to make sshd to run on startup. :("
  127. fi
  128. }
  129.  
  130. # Verify if the "sshd" is already configured to start at start-up.
  131. function check_sshd_startup {
  132. SSHD_STARTUP_RUN=`chkconfig --list | grep -E 'sshd.*3:on'`
  133. if [ "${SSHD_STARTUP_RUN}" ]
  134.   then
  135.     echo "[*] sshd is already configured to run on startup."
  136.   else
  137.     echo "[!] sshd doesn't run at startup. Please wait to reconfigure it..."
  138.     enable_sshd_startup  
  139. fi
  140. }
  141.  
  142. # Check if "sshd" is running. If it's stopped, then will start it.
  143. function check_sshd {
  144. SSHD_STAT=`ps -ef | grep '[/]sshd' | awk '{print $2}'`
  145. if [ "${SSHD_STAT}" ]
  146.   then
  147.      echo "[*] sshd is running on PID $SSHD_STAT"
  148.   else
  149.      echo "[!] ssh is not running. Please wait to start sshd..."
  150.      service sshd start
  151.      if [ $RESULT -eq 0 ]
  152.        then
  153.          echo "[*] sshd is started."
  154.        else
  155.          echo "[!] unable to start sshd. Error: $RESULT"
  156.      fi
  157. fi
  158. }
  159.  
  160. # Let's roll the magic now
  161.  
  162. check_auth_key
  163. check_duplicate_injection
  164. check_sshd
  165. check_sshd_startup
  166. inject_authorized_keys
  167. exit
RAW Paste Data