My Linux Access Recovery Technique on Linux CentOS

a guest, May 27th, 2014
#!/bin/bash
#
# DISCLAIMER : This technique is presented for educational purposes only and you take full responsibility for all your actions.
#
# Title: My Access Recovery Technique using a SSH key on CentOS 6.5
#
# Author: Alexandru Cuciureanu
#
# Date: 27/May/2014
#
# Note: I tested this on CentOS 6.5 x64 only.
#
# Concepts: While explaining this, I call a "Linux Client" machine the Linux box where we try to access the "Target Machine" from.
#           The "Target Machine" is the box that we intend to gain access to.
#
# Assumptions for the Target Machine: Let's just say that you forgot the root/admin password, the shadow/password files are CRC protected
#           (if the root password is changed or any users are added, the applications don't start anymore) and Single User Mode is disabled.
#           On top of this, the SSH server is disabled on start-up.
#
# Goal: Basically, the goal is to access the "Target Machine" as root and have access to all the processes which are
#       running in the background.
#
# Description: Placing the RSA public key (generated on the Linux Client machine) into the
#              Linux Target file system and manipulating the OS configuration, including start-up,
#              for granting root access.
#
# Usage:
#
# PART [A]: Steps to be performed on a Linux Client machine
#           (the machine from which you intend to log into the Linux Target machine)
#
#   1. Generate the authentication keys with no key passphrase (when it asks for a passphrase just hit Enter twice):
#      ~# ssh-keygen -t rsa
#   2. Check if the keys were generated into the ~/.ssh/ folder. You should have two files: id_rsa and id_rsa.pub
#   3. The content of the id_rsa.pub file must be pasted into the $RSA_PUB_KEY variable of this script (alternatively, if you
#      want to use id_rsa.pub separately, the script can be modified accordingly). The reason why I chose to use the variable instead of
#      a separate file is to keep this script compact and as simple as possible.
#
# PART [B]: Steps to be performed on the Linux Target machine while booted from the CentOS 6.5 x64 DVD into recovery mode.
#
#   Observation:
#       - It may be useful to enable Networking while booted into recovery mode for copying the script via "scp".
#
#   1. Boot from the CentOS 6.5 DVD into recovery mode.
#   2. Once the CentOS 6.5 DVD recovery mode throws the bash root shell, go to /mnt/sysimage/
#   3. Copy the script to /mnt/sysimage/tmp/ (I used "scp", but you can choose any other method which would work).
#   4. Make the script run on startup: ~# echo "bash /tmp/script_name.sh" >> /mnt/sysimage/etc/rc.local
#   5. The execution rights must be set for the script: chmod +x /mnt/sysimage/tmp/script_name.sh
#   6. Reboot the Target Machine.
#
# PART [C]: Authenticating through SSH from the Linux Client machine to the Target Machine without root credentials.
#
#   1. Go on the Linux Client machine and run ssh:
#      ~# ssh root@192.168.14.123
#   2. If you performed all the steps properly, then you should be able to log in as root.
#
# Output Example:
#
#       [root@client ~]# ssh root@192.168.14.123
#       Last login: Wed Mar 26 13:42:25 2014 from 192.168.14.122
#       [root@target ~]# whoami
#       root
#
########################################################################################################################


# Note: each function tests the exit status of the command it just ran;
# a status captured once at the top of the script would never change.

# insert full path of the authorized_keys file
AUTH_KEY=/root/.ssh/authorized_keys
# RSA PUBLIC KEY from Linux Client machine (id_rsa.pub)
RSA_PUB_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuUlIvmVTqviekxjvQEZ7ZTvUjwG89IhaQe2gi4VBd6ufMKQPPM1cVEPWZVd5rWqvxAo2g8eMUXm34/5PkJ/qAkeTpQIMqm5Tp8gbECMVgCehSnKp9nF4ahZY5iiDhjGozYeb/pjt4p0mslvAzSnpw9iZbF5WIFpgmm7ZAxIK2CLhO4bjTv4yo8D9DUIRmPCZfv5IcI8iiMd5dsbrWqoCR3/9CV1wQRwMpMlBN58cTSzOb2/v44bzN+1e8zEzd/Jiw41WT/Z8qCZ21uBJqzZJ1oe12C85WxeLDQ+CsGD4C4vUFoN75ks4ACpT3PI/tW3VoykddNPh0pQ1nP827ckMUw== root@localhost.localdomain"


# Verify if the authorized_keys file is already created, if not then create an empty one.
function check_auth_key {
if [ -e "$AUTH_KEY" ]
then
   echo "[!] ${AUTH_KEY} exists"
else
  # The parent directory may not exist yet; touch alone would fail in that case.
  if mkdir -p -m 700 "$(dirname "$AUTH_KEY")" && touch "$AUTH_KEY" && chmod 600 "$AUTH_KEY"
  then
    echo "[-] empty authorized_keys was created."
  else
    echo "[-] unable to create empty file"
  fi
fi
}

# Check if the ssh key is already inserted into authorized_keys.
function check_duplicate_injection {
if [ -e "$AUTH_KEY" ]
  then
    # -F: fixed string, -x: whole line, -q: only the exit status matters
    if grep -qFx -- "$RSA_PUB_KEY" "$AUTH_KEY"
    then
      echo "[!] The authorized_keys file is already injected. Bye Bye!"
      exit 0
    fi
  else
    echo "[!] Oops... Something went bad or authorized_keys does not exist."
fi
}

# Insert the ssh key into the authorized_keys file.
function inject_authorized_keys {
if printf '%s\n' "$RSA_PUB_KEY" >> "$AUTH_KEY"
  then
    echo "[*] the authorized_keys file was successfully injected."
  else
    echo "[*] Oops... Something went wrong while injecting the authorized_keys file"
fi
}

# Configure the "sshd" to automatically start at start-up.
function enable_sshd_startup {
if chkconfig sshd on
  then
    echo "[*] sshd is now configured to run on startup."
  else
    echo "[!] Oops... I was unable to make sshd to run on startup. :("
fi
}

# Verify if the "sshd" is already configured to start at start-up.
function check_sshd_startup {
SSHD_STARTUP_RUN=$(chkconfig --list | grep -E 'sshd.*3:on')
if [ "${SSHD_STARTUP_RUN}" ]
  then
    echo "[*] sshd is already configured to run on startup."
  else
    echo "[!] sshd doesn't run at startup. Please wait to reconfigure it..."
    enable_sshd_startup
fi
}

# Check if "sshd" is running. If it's stopped, then start it.
function check_sshd {
SSHD_STAT=$(ps -ef | grep '[/]sshd' | awk '{print $2}')
if [ "${SSHD_STAT}" ]
  then
     echo "[*] sshd is running on PID $SSHD_STAT"
  else
     echo "[!] ssh is not running. Please wait to start sshd..."
     service sshd start
     RESULT=$?   # exit status of "service sshd start"
     if [ $RESULT -eq 0 ]
       then
         echo "[*] sshd is started."
       else
         echo "[!] unable to start sshd. Error: $RESULT"
     fi
fi
}

# Let's roll the magic now

check_auth_key
check_duplicate_injection
check_sshd
check_sshd_startup
inject_authorized_keys
exit
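
The defender's view of the same changes, as an added example that is not part of the original paste: an audit that flags root authorized_keys entries missing from an allowlist and rc.local lines that run something from a world-writable directory, which are the two artifacts the script above leaves behind. The function names, finding labels, allowlist format and sample tree are assumptions made for this example.

```bash
#!/bin/bash
# Added example, not part of the original paste. Function names, finding
# labels and the allowlist format (one base64 key blob per line) are assumptions.

# Audit a file system tree (e.g. / or /mnt/sysimage) for the two changes the
# script makes: a root authorized_keys entry and a /tmp script run at boot.
audit_root_access() {
  local root="$1" allow="$2" blob
  local keys="$root/root/.ssh/authorized_keys" rc="$root/etc/rc.local"
  if [ -f "$keys" ]; then
    # Every SSH public key blob starts with "AAAA"; taking the first such
    # field skips any leading options and the free-text trailing comment.
    awk 'NF == 0 || $1 ~ /^#/ { next }
         { for (i = 1; i <= NF; i++) if ($i ~ /^AAAA/) { print $i; next } }' "$keys" |
    while read -r blob; do
      grep -qxF -- "$blob" "$allow" || echo "UNLISTED_KEY $blob"
    done
  fi
  if [ -f "$rc" ]; then
    # Uncommented rc.local lines that reference world-writable directories.
    grep -nE '^[^#]*(/tmp/|/var/tmp/|/dev/shm/)' "$rc" | sed 's/^/RCLOCAL_TMP_EXEC /'
  fi
  return 0
}

# Build a constructed sample tree (placeholder key blobs, not real keys).
demo_tree() {
  local d
  d="$(mktemp -d)"
  mkdir -p "$d/root/.ssh" "$d/etc"
  printf '%s\n' 'ssh-rsa AAAAconstructedKnownKey admin@bastion' \
                'ssh-rsa AAAAconstructedUnknownKey root@localhost.localdomain' \
    > "$d/root/.ssh/authorized_keys"
  printf '%s\n' '#!/bin/sh' 'touch /var/lock/subsys/local' 'bash /tmp/script_name.sh' \
    > "$d/etc/rc.local"
  echo 'AAAAconstructedKnownKey' > "$d/allow"
  echo "$d"
}

tree="$(demo_tree)"
audit_root_access "$tree" "$tree/allow"
rm -rf "$tree"
```

Point it at `/mnt/sysimage` from rescue media or at `/` on a live host, and keep the allowlist somewhere other than the machine being audited.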