#!/bin/bash
#
# DISCLAIMER: This technique is presented for educational purposes only and you take full responsibility for all your actions.
#
# Title: My Access Recovery Technique using an SSH key on CentOS 6.5
#
# Author: Alexandru Cuciureanu
#
# Date: 27/May/2014
#
# Note: I tested this on CentOS 6.5 x64 only.
#
# Concepts: In this write-up the "Linux Client" is the Linux box from which we try to reach the "Target Machine".
# The "Target Machine" is the box we intend to regain access to.
#
# Assumptions for the Target Machine: the root/admin password has been lost, the shadow/passwd files are integrity-checked
# by the applications ("CRC protected": if the root password is changed or any user is added, the applications no longer
# start), and Single User Mode is disabled. On top of that, the SSH server is disabled on start-up.
#
# Goal: access the "Target Machine" as root, with access to all the processes already running in the background,
# without touching the password files.
#
# Description: place the RSA public key (generated on the Linux Client machine) into the Target's file system
# and adjust the OS configuration, including start-up, so that root logins over SSH with that key are accepted.
# This only works because the Target's root filesystem is unencrypted and can be mounted from any boot medium;
# full-disk encryption and a locked-down boot order (firmware password, no removable-media boot) are the controls that prevent it.
#
# Usage:
#
# PART [A]: Steps to be performed on the Linux Client machine
# (the machine from which you intend to log into the Linux Target machine)
#
# 1. Generate the authentication key pair with no passphrase (when asked for a passphrase just hit Enter twice):
#    ~# ssh-keygen -t rsa
#    A passphrase-less private key grants root on the Target to anyone who obtains id_rsa, so keep the file
#    owner-readable only (mode 600) and delete or rotate the key once access is recovered.
# 2. Check that the keys were generated in the ~/.ssh/ folder. You should have two files: id_rsa and id_rsa.pub
# 3. The content of id_rsa.pub must be pasted into the $RSA_PUB_KEY variable of this script. (Alternatively, if you
#    want to use id_rsa.pub as a separate file, the script can be modified accordingly. I chose the variable instead of
#    a separate file to keep this script compact and as simple as possible.) Do not skip this step: as published, the
#    variable holds the author's key, so running the script unmodified authorizes the holder of that private key, not you.
#
# PART [B]: Steps to be performed on the Linux Target machine while booted into recovery (rescue) mode from the CentOS 6.5 x64 DVD.
#
# Observation:
# - It may be useful to enable networking while booted into rescue mode so the script can be copied over with "scp".
#
# 1. Boot from the CentOS 6.5 DVD into rescue mode.
# 2. Once the rescue environment drops you into a root bash shell, go to /mnt/sysimage/ (the Target's root filesystem).
# 3. Copy the script to /mnt/sysimage/tmp/ (I used "scp", but any other method that works is fine).
# 4. Make the script run on start-up: ~# echo "bash /tmp/script_name.sh" >> /mnt/sysimage/etc/rc.local
# 5. Set the execution bit on the script: chmod +x /mnt/sysimage/tmp/script_name.sh
# 6. Reboot the Target Machine.
#    rc.local runs the script as root on every boot, and /tmp is world-writable and typically cleaned periodically (tmpwatch),
#    so once you are back in, remove the rc.local line and the script, or at least move it to a root-owned location such as /root.
#
# PART [C]: Authenticating through SSH from the Linux Client machine to the Target Machine without root credentials.
#
# 1. On the Linux Client machine, run:
#    ~# ssh root@192.168.14.123
# 2. If you performed all the steps properly, you should be logged in as root.
#    (This relies on "PermitRootLogin" in the Target's sshd_config allowing key-based root logins; the stock CentOS 6.5 configuration does.)
#
# Output Example:
#
# [root@client ~]# ssh root@192.168.14.123
# Last login: Wed Mar 26 13:42:25 2014 from 192.168.14.122
# [root@target ~]# whoami
# root
#
########################################################################################################################
# Status "marker" read by the functions below.
# NOTE(review): this captures $? exactly once, before any command has run (so it
# is always 0), and nothing in this script ever updates it -- the checks that read
# it do not reflect the command they follow.
RESULT=$?
# Public key to authorize on the target. MUST be replaced with the id_rsa.pub
# generated on your own client machine: as pasted, this line authorizes whoever
# holds the private half of this particular key, not you.
RSA_PUB_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuUlIvmVTqviekxjvQEZ7ZTvUjwG89IhaQe2gi4VBd6ufMKQPPM1cVEPWZVd5rWqvxAo2g8eMUXm34/5PkJ/qAkeTpQIMqm5Tp8gbECMVgCehSnKp9nF4ahZY5iiDhjGozYeb/pjt4p0mslvAzSnpw9iZbF5WIFpgmm7ZAxIK2CLhO4bjTv4yo8D9DUIRmPCZfv5IcI8iiMd5dsbrWqoCR3/9CV1wQRwMpMlBN58cTSzOb2/v44bzN+1e8zEzd/Jiw41WT/Z8qCZ21uBJqzZJ1oe12C85WxeLDQ+CsGD4C4vUFoN75ks4ACpT3PI/tW3VoykddNPh0pQ1nP827ckMUw== root@localhost.localdomain"
# Absolute path of root's authorized_keys file on the target.
AUTH_KEY=/root/.ssh/authorized_keys
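# Make sure root's authorized_keys file exists before anything is appended to it.
# Globals:  AUTH_KEY (read) - absolute path of the authorized_keys file.
# Outputs:  one status line on stdout.
# Returns:  0 if the file already exists or was created, 1 if it could not be created.
# The parent directory (normally /root/.ssh) is created when missing and both it and
# the new file get owner-only permissions: OpenSSH's StrictModes (on by default)
# ignores an authorized_keys file whose directory or file is writable by others.
# The original version only ran "touch", which fails when /root/.ssh does not exist,
# and then tested the never-updated $RESULT instead of touch's own exit status.
function check_auth_key {
  local key_dir
  if [ -e "$AUTH_KEY" ]; then
    echo "[!] ${AUTH_KEY} exists"
    return 0
  fi
  key_dir=$(dirname -- "$AUTH_KEY")
  if ! [ -d "$key_dir" ]; then
    # -m applies to the final component only; intermediate dirs keep the umask default.
    if ! mkdir -p -m 700 -- "$key_dir"; then
      echo "[-] unable to create empty file"
      return 1
    fi
  fi
  if touch -- "$AUTH_KEY" && chmod 600 -- "$AUTH_KEY"; then
    echo "[-] empty authorized_keys was created."
    return 0
  fi
  echo "[-] unable to create empty file"
  return 1
}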
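# Stop early when the key is already present in authorized_keys, so repeated boots
# (rc.local runs this script every time) do not append duplicate entries.
# Globals:  AUTH_KEY, RSA_PUB_KEY (read).
# Outputs:  a status line on stdout when the key is found, the file is missing, or the key is empty.
# Returns:  0 when the key is absent and the caller may proceed; 1 when authorized_keys
#           is missing or RSA_PUB_KEY is empty; exits the whole script with status 0
#           when the key is already present.
# The original tested the never-updated $RESULT and piped grep through wc/awk;
# grep -q gives the same answer directly.
function check_duplicate_injection {
  if [ -z "$RSA_PUB_KEY" ]; then
    # An empty pattern with -x would match every blank line and report a false duplicate.
    echo "[!] Oops... RSA_PUB_KEY is empty, nothing to check."
    return 1
  fi
  if ! [ -e "$AUTH_KEY" ]; then
    echo "[!] Oops... Something went bad or authorized_keys does not exist."
    return 1
  fi
  # -F: the key is a literal string, not a regex; -x: whole-line match only, so a
  # key that is merely a prefix of another entry is not counted as already present.
  if grep -qFx -- "$RSA_PUB_KEY" "$AUTH_KEY"; then
    echo "[!] The authorized_keys file is already injected. Bye Bye!"
    exit 0
  fi
  return 0
}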
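# Append the client's public key as a new line of authorized_keys.
# Globals:  AUTH_KEY, RSA_PUB_KEY (read).
# Outputs:  a status line on stdout.
# Returns:  0 on success, 1 if the key is empty or the write failed.
# If the existing file does not end with a newline, one is written first; otherwise
# the key would be glued onto the last existing entry and sshd would reject both.
# The original tested the never-updated $RESULT instead of the redirection's status.
function inject_authorized_keys {
  if [ -z "$RSA_PUB_KEY" ]; then
    echo "[*] Oops... RSA_PUB_KEY is empty, nothing to inject."
    return 1
  fi
  # $(tail -c 1) is empty exactly when the last byte is a newline (command
  # substitution strips trailing newlines), so a non-empty result means "no newline".
  if [ -s "$AUTH_KEY" ] && [ -n "$(tail -c 1 -- "$AUTH_KEY")" ]; then
    if ! printf '\n' >> "$AUTH_KEY"; then
      echo "[*] Oops... Something went wrong while injecting the authorized_keys file"
      return 1
    fi
  fi
  if printf '%s\n' "$RSA_PUB_KEY" >> "$AUTH_KEY"; then
    echo "[*] the authorized_keys file was successfuly injected."
    return 0
  fi
  echo "[*] Oops... Something went wrong while injecting the authorized_keys file"
  return 1
}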
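# Register sshd with the SysV init system so it starts on every boot.
# Outputs:  a status line on stdout.
# Returns:  chkconfig's exit status: 0 if sshd is now enabled, non-zero otherwise
#           (e.g. chkconfig missing, sshd not installed, or not running as root).
# The original tested the never-updated $RESULT, so it reported success regardless
# of what chkconfig actually did.
function enable_sshd_startup {
  local rc=0
  chkconfig sshd on || rc=$?
  if [ "$rc" -eq 0 ]; then
    echo "[*] sshd is now configured to run on startup."
  else
    echo "[!] Oops... I was unable to make sshd to run on startup. :("
  fi
  return "$rc"
}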
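# Make sure sshd is enabled for the multi-user runlevel (3), enabling it if it is not.
# Globals:  none; calls enable_sshd_startup (defined in this file) when needed.
# Outputs:  a status line on stdout.
# Returns:  0 if sshd is already enabled in runlevel 3, otherwise enable_sshd_startup's status.
# NOTE(review): only runlevel 3 is consulted, as in the original. A target that boots
# into runlevel 5 (graphical) is therefore re-enabled even when already "on" there;
# presumably harmless, since "chkconfig sshd on" enables the init script's default
# runlevels (which include 3 and 5 for sshd) -- confirm on the target if it matters.
function check_sshd_startup {
  # Query the single service instead of grepping the whole table, so an unrelated
  # service whose name merely starts with "sshd" cannot satisfy the match.
  if chkconfig --list sshd 2>/dev/null | grep -qE '[[:space:]]3:on'; then
    echo "[*] sshd is already configured to run on startup."
    return 0
  fi
  echo "[!] sshd doesn't run at startup. Please wait to reconfigure it..."
  enable_sshd_startup
}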
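# Start sshd now if it is not already running (on the target sshd is disabled at
# start-up, and this script is reached from rc.local).
# Outputs:  a status line on stdout; when already running, the PID(s) found.
# Returns:  0 if sshd is running or was started, otherwise the exit status of
#           "service sshd start".
# The original detected a running daemon with "ps -ef | grep '[/]sshd'", which also
# matches any process whose command line contains "/sshd" -- e.g. an editor open on
# /etc/ssh/sshd_config -- and would then skip starting the daemon; it also reported
# the never-updated $RESULT instead of the service command's real status.
function check_sshd {
  local pids rc=0
  # -x: match the process name exactly, one PID per line like the old awk output.
  pids=$(pgrep -x sshd)
  if [ -n "$pids" ]; then
    echo "[*] sshd is running on PID $pids"
    return 0
  fi
  echo "[!] ssh is not running. Please wait to start sshd..."
  service sshd start || rc=$?
  if [ "$rc" -eq 0 ]; then
    echo "[*] sshd is started."
  else
    echo "[!] unable to start sshd. Error: $rc"
  fi
  return "$rc"
}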
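# Entry point.
# Order matters: check_duplicate_injection exits the script when the key is already
# installed, so in the original order a boot with the key present but sshd still
# disabled never reached the sshd checks and left the target unreachable. The sshd
# checks therefore run before the duplicate check; they do not depend on the key.
# If authorized_keys cannot be created there is nothing left to do, so abort early.
check_auth_key || exit 1
check_sshd
check_sshd_startup
check_duplicate_injection
inject_authorized_keys
# Bare exit: the script's status is that of the last step (the key injection).
exit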