Fast root / Administrator on desktop OS with physical access / no encryption

During your travels, you might not always have a bootable USB stick with you (or the BIOS boot order is locked down and the BIOS is password-protected) but still want to escalate privileges on boxes you encounter 👻. If:
1. you have physical access to a machine 💏 (or similar access such as a virtual console, KVM or iLO), and
2. the machine's disk is not protected by encryption,

then you can quickly obtain the highest (userland) privileges with the following steps.

NB: even if the environment you land in lives outside the real OS disk (such as a repair-mode drive or partition), you can still modify the OS image from there and gain higher privileges, because the real OS drive is not protected by encryption. So in a nutshell, this article could also be called "why is disk encryption important?".


1. Windows

Tested OS: Windows 8 / 8.1 / 10

Since Windows 8, the operating system boots so fast that you cannot press any key to enter Repair mode while booting (previously it was Shift + F8 on Windows 7) ✋. The workaround is to reboot the box twice (hit reset when you see the Windows logo). After two unsuccessful boots 👯, Windows goes into repair mode automatically. From there click Advanced Options, then Troubleshoot, then System Image Repair, then Driver install, and Add a driver. It's really just a trick to open an Explorer.exe window... 👹



In this Explorer window, browse to the OS main drive (usually D:\) and replace sethc.exe with cmd.exe (we are replacing the sticky keys binary with a command prompt). Then reboot the OS. On the lock screen, hit the Shift key five times: it will open the replaced sethc.exe, now a command prompt, with NT AUTHORITY\SYSTEM privileges.

From there you can change the current administrator password, add an administrator, dump the existing credentials... You are limited only by your imagination 💆.
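A quick way to check a Windows installation for this swap, as an added example (not code from the original post): on a clean system sethc.exe and cmd.exe are different programs, so after the replacement described above the two files become byte-for-byte identical and a hash comparison flags it. The function takes the System32 directory as a parameter so the same check runs against a live host or a mounted offline image (e.g. D:\Windows\System32); the temporary "fake System32" used for the demo is constructed here and contains no real binaries.

```python
"""Detect a sticky-keys binary swapped for cmd.exe (added example, not from the post).

On a clean system, System32\\sethc.exe and System32\\cmd.exe are different
programs with different hashes.  After the swap described above they are
byte-for-byte identical, so a hash comparison is enough to flag it.  The
check takes the System32 directory as a parameter so it works against a
live system or a mounted offline image (e.g. D:\\Windows\\System32).
"""
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# Accessibility binary named in the post and the shell it gets replaced with.
ACCESSIBILITY_BINARY = "sethc.exe"
SHELL_BINARY = "cmd.exe"


def sha256_of(path: Path) -> str:
    """Return the hex SHA-256 of a file, streamed so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_sethc(system32: Path) -> dict:
    """Compare sethc.exe against cmd.exe in the given System32 directory.

    Returns both hashes plus a 'swapped' verdict.  A missing sethc.exe is
    reported separately: deleting it defeats the trick but is itself a
    tamper signal worth investigating.
    """
    sethc = system32 / ACCESSIBILITY_BINARY
    cmd = system32 / SHELL_BINARY
    if not cmd.is_file():
        raise FileNotFoundError(f"{cmd} not found; is {system32} a System32 directory?")
    if not sethc.is_file():
        return {"sethc_sha256": None, "cmd_sha256": sha256_of(cmd),
                "swapped": False, "missing": True}
    s, c = sha256_of(sethc), sha256_of(cmd)
    return {"sethc_sha256": s, "cmd_sha256": c, "swapped": s == c, "missing": False}


def build_demo_system32(swapped: bool) -> Path:
    """Constructed sample: a temp directory imitating System32 (no real binaries)."""
    d = Path(tempfile.mkdtemp(prefix="fake_system32_"))
    cmd_bytes = b"MZ fake cmd.exe " * 64
    (d / SHELL_BINARY).write_bytes(cmd_bytes)
    sethc_bytes = cmd_bytes if swapped else b"MZ fake sethc.exe " * 64
    (d / ACCESSIBILITY_BINARY).write_bytes(sethc_bytes)
    return d


def main() -> None:
    # On a real Windows host audit the live System32; elsewhere use the constructed sample.
    if sys.platform == "win32":
        target = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32"
    else:
        target = build_demo_system32(swapped=True)
    result = check_sethc(target)
    print(f"{target}: swapped={result['swapped']} missing={result['missing']}")


if __name__ == "__main__":
    main()
```

Because the swap is performed from the repair environment, the check is most useful run against the offline image from a known-good boot medium; a compromised live system could in principle lie about its own files. Either way, the real fix stated at the top of the post still applies: with BitLocker on the OS volume, the repair environment cannot touch sethc.exe in the first place.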

2. Mac OS

Tested OS: OS X 10.11 El Capitan

Reboot and hold Command + R while the OS is booting. You will see a slower loading bar under an Apple logo (it is usually quite slow, so be patient 🙇). Once booted, go to Utilities and open a Terminal: you will have root privileges.


From there you can change the current administrator password, add an administrator, dump the existing credentials... You are limited only by your imagination 💆.


3. Linux

Tested OS: Debian 7 / 8 with GRUB

Reboot the OS. If you don't see the GRUB menu while booting (the GRUB timeout might be set to 0), reboot and hold the Shift key to show it. Once you see the GRUB menu, select the image you want to boot (usually the first entry) and edit its boot entry by pressing the "e" key. Append init=/bin/sh to the line starting with linux and change "ro" to "rw" (read-only to read-write 💀). Now press Ctrl-X to boot with these parameters.

You will be dropped into a shell with root privileges.



From there you can change the current administrator password, add an administrator, dump the existing credentials... You are limited only by your imagination 💆.
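Two controls stop the "press e, add init=/bin/sh" edit above, and the audit below checks for both, as an added example (not code from the original post): a GRUB superuser password (a `set superusers=` line plus a `password_pbkdf2` hash in grub.cfg; menu entries marked `--unrestricted` still boot without a password, but editing them prompts for one), and an encrypted root device, which is what makes the edited boot line, or an offline edit of the disk, useless without the passphrase. Both checks work on text, so they run against a mounted image as well as a live host (`/boot/grub/grub.cfg` and the output of `lsblk --json -o NAME,TYPE,MOUNTPOINT`). The grub.cfg and lsblk samples are constructed for the demo; the pbkdf2 hash in them is a placeholder, not a real hash.

```python
"""Audit a GRUB config and the block-device tree for the two controls that
defeat the init=/bin/sh trick (added example, not from the post):

1. a GRUB superuser password, so pressing "e" on an entry asks for
   credentials before the kernel line can be changed;
2. an encrypted root device, so an edited boot line or an offline edit of
   the disk yields nothing usable without the passphrase.
"""
import json
import re

# --- GRUB password ---------------------------------------------------------

SUPERUSERS_RE = re.compile(r'^\s*set\s+superusers\s*=\s*"?([^"\s]+)"?', re.M)
PBKDF2_RE = re.compile(r'^\s*password_pbkdf2\s+(\S+)\s+grub\.pbkdf2\.sha512\.', re.M)
PLAIN_PW_RE = re.compile(r'^\s*password\s+(\S+)\s+\S+', re.M)   # plaintext form


def grub_password_status(grub_cfg: str) -> dict:
    """Report whether grub.cfg defines a superuser and how its password is stored.

    'protected' is True only when a superuser exists AND that user has a
    hashed (pbkdf2) password; a plaintext `password` line is flagged separately
    because anyone who can read the file can read the password.
    """
    su = SUPERUSERS_RE.search(grub_cfg)
    superusers = su.group(1).split(",") if su else []
    hashed = set(PBKDF2_RE.findall(grub_cfg))
    plaintext = set(PLAIN_PW_RE.findall(grub_cfg))
    protected = any(u in hashed for u in superusers)
    return {"superusers": superusers, "hashed_users": sorted(hashed),
            "plaintext_users": sorted(plaintext), "protected": protected}


# --- Encrypted root ---------------------------------------------------------

def root_is_encrypted(lsblk_json: str) -> bool:
    """Walk `lsblk --json -o NAME,TYPE,MOUNTPOINT` output and return True if the
    device mounted at / sits on or below a dm-crypt ('crypt') node."""
    tree = json.loads(lsblk_json)["blockdevices"]

    def walk(nodes, under_crypt):
        for n in nodes:
            here = under_crypt or n.get("type") == "crypt"
            if n.get("mountpoint") == "/" and here:
                return True
            if walk(n.get("children", []), here):
                return True
        return False

    return walk(tree, False)


# --- Constructed samples (not captured from a real host) --------------------

GRUB_CFG_WEAK = """\
set timeout=0
menuentry 'Debian GNU/Linux' {
    linux /vmlinuz root=/dev/sda1 ro quiet
    initrd /initrd.img
}
"""

GRUB_CFG_HARDENED = """\
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDERSALT.PLACEHOLDERHASH
set timeout=5
menuentry 'Debian GNU/Linux' --unrestricted {
    linux /vmlinuz root=/dev/mapper/debian-root ro quiet
    initrd /initrd.img
}
"""

LSBLK_PLAIN = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "mountpoint": "/"}]}]})

LSBLK_LUKS = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "mountpoint": "/boot"},
        {"name": "sda2", "type": "part", "mountpoint": None, "children": [
            {"name": "sda2_crypt", "type": "crypt", "mountpoint": None, "children": [
                {"name": "debian-root", "type": "lvm", "mountpoint": "/"}]}]}]}]})


def audit(grub_cfg: str, lsblk_json: str) -> dict:
    """Combine both checks; the boot-line edit is only fully defeated when both hold."""
    pw = grub_password_status(grub_cfg)
    enc = root_is_encrypted(lsblk_json)
    return {"grub_password": pw["protected"], "root_encrypted": enc,
            "resists_boot_edit": pw["protected"] and enc}


if __name__ == "__main__":
    for label, cfg, lsblk in (("weak", GRUB_CFG_WEAK, LSBLK_PLAIN),
                              ("hardened", GRUB_CFG_HARDENED, LSBLK_LUKS)):
        print(label, audit(cfg, lsblk))
```

On Debian, grub.cfg is generated, so the password lines go into /etc/grub.d/40_custom (hash produced with grub-mkpasswd-pbkdf2) followed by update-grub; the audit reads the generated file because that is what GRUB actually enforces. The password alone is not enough: as the NB at the top of the post says, an unencrypted disk can simply be edited from another environment, which is why `resists_boot_edit` requires the encrypted root as well.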


4. FreeBSD

Tested OS: FreeBSD 9

Courtesy of https://www.cyberciti.biz/tips/howto-freebsd-reset-recover-root-password.html


Restart the FreeBSD OS and press the Enter key at the boot loader. At the Welcome to FreeBSD! boot menu, press the Spacebar to pause the default boot. Press the 4 key to boot into single-user mode.



At the system prompt "Enter full pathname of shell or RETURN for /bin/sh:", press Enter to boot into single-user mode. You will immediately be dropped into a shell with root privileges.


From there you can change the current administrator password, add an administrator, dump the existing credentials... You are limited only by your imagination 💆.
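The reason single-user mode lands directly on a root prompt is the `secure` flag on the `console` line of /etc/ttys: when that entry is marked `insecure` instead, init(8) asks for the root password before handing out the single-user shell. The parser below, an added example and not code from the original post, reads an /etc/ttys file and reports whether the console is gated that way; the two ttys samples are constructed for the demo.

```python
"""Check whether a FreeBSD /etc/ttys makes single-user mode ask for the root
password (added example, not from the post).

/etc/ttys lines have the form:  name  getty  type  status  [secure|insecure]
When the `console` entry is marked `insecure`, init(8) requires the root
password before giving out the single-user shell; the default `secure` is why
the procedure above lands directly on a root prompt.
"""
import shlex

# Constructed samples, not copied from a real host.
TTYS_DEFAULT = """\
# name  getty                           type    status  comments
console none                            unknown off secure
ttyv0   "/usr/libexec/getty Pc"         xterm   onifexists secure
ttyu0   "/usr/libexec/getty 3wire"      vt100   onifconsole secure
"""

TTYS_HARDENED = TTYS_DEFAULT.replace("off secure", "off insecure")


def parse_ttys(text: str) -> dict:
    """Return {tty_name: [getty, type, status, *flags]} for non-comment lines."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = shlex.split(line)   # the getty command is one quoted field
        if len(fields) < 4:
            continue                 # malformed line: ignore rather than guess
        entries[fields[0]] = fields[1:]
    return entries


def single_user_needs_password(text: str) -> bool:
    """True when the console is marked insecure (single-user mode prompts for root)."""
    console = parse_ttys(text).get("console")
    if console is None:
        return False                 # no console entry: nothing marks it insecure
    return "insecure" in console[3:]


def insecure_terminals(text: str) -> list:
    """All terminals flagged insecure (root logins refused there; console gates single-user)."""
    return sorted(name for name, f in parse_ttys(text).items() if "insecure" in f[3:])


if __name__ == "__main__":
    for label, sample in (("default", TTYS_DEFAULT), ("hardened", TTYS_HARDENED)):
        print(label, "single-user asks for root password:",
              single_user_needs_password(sample))
```

Two caveats when acting on the result: the prompt only helps if root actually has a password set, and /etc/ttys is just a file on the disk, so without GELI (or another full-disk encryption) it can be edited back from any other boot environment, exactly as the NB at the top of the post describes.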


That's it! Hope this is useful for you.
