2

I am working on an exploit for a security course. The object is to obtain a root shell in a Linux virtual machine. So far, I can write to /etc/passwd and change root's password to an arbitrary string.

Now, I want to use su to get the root shell. Since my exploit has to be automated, it can't prompt for a password, and the VM doesn't have expect installed. Does anybody have any idea how I can pass the password to the su command? Or is there a better way?

Oliver Salzburg • 89,072 • 65 • 269 • 311
noobler • 167

2 Answers

0

The best way to automate this type of input is using expect or, better, pexpect. Most servers come with Python, at least with a modern distribution.

First off, you said your VM does not have expect installed? I'm not sure why that matters. Is there any reason why you cannot install/execute something under your local account?

Next consideration: why must you even use passwd? You can also change a password by replacing the hash specified in /etc/shadow. You obviously would need to correctly pregenerate a hash first, but as long as you use a supported one it should work as expected. Now, how you would script such an action, that's an exercise for you to work out.

I also want to mention, passwd does not read its input from STDIN. If I'm not mistaken, it reads from a tty. So no fancy combo of just echo and sleep would work. However, it's possible using a HEREDOC, but it assumes the system is sufficiently responsive. You may be able to break it up and sleep between entries. I just tested this; it worked on my Ubuntu workstation.

```bash
#!/bin/bash
# Feed the new password and its confirmation to passwd via a quoted heredoc.
passwd root <<'EOF'
newpassword
newpassword
EOF
```
J. M. Becker • 641 • 6 • 15
-2

Your exploit could also write to the groups file and make the current user part of the 'wheel' group (or whatever group can run sudo commands w/o a password). Then you'll be able to sudo su root (or any other user) w/o a password.

Running visudo should give you some direction on the setup of the 'wheel' group on your machine.

To clarify: once a user becomes part of the wheel group, they can run sudo commands without needing a password.
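Both answers above, and the question itself, describe the same kind of change from the defender's side: a password field or UID-0 entry edited directly into /etc/passwd, a hash swapped in /etc/shadow, or an account quietly added to the wheel/sudo group. The following audit script is an added example written for this page, not code from the asker or either answerer. It parses the colon-separated format of /etc/passwd and /etc/group and flags those three patterns. The file contents, the "backup" account, the `$6$saltsalt$...` hash value and the expected admin-group membership are all constructed for the example; on a real host you would read the live files and keep an expected-membership list from your configuration management.

```python
"""Added example (not from the question or either answer): audit checks for the
tampering patterns discussed on this page: a password hash written directly
into /etc/passwd, an extra UID-0 account, and unexpected members of the
wheel/sudo group. All sample file contents below are constructed."""

# Constructed sample /etc/passwd. The "backup" line carries a crypt-style hash
# in the password field and UID 0, which is what a direct edit looks like.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
student:x:1000:1000:student:/home/student:/bin/bash
backup:$6$saltsalt$CONSTRUCTEDHASHVALUE:0:0:backup:/root:/bin/bash
"""

# Constructed sample /etc/group: "student" has been added to wheel.
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:admin,student
sudo:x:27:admin
student:x:1000:
"""

# Assumed baseline of who is allowed in the admin groups (constructed).
EXPECTED_ADMIN_GROUP_MEMBERS = {"wheel": {"admin"}, "sudo": {"admin"}}


def parse_colon_file(text):
    """Yield the colon-separated fields of each non-empty, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split(":")


def find_uid0_accounts(passwd_text):
    """Return account names with UID 0 other than root, sorted."""
    return sorted(
        fields[0]
        for fields in parse_colon_file(passwd_text)
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root"
    )


def find_inline_password_fields(passwd_text):
    """Return accounts whose /etc/passwd password field is not the shadow marker.

    On a shadowed system that field should be 'x' (or '*'); a hash or an
    empty field there means the file was edited outside passwd(1)."""
    return sorted(
        fields[0]
        for fields in parse_colon_file(passwd_text)
        if len(fields) >= 2 and fields[1] not in ("x", "*")
    )


def find_unexpected_group_members(group_text, expected):
    """Return {group: set(members not in the expected baseline)}."""
    unexpected = {}
    for fields in parse_colon_file(group_text):
        if len(fields) < 4 or fields[0] not in expected:
            continue
        members = {m for m in fields[3].split(",") if m}
        extra = members - expected[fields[0]]
        if extra:
            unexpected[fields[0]] = extra
    return unexpected


def audit(passwd_text, group_text, expected_admins):
    """Run all three checks and return their findings in one dict."""
    return {
        "extra_uid0": find_uid0_accounts(passwd_text),
        "inline_password_fields": find_inline_password_fields(passwd_text),
        "unexpected_admin_members": find_unexpected_group_members(
            group_text, expected_admins
        ),
    }


if __name__ == "__main__":
    findings = audit(SAMPLE_PASSWD, SAMPLE_GROUP, EXPECTED_ADMIN_GROUP_MEMBERS)
    for name, value in findings.items():
        print(f"{name}: {value}")
```

Run it as-is to see the constructed findings; to use it on a host, replace the sample strings with the contents of the real files and maintain the expected-membership dict alongside the rest of your baseline, so that a diff in any of the three results becomes an alert rather than something noticed after the fact.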