Robert1
Mission Specialist

Crack root password

Has anyone found a way to crack ROOT... listed on the RHCSA exam objectives?

I have found many videos... but I cannot replicate them.

I tried using a RHEL 7.5 VM in VirtualBox and VMware and get the same result...

Boots back up and NONE of the passwords work. It's like they all got erased during the process.

Anyone know a fix? Sound familiar?

Thanks - R

21 Replies

Tracy_Baker
Starfighter

@Robert1 wrote:

when i look at the 134 course book, on page 26, resetting your lost root password...

it has all the same steps except, when you go to change the root password... instead of:

'passwd' ... 2 times, the text says to put in the following command:

'echo redhat | passwd --stdin root'


This is interesting. I'm looking at the RH134, chapter 1.3 material right now on Gilmore (Red Hat's content portal for Red Hat Academies). This should be the most current version.

It doesn't mention the --stdin method of setting a password. Even so, there isn't any reason why it won't work. (I teach this method to my scripting students when we write scripts for user management.)

It does say to use passwd root, which would have you enter the password twice. This works fine in my physical lab (RHEL 7.0 -- which, incidentally, is what the RHCSA testing environment is), and on my CentOS 7.6 VM.

In any event, it makes no difference which way you use, as long as the password gets changed.

Program Lead at Arizona's first Red Hat Academy, est. 2005
Estrella Mountain Community College
philip_sweany
Flight Engineer

Tracy:

We did not use the --stdin method in RH134, only because we sometimes debate about adding something that might be perceived as being too clever, in an attempt to do only that which is widely understood at the RHCSA level.

Having said that, I think the --stdin way of changing passwords is cleaner and nicely clever and absolutely how it should be done in scripts. Thank you for the feedback.

philip_sweany
Flight Engineer

At the risk of being too clever, or putting everyone to sleep, I would like to contribute some version-specific information. You all should be on the latest version of RHEL 7.x -- why aren't you all on RHEL 8 yet? -- but in case you are using earlier RHEL 7.x versions, you need to know that the procedure changed. We fixed some SELinux behavior and ... etc, etc, etc.

So, just for the conversation, thought you all might be amused:

______________________________________________________________

Here is an alternate RHEL7 boot process method for changing the root password.

****  init=/bin/bash method

** Interrupt GRUB, press e to edit
** Add "init=/bin/bash" to end of linux line
** Remove "rhgb quiet"
** Remove "console=ttyS0,115200n8"
** Press Ctrl+X to boot

sh-4.2# mount -o remount,rw /
sh-4.2# /usr/sbin/load_policy -i
sh-4.2# passwd root
sh-4.2# mount -o remount,ro /
sh-4.2# /sbin/reboot -f

______________________________________________________________

This next method breaks in about as early as one can, during the early steps while locating the root disk.

**** rd.break method (RHEL 7.2+)

** Interrupt GRUB, press e to edit
** Add "rd.break" to end of linux line
** Remove "console=ttyS0,115200n8"
** Press Ctrl+X to boot

Loading the SELinux policy before changing the root password causes an AVC denial when updating the root password. Instead, set the password, then load the policy and fix the contexts. Without a restored file context, no local users can log in after a reboot, since /etc/shadow will have an invalid security context.

switch_root:/# mount -o remount,rw /sysroot
switch_root:/# chroot /sysroot
sh-4.2# passwd root
sh-4.2# load_policy -i
sh-4.2# restorecon -Rv /etc
sh-4.2# touch /.autorelabel (ONLY IF load_policy FAILS)
sh-4.2# exit
switch_root:/# exit

** Exiting returns to rd; boot process resumes.

______________________________________________________________

This method was how we handled the same AVC issues back in the earliest RHEL 7.  This method should not be needed, ever, because NONE OF YOU ARE ON RHEL 7.0.

**** rd.break method 7.0

** Interrupt GRUB, press e to edit
** Add "rd.break" to end of linux line
** Remove "rhgb quiet"
** Remove "console=ttyS0,115200n8"
** Press Ctrl+X to boot

switch_root:/# mount -o remount,rw /sysroot
switch_root:/# chroot /sysroot
sh-4.2# passwd root
sh-4.2# touch /.autorelabel
sh-4.2# exit
switch_root:/# exit

** Exiting returns to rd; boot process resumes.
** SELinux autorelabel occurs; system reboots.

______________________________________________________________

And finally, here is the normal and proper way to do emergency tasks, when the system is not in worse shape and the root password is known, because this is what the emergency target was designed to do instead of all of those crazy hacks I already showed you!

**** emergency.target method

** Interrupt GRUB, press e to edit
** Add "systemd.unit=emergency.target" to end of linux line
** Press Ctrl+X to boot
** Enter the root password

[root@localhost ~]# mount -o remount,rw /
[root@localhost ~]# mount -a
[root@localhost ~]# <emergency tasks>
[root@localhost ~]# mount -o remount,ro /
[root@localhost ~]# exit

** System continues booting normally to default.target.

Don't say I never tell ya nuthin'.

Phil Sweany, RHCA
Cloud Curriculum Architect

Tracy_Baker
Starfighter

@philip_sweany wrote:

This method was how we handled the same AVC issues back in the earliest RHEL 7.  This method should not be needed, ever, because NONE OF YOU ARE ON RHEL 7.0.

What you may not know, Philip, is that the physical and online (NetLab) teaching environments - specifically, the virtual machines that the students use - for RH124, RH134, and RH254 are all on RHEL 7.0. At least this is true for Red Hat Academies.

My physical lab's foundation OS, that underlies the VMs, is 7.5.

As a result, the RHCSA (EX200) and RHCE (EX300) certification exam testing environments are also RHEL 7.0 -- the testing environment is the same as the training environment (if that's changed, I don't know about it).

As a result, I need to teach my students (who most likely couldn't even spell Linux before taking one of my classes) a fairly easy, repeatable, way to perform password recovery for RHEL 7.0.

Program Lead at Arizona's first Red Hat Academy, est. 2005
Estrella Mountain Community College
Scott
Starfighter

All the RHCE track training courses (RH124, RH134, RH199, RH254, RH300) are on RHEL 7.0. The main reason for this is a lack of changes to the content based on the intermediate update releases of RHEL. Sure, 7.1 or 7.2 or the most recent 7.6 adds features, enhancements, and fixes to the distribution; however, ls works the same, user management, package management, the systemctl commands included in the training, all of that stuff works the same. Hence, not really a need to update the course content to a newer dot release.

I would clarify what I think Phil meant, which is "None of you should be running RHEL 7.0 in your live environments". Those dot releases also provide security errata and a variety of other things that someone using RHEL in a non-training way would want to ensure are present on systems they administer.

-STM

RJ
Flight Engineer

For Red Hat systems particularly running SELinux in Enforcing mode, this is an alternate way to deal with resetting the root password and the relabeling of /etc/shadow, vs. doing a "touch /.autorelabel" which hits everything.  This is particularly noteworthy if a system has a giant RAID or SAN attached.  Example, I have one customer with a 500TB (yes, terabyte) raid array, and there is **no need** to relabel that raid array if we have to do a password reset.

 

Credit, Red Hatter [THE BELOW ARTICLE NOW REDIRECTS TO SOMETHING DIFFERENT]

https://access.redhat.com/solutions/918283#comment-1274541

1. At the beginning of the boot process, at the GRUB 2 menu (kernel list), type the e key to edit the kernel

2. Move down to the kernel line (the line starting with linux16)

3. Remove rhgb quiet using the backspace key.

4. Add rd.break enforcing=0

NOTE: you might have to make "console=tty0" in step 4 as well, depending on whether it's virtual or not, and other factors

5. Press Ctrl x to resume the boot process.

NOTE: instead of doing #6 below, at step #3 above, change "ro" to "rw" in the grub line

6. # mount -o remount,rw /sysroot

7. # chroot /sysroot

8. # passwd

9. Retype the password

10. Type exit twice to continue the boot process

11. Log in as root

12. # restorecon -Rv /etc/shadow

EDITED: The "-R" option above is excessive (recursive) when hitting one file (thank you for mentioning it, Tracy).

13. # setenforce 1

So... Is the previously described method wrong? Certainly not. There might be times to take an alternate route, such as a 500TB raid array.

RJ
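Added example, not from the thread or from any Red Hat course material: a small POSIX shell script that applies the point made in Phil's rd.break notes and in RJ's step 12 above, working out which files actually lost their SELinux context after a root password reset so that only those get restorecon rather than a full /.autorelabel pass. It assumes the RHEL 7 output formats of `ls -Z` (context, then path) and `matchpathcon` (path, then expected context); the sample lines embedded below are constructed.

```shell
#!/bin/sh
# Added example: decide which files need restorecon after an rd.break password
# reset, instead of relabeling every filesystem with touch /.autorelabel.
# Inputs are the text of `ls -Z <files>` (context then path, as RHEL 7 prints it)
# and of `matchpathcon <files>` (path then the context the policy expects).

# Constructed sample `ls -Z` output: /etc/shadow was rewritten before the
# policy was loaded, so it carries unlabeled_t instead of shadow_t.
SAMPLE_LS_Z='system_u:object_r:shadow_t:s0 /etc/gshadow
system_u:object_r:unlabeled_t:s0 /etc/shadow
system_u:object_r:passwd_file_t:s0 /etc/passwd'

# Constructed sample `matchpathcon` output for the same files.
SAMPLE_MATCHPATHCON='/etc/gshadow	system_u:object_r:shadow_t:s0
/etc/shadow	system_u:object_r:shadow_t:s0
/etc/passwd	system_u:object_r:passwd_file_t:s0'

# mislabeled_files LS_Z_TEXT MATCHPATHCON_TEXT
# Prints each path whose current SELinux type differs from the expected type.
mislabeled_files() {
    printf '%s\n' "$1" | while read -r ctx path; do
        expected=$(printf '%s\n' "$2" | awk -v p="$path" '$1 == p { print $2 }')
        cur_type=$(printf '%s' "$ctx" | cut -d: -f3)
        exp_type=$(printf '%s' "$expected" | cut -d: -f3)
        if [ -n "$exp_type" ] && [ "$cur_type" != "$exp_type" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# repair_commands LS_Z_TEXT MATCHPATHCON_TEXT
# Emits the minimal fix: restorecon on just the mislabeled paths. Review the
# output before running it as root; restorecon on a single file needs no -R
# and touches nothing else on the host.
repair_commands() {
    mislabeled_files "$1" "$2" | while read -r path; do
        printf 'restorecon -v %s\n' "$path"
    done
}

# Stand-alone run on the constructed sample. On a real SELinux host, feed the
# two functions "$(ls -Z /etc/shadow /etc/gshadow /etc/passwd)" and
# "$(matchpathcon /etc/shadow /etc/gshadow /etc/passwd)" instead.
repair_commands "$SAMPLE_LS_Z" "$SAMPLE_MATCHPATHCON"
```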
Tracy_Baker
Starfighter

@RJ wrote:

12. # restorecon -Rv /etc/shadow

This seems odd, why use the -R (recursive) option when applying it to a single file?

Anyway, I just tried it on a test directory and contents -- and works (and it didn't mess with the subdirectories and their files), so no harm done by the -R option.

Program Lead at Arizona's first Red Hat Academy, est. 2005
Estrella Mountain Community College
RJ
Flight Engineer

Yup, you're right, Tracy, and thanks. Step 12 is excessive (with, as you mention, the -R (recursive) option). I copied it from the original post (now gone) and appreciate the feedback.

RJ

Robert1
Mission Specialist

Wow...thanks for all the replies. I finally got my browser to work...and now can respond.

Couple things-

Interesting that the exam is on version 7.0, I will download that as a VM and try some of the above solutions.

As for 8, 7.6, and 7.5 I got varied results, and none worked until I tried the '--stdin' code on the 7.5 version.

I agree with Tracy, need a standard way to do this so I can understand what is going on, and as important -- get past the first question on the 200 exam.

I'm actually on vacation and will try and test out some of y'alls solutions when I get a chance and will let you know.

Sorry for the late response... technical difficulties.

I really appreciate all the responses!

Thanks!!

Tracy_Baker
Starfighter

I write most of my content for my classes, and test things, on CentOS 7.6.

However, I need to always keep in mind there are differences between 7.6 and 7.0.

One major example is what you can do with the nmcli command -- 7.6 allows you to do things with nmcli add that 7.0 only allowed with nmcli modify (however, you can still do them the 7.0 way in 7.6). Another is that, in 7.0, if you right-click on the desktop and choose Open Terminal it will open to ~/Desktop/ and if you do the same with 7.6 it will open at ~/.

There are other, less significant, things. The good thing is that if it worked in 7.0, it works in 7.6 (I have yet to find an exception to this that impacts the RHCSA/RHCE course content - RH124, RH134, and RH254), which works out just fine when studying for the exams -- just don't use the "new" ways.

Password "recovery" is one of those things. If you follow the procedure described at the end of RH124 or the beginning of RH254 (it is the same), you won't have any problems - regardless of the kernel version you are using (you may, however, experience differences if you are working with some virtual machines as mentioned by @philip_sweany and @RJ).

Program Lead at Arizona's first Red Hat Academy, est. 2005
Estrella Mountain Community College