In the tutorial Hack Windows 7 Account Password, I showed that having an account password on a Windows computer does not mean that it is unbreakable. In this tutorial, we are going to have a look at how to do something similar on a Linux-based system, Ubuntu, by hacking the GNU GRUB loader.
We have a system running Ubuntu 12.10, which we cannot log in to because we do not have the correct password. The objective is to remove the password and gain access.
1. At boot press Shift to bring up the GRUB loader
2. Mark the boot option you want to use (here Ubuntu) and press e
3. Navigate down to the text linux /boot/vmlinuz-3.5…
We are now going to trick the GNU GRUB loader into dropping the normal boot process and instead booting straight into a shell with root privileges.
4. Change the argument ro to rw
5. Remove the text splash $vt_handoff
6. Add the text init=/bin/sh
Changing ro (read only) to rw (read write) allows the root account to change system files during boot instead of just reading them. We don't need the text splash $vt_handoff, since it only has to do with the graphics shown during boot. Finally, we add the text init=/bin/sh to tell the kernel to execute a shell instead of the standard init.
7. Press F10 to reboot
We have rebooted into a shell. Let's check who we are logged in as.
8. Type whoami
Nice, we are logged in as root. Unlimited power is at our fingertips! Now we want to remove the password for the account hegelund. This can be done in a number of ways; in this tutorial we are going to do it by editing the password hash directly in the shadow file.
9. Type nano /etc/shadow
10. Navigate to the desired username – here hegelund
11. Remove the hash value of the password ($hashtype$salt$password$)
12. Press Ctrl + X to exit
13. Press Y to save the changes and confirm by pressing Enter
14. Reboot the computer
15. Choose the boot option you want to use (here Ubuntu) and press Enter
The changes made to the GNU GRUB loader are not permanent, so after the reboot the system should boot up as normal.
16. Log in as the user hegelund without a password
The method should work on all Debian-based systems using the GNU GRUB loader. This tutorial serves to prove that if you store sensitive information on your system, you should not rely on an account password alone. Credit for the method goes here.
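
From the defender's side, the procedure above depends on two conditions that can be checked: GRUB lets anyone edit a boot entry, and /etc/shadow ends up with an empty password field. The shell functions below are an added example, not part of the original tutorial; the function names and default paths (/etc/shadow, /boot/grub/grub.cfg) are assumptions, and the sample data in demo is constructed.

```shell
#!/bin/sh
# Added audit example, not part of the original tutorial.
# Default paths are the usual Ubuntu locations (assumption).
# Usage: run audit_boot_and_shadow as root, or demo for an offline run.

# Names of accounts whose shadow password field (field 2) is empty: the state
# step 11 leaves behind. Locked entries ("!" or "*") are not empty.
empty_password_accounts() {
    awk -F: 'NF >= 2 && $1 !~ /^#/ && $2 == "" { print $1 }' "${1:-/etc/shadow}"
}

# Succeeds when grub.cfg sets a superuser and a password. GRUB then asks for
# credentials before "e" opens the entry editor used in steps 2 to 7.
grub_editor_protected() {
    grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "${1:-/boot/grub/grub.cfg}" &&
    grep -Eq '^[[:space:]]*password(_pbkdf2)?[[:space:]]+[^[:space:]]+' "${1:-/boot/grub/grub.cfg}"
}

# Report both findings; exit status 1 if either is present.
audit_boot_and_shadow() (
    shadow="${1:-/etc/shadow}"; cfg="${2:-/boot/grub/grub.cfg}"; rc=0
    names=$(empty_password_accounts "$shadow")
    if [ -n "$names" ]; then
        printf '%s\n' "$names" | sed 's/^/empty password field: /'
        rc=1
    fi
    if ! grub_editor_protected "$cfg"; then
        echo "GRUB entries can be edited without a password: $cfg"
        rc=1
    fi
    exit "$rc"
)

# Constructed sample data (not from a real host) for an offline run.
demo() (
    d=$(mktemp -d) || exit 2
    printf '%s\n' 'root:!:15800:0:99999:7:::' 'hegelund::15800:0:99999:7:::' > "$d/shadow"
    printf '%s\n' 'menuentry "Ubuntu" {' '}' > "$d/grub.cfg"
    rc=0; audit_boot_and_shadow "$d/shadow" "$d/grub.cfg" || rc=$?
    rm -rf "$d"
    exit "$rc"
)
```

A GRUB password only closes the boot-entry editor; it does not protect the disk from someone who boots other media, which is why the tutorial's closing advice about not relying on an account password alone still applies.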