Privilege Escalation

Linux Password Recovery

You have inadvertently forgotten your Linux password and can’t log in to your system. You really need to obtain access to your system. You also need to figure out passwords for others in the system. (The steps below will only work in the lab.) You are NOT required to find all other user passwords, just the ones mentioned below.

Begin by obtaining the image. If you boot it, you won’t be able to log in since you don’t have any password. Instead of booting it normally, let’s boot it from the ’D’ drive, with any Ubuntu disk inserted (xenial_server). Boot to rescue mode. In rescue mode, you should be able to drop to a shell in the root filesystem (maybe something like /dev/sda1). You should be able to find what users exist in the system. (Hint: look in /etc/passwd.) To blank a user’s password, you essentially delete the hash in /etc/shadow. Be careful not to delete any of the other fields or colons (:).

You should blank the password for the rubio user.

Then, reboot and see if you can log in as the rubio user. Take a screenshot showing that you are logged in as the rubio user. (I know you could give any user root permissions here, but let’s pretend we can’t.)
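
The field layout that the caution about colons refers to, as an added example (not part of the original assignment): it runs only on constructed sample text with placeholder hash strings, and the function names are hypothetical. It empties one user's hash field while keeping all nine colon-separated fields, then reports accounts with an empty hash and lines whose field count is wrong.

```python
# Added example: /etc/shadow field handling on constructed data (not a real system file).
SHADOW_FIELDS = 9  # name:hash:lastchg:min:max:warn:inactive:expire:reserved

# Constructed sample entries; the hash values are placeholders, not real hashes.
SAMPLE = """\
root:!:18650:0:99999:7:::
rubio:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18650:0:99999:7:::
curtis:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18650:0:99999:7:::
"""

def parse_line(line):
    """Split one shadow entry into its 9 fields, rejecting damaged lines."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != SHADOW_FIELDS:
        raise ValueError(f"expected {SHADOW_FIELDS} fields, got {len(fields)}: {line!r}")
    if not fields[0]:
        raise ValueError("empty user name")
    return fields

def blank_password(text, user):
    """Return the text with only the hash field (field 2) of `user` emptied."""
    out, found = [], False
    for line in text.splitlines():
        fields = parse_line(line)
        if fields[0] == user:
            fields[1] = ""  # every other field and every colon is preserved
            found = True
        out.append(":".join(fields))
    if not found:
        raise KeyError(user)
    return "\n".join(out) + "\n"

def audit(text):
    """Report accounts with an empty hash and lines with a wrong field count."""
    empty, malformed = [], []
    for n, line in enumerate(text.splitlines(), 1):
        try:
            fields = parse_line(line)
        except ValueError:
            malformed.append(n)  # e.g. a colon was deleted along with the hash
            continue
        if fields[1] == "":
            empty.append(fields[0])
    return {"empty_password": empty, "malformed_lines": malformed}

if __name__ == "__main__":
    edited = blank_password(SAMPLE, "rubio")
    print(edited, audit(edited))
```
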


As you are hopefully now logged in, you can see what other users exist. You could use john to try and crack the passwd file, but as we have already done this, let’s skip it.


This system has at least 3 setUID vulnerabilities. See if you can figure out how to exploit 2 of them. Here are some potential resources:

Take screenshots of what you did to get root.

Hint: vim.basic has a setuid vulnerability, so basically, you can now edit /etc/sudoers and add rubio in the user specification setting. You will have to save your changes in vi with :w!. Then, as the rubio user, you should be able to do a sudo bash and get a root shell (A root shell ends with a #).

Online password attack

Once you have root privileges, you can edit your network settings so that your machine can connect to the internet. It is already set to DHCP. I will show you how to connect easily.

Use hydra to attack the ssh port of your machine. You should be able to crack the password for curtis and tom using the password list from the previous assignment. You should be able to find how to run the hydra command to attack your ssh port by searching on Google.

You can’t run hydra from oxygen to your virtual machine. The easiest way to run hydra against the VM will be to create a second VM that has hydra installed. I recommend using the most current version of Kali Linux. You can then see the IP address of your VMs with ip a. You may need to modify some network settings in VirtualBox.

Take a screenshot of the discovered passwords.

To Submit

Last Updated 01/24/2021