Creating a command and control server to take over a lab

Polestar
4 min read · May 6, 2024


From the first year of my college, whenever I had lab classes, I used to complete assignments less and explore the systems better. Our lab systems had Ubuntu 18.04 LTS installed on them. The way the labs were set up was that a student should only be able to log in using the student user, since they didn’t have the administrator or superuser passwords. A decent setup for a college lab. But my curiosity and a hidden agenda drove me further into exploring the systems and rooting them. The lab classes were a boot-to-root challenge for me.

I kept on exploring and trying different techniques to get root on at least one system, but neither did the ‘student’ account have sudo rights nor was there any SUID binary in the system. The system was completely locked down… apparently. After 3 years of exploring the lab machines and some experience in solving TryHackMe machines, I finally found a way to get hold of the ‘shadow’ file. If you don’t know what the shadow file is, it is the file that stores the hashed passwords, and only the root user can read it. Accessing the shadow file means getting all the hashes of the system, and with a proper wordlist, it is just a matter of time until the hashes are cracked to retrieve the plaintext passwords.

I always carried a live bootable pendrive with me with multiple flavors of Linux on it. I used Ventoy to create a multiboot pendrive. I used that to live boot one of the machines, mount the installed Linux filesystem from the disk and retrieve the shadow file of the host machine. It took half a day for John The Ripper to crack the hashes using the ‘rockyou.txt’ wordlist. I had root.

It was time to realize the ‘hidden agenda’ mentioned earlier. I wanted to create a C2 (command and control) server and control all the systems of the lab from my system (yes, one machine with a specific IP which no one occupies except me). I created a simple bash program which uses sshpass to automate SSH logins and execute arbitrary commands on other machines within the same network. Now I had full access to all the machines of my lab with root privileges and my own C2 server. I mainly used it to shut down all the machines of the lab when everyone was done, since not everyone was responsible enough to do that.

A few weeks back, the systems were upgraded to Ubuntu 22.04 LTS, so I had to use the same technique to retrieve the shadow file and crack the passwords. This time, the root password was not in the wordlist, but with a little guesswork, the admin password was cracked. The admin user had sudo rights. My C2 server was back in action. The tragedy happened next.

One day I was in the lab logged into the admin account for some work and learning, and our Sir happened to appear behind me. Now you’d expect me to be scolded… but he just asked me and my friends to leave because another class was about to start. In our next class, he asked me how I got access to the admin password and I explained everything to him from the start. I’ll never forget the smile and glow I saw on Sir’s face. It was no less than a reward for me.

But the sad part is, he had changed all the passwords. I still have my C2 server, but without sudo rights. The next day, the first thing I did was to retrieve the shadow file once again to get the new hashes, but they are still uncracked. Ubuntu has changed their default hashing algorithm from SHA512crypt to Yescrypt after the latest update in the Debian branch.

But the problem was the algorithm. Yescrypt is a memory-hard algorithm, and cracking it would take much longer with increasing wordlist size. A strange property of Yescrypt was that it generated different hashes for the same passphrase. This left me thinking for many days, until one day I checked the source code of libxcrypt, the library used by PAM for authentication and hashing in Linux.

From the sources, I found the relevant man pages, and on exploring crypt(3), crypt(5) and crypt_gensalt(3), I finally found my answer. The salt used in hashing a password is stored in the shadow file, and every time the system needs to authenticate, the shadow file is checked internally for the salt. Using the same salt for hashing a passphrase will always create the same hash. The different hashes generated for the same passphrase were due to the randomness involved in selecting the initial parameters. Since the salt was available in the shadow file itself, it was now very easy to create a custom Yescrypt cracker from scratch. I no longer had to rely on John. Unfortunately, Hashcat doesn’t have a mode for Yescrypt.
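The crypt(5) format described above is the same one an administrator reads when auditing which accounts are still protected by an older hash. The following Python script is an added example written for this article; it is not the author’s cracker and not code from the post. It splits each shadow entry into its algorithm prefix, cost parameters, per-user salt and digest (the salt field is exactly what crypt(3) reuses to re-hash a login attempt), then flags accounts whose hash is not memory-hard, is locked, or has an empty password field. The shadow lines are constructed sample data with made-up salts and digests, not real credentials, and the `$y$j9T$` cost string is the Ubuntu 22.04 default the article’s observation refers to.

```python
"""Audit /etc/shadow-style entries by their crypt(5) hash format (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample entries: salts and digests are arbitrary strings from crypt's
# ./0-9A-Za-z alphabet and do not correspond to any real password.
SAMPLE_SHADOW = """\
root:$y$j9T$Qa1b2C3d4E5f6G7h8I9j0k$kLmN/oPqRsTuVwXyZ0123456789abcdefghijklmnop:19849:0:99999:7:::
admin:$6$rounds=5000$saltsalt$AbCdEfGh0123456789IjKlMnOpQrStUvWxYz:19849:0:99999:7:::
student:$6$abcdefgh$Zz9Yy8Xx7Ww6Vv5Uu4Tt3Ss2Rr1Qq0Pp9Oo8Nn7:19849:0:99999:7:::
legacy:$1$abcdefgh$Ss2Rr1Qq0Pp9Oo8Nn7Mm6:19849:0:99999:7:::
daemon:*:19849:0:99999:7:::
guest:!:19849:0:99999:7:::
kiosk::19849:0:99999:7:::
"""

# crypt(5) prefixes handled here. yescrypt and bcrypt are cost/memory-hard;
# the md5crypt and sha*crypt families are cheap to attack on GPUs.
ALGORITHMS = {"$y$": "yescrypt", "$2b$": "bcrypt", "$6$": "sha512crypt",
              "$5$": "sha256crypt", "$1$": "md5crypt"}
MEMORY_HARD = {"yescrypt", "bcrypt"}


@dataclass
class CryptHash:
    algorithm: str
    params: Optional[str]  # yescrypt cost string (e.g. j9T), bcrypt cost, or sha*crypt rounds
    salt: str
    digest: str


@dataclass
class ShadowEntry:
    user: str
    status: str            # "hashed", "locked" or "nopassword"
    hash: Optional[CryptHash]


def parse_crypt_hash(field: str) -> CryptHash:
    """Split a crypt(5) hash string into algorithm, parameters, salt and digest."""
    for prefix, name in ALGORITHMS.items():
        if field.startswith(prefix):
            break
    else:
        raise ValueError(f"unsupported hash prefix in {field!r}")
    body = field[len(prefix):]
    if name == "yescrypt":
        # $y$<params>$<salt>$<digest>
        params, salt, digest = body.split("$", 2)
        return CryptHash(name, params, salt, digest)
    if name == "bcrypt":
        # $2b$<cost>$<22-char salt><31-char digest>
        cost, rest = body.split("$", 1)
        return CryptHash(name, cost, rest[:22], rest[22:])
    # md5crypt / sha*crypt: $N$[rounds=R$]<salt>$<digest>
    params = None
    if body.startswith("rounds="):
        rounds, body = body.split("$", 1)
        params = rounds[len("rounds="):]
    salt, digest = body.split("$", 1)
    return CryptHash(name, params, salt, digest)


def parse_shadow_line(line: str) -> ShadowEntry:
    """Read the user and password field of one shadow entry."""
    user, field = line.split(":", 2)[:2]
    if field == "":
        return ShadowEntry(user, "nopassword", None)
    if field.startswith(("!", "*")):   # locked account or no hash at all
        return ShadowEntry(user, "locked", None)
    return ShadowEntry(user, "hashed", parse_crypt_hash(field))


def audit(shadow_text: str) -> Dict[str, List[str]]:
    """Return findings keyed by user name; users with nothing to report are omitted."""
    findings: Dict[str, List[str]] = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        entry = parse_shadow_line(line)
        notes: List[str] = []
        if entry.status == "nopassword":
            notes.append("empty password field: account can log in without a password")
        elif entry.status == "hashed" and entry.hash.algorithm not in MEMORY_HARD:
            notes.append(f"{entry.hash.algorithm} is not memory-hard; "
                         "re-hashes to yescrypt on the next password change")
            if entry.hash.algorithm == "md5crypt":
                notes.append("md5crypt is obsolete")
        if notes:
            findings[entry.user] = notes
    return findings


if __name__ == "__main__":
    for user, notes in audit(SAMPLE_SHADOW).items():
        print(f"{user}: " + "; ".join(notes))
```

Run against a real file with `sudo python3 audit_shadow.py < /etc/shadow` after replacing `SAMPLE_SHADOW` with `sys.stdin.read()`; on Ubuntu 22.04 every entry set after the upgrade shows the `$y$j9T$` prefix, while entries carried over from 18.04 keep `$6$` until the password is changed, which is why a mixed fleet is worth auditing.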

Yescrypt cracker

This is a very simple piece of code I wrote that can crack a Yescrypt hash. It’s untested for other hashing algorithms, but using the man pages this code can be tuned to crack any hash type.

This was my little success story of creating my own C2 server in college after 3 years of dedicated learning, curiosity, brainstorming, and pranking my friends with it by logging everyone out all at once. Thank you for reading. All comments are appreciated.


Polestar

Writing to share how I see the World and my interesting daily life :) ig: __pole___star__