Authentification bypass from GRUB

Table of contents :


Grub is a piece of software that gets executed every time you boot your GNU/Linux machine, just before the init of your operating system.

Thanks to GRUB, you can choose which OS or Kernel to boot from at startup. You also are able to send informations directly to the kernel when it launchs.

Grub is localed in a clear partition that is different from your main OS one, which means that when your system is encrypted, there is no way to access it locally, UNLESS in the case of a bruteforce

(I excluded the possibility of leaving your system unlocked...)

We find here the importance of encrypting your partitions, so that you don’t get exposed to a situation of stealing/data manipulation and/or privilage escalation locally from the physical machine.

Tricks | Privesc from GRUB

Here I am, invited to a friend’s house! He tells me he uses GNU/Linux and sells himself to be safe. He goes away taking care to turn off his machine because he doesn’t trust me, let’s show him that it is possible to pop a root shell in an instant since his hard disk is not encrypted

Let’s turn on his machine!

grub default image

We land on its GRUB, let’s not press enter but the "E" key (editing function)

Let’s go down a little bit until we find the line "linux /boot/vmlinuz[...] ro quiet"

grub default image

Don't be surprised: you can't setxkbmap, you'll have to make do with qwerty.

Here we will edit the ro by rw instead, ro means Read-Only and rw Read-Write. This allows us to change the privileges of the user to let him write and not only read.

We will then add init=/bin/bash to our line: init is a start-up kernel parameter taking any executable/binary as parameter /bin/bash refers to your bash shell contained in /bin/bash

More documentation about kernel parameters is availible here

grub default image

Press F10, then it’s done (ᵔᵕᵔ)/

We find ourselves on a root shell with the ability to edit as desired, it’s beautiful isn’t it? :D

grub default image

We can now classically change the root password with passwd root.

Kernel panick | How to avoid it

Stay here, it’s not over!

You can’t get out of this environment in the classical way, try an exit and the machine will go into kernel panick

grub default image

What you see is a screen of a kernel panick that I was able to experiment on my own machine some time ago after making an init kernel change

The cleanest and safest way to get out of here in order to reboot is to use poweroff -f.

Thanks for reading c:

Special thank | Crystal (๑˘ ³˘)⠀~♡

Special thank to Crystal, she translated this article. <3