Hydra password attack on root not working

[BrandonHeat]

Me and a few collegues at work recently got our hands on an old machine , which we used to setup debian linux on and run a discourse(discussion platform) server. The guy who installed the OS and the server then gave the rest of us the lowest possible trust level at which you can do almost nothing and challenged us to elevate our accounts to admins.

The first thing I did was compile a list of all the passwords we used at work and use this for a ssh dictionary attack against his account with hydra, which worked. Then I ran into a bit of a problem. His account wasn't enough to do what I needed, so I tried running the same dictionary attack against the root account. When this didn't work, I tried an actual complete wordlist which took a few days to run, and still no success.

In the end I was able to guess the password and complete his challenge just because I knew the guy well enough and could predict what he would think of. What still bugs me, trough, is that when I tried to run hydra with a wordlist consisting of the the correct password I had found and a few others, it still failed. I also noticed that you couldn't ssh into the machine as root@ipadress with the correct password, either, almost as if the root account is disabled. When you login normally, however, and the use su with this password, it works, and your user is shown as root@machine:, so it is indeed the root account.

My question is this: How would run a brute force / dictionary attack against the root account on a machine such as this, which doesn't allow direct login as root?

[cyberdrain]

Hmm, just some ideas to get passwords. Run the command locally (stupid, but might work). Escalate privileges using a vulnerable daemon/program and dump the hashes. Dump contents of the shadow file using a running service (think Heartbleed and similar). Power down the machine, copy the file in which the passwords are stored and brute force that. Use some other account that you think might have the same password. Sniff the network in hopes of grabbing the hash. Brute force a user with administrator privileges first and use those to get to the hash of root. Use a hardware keylogger. Though not exactly an answer to you question, this is also fun: grab the hash some other way, pass the hash (only works when using LM or NTLM) and use the gained privileges.

Note: I haven't tested any of those, I have little knowledge of Linux privilege escalation.

[BrandonHeat]

Thanks, cyberdrain! This'll give me some ideas to play with next week.

[cyberdrain]

Let me know what you did and how it went, I'm interested.

[limdis]

The one account that you do have access to that "wasn't enough", login with it and try and locate the sshd_config file. It's possible that account has enough rights to edit that file. If it does, re-enable ssh root logins. Go back to hydra.

[cyberdrain]

That's a good one, I should remember to fix that on my box

[BrandonHeat]

Editing the sshd_config file worked like a charm Very nice trick, exactly what I was looking for!

[cyberdrain]

Limdis +1