Add a User with Root Privileges Non-Interactively

by Pipefish  (pipefish@anonymousspeech.com)

My intent for this article is to provide several neat methods that can be used when working with UNIX systems.

I wanted to share this with folks because I think these are very useful.  I'll not only tell you how to create a user whose privileges mirror root's, but I'll tell you how to do it in a non-interactive environment (via two methods).

To perform these, you already need root/sudo privileges on the system in question.  Of course, you must own the system or have permission to muck about with it!  Doing illegal things is bad for karma... probably.

Why?

Why would you want to add a root user if you're already root?

There are probably many cases for this, but one I constantly find myself in is during penetration tests.  I find myself with a non-interactive root shell on a Linux/UNIX system after taking advantage of some exploit.

If I want to be able to install packages to the system (maybe a SOCKS proxy or Nmap?), or do anything with much depth, I prefer an interactive environment, one where I can actually see what I'm doing and get the full benefit of TTY; namely stdin, stdout, and stderr.

Some companies won't let you change root's password (or don't like it).  Also, some distributions don't allow the root account to log in via SSH/Telnet (without changing config files).  So how do I get into the system via SSH or Telnet if I can't change root's password?

Add a user with the same UID/GID as root, of course!

Sounds easy enough, but it's tough in a non-interactive environment where any script or program that requires user input doesn't work as expected.  Below we'll bypass those limitations.

Let's Do It!

The first method to add a user non-interactively is very simple.

Add a user to your own system with a password and the group membership you want, then copy and echo the lines for that user from your password and shadow file into /etc/passwd and /etc/shadow on the target system.

I'll show you how to add a user that shares root's user/group ID in the next section, but the short version is: create the user on your own system with the same UID/GID and group memberships as root.

Example:

When I created a user called test on my system with a password of password, this is what that user's line looked like in my /etc/passwd and /etc/shadow files:

# /etc/passwd:
test:x:0:0::/home/test:/bin/sh

# /etc/shadow:
test:$6$aae8qp/j$r0c.HGGbDsIRRLc4x2htq588feJ3rsjzFvZOd/nawNkpA.D.kLzzAZA4UhfMc7zU8B13WuFu8oC8eKrXxaYxa/:14929:0:99999:7:::

On the system you have non-interactive access to, simply do this:

# echo 'test:x:0:0::/home/test:/bin/sh' >> /etc/passwd
# echo 'test:$6$aae8qp/j$r0c.HGGbDsIRRLc4x2htq588feJ3rsjzFvZOd/nawNkpA.D.kLzzAZA4UhfMc7zU8B13WuFu8oC8eKrXxaYxa/:14929:0:99999:7:::' >> /etc/shadow
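It helps to know what those two lines actually encode, on the defensive side as much as anywhere: the third and fourth passwd fields are the UID and GID, the second shadow field is the crypt(3) hash (the $6$ prefix means SHA-512 crypt), and the third shadow field is the day the password was set, counted from 1970-01-01.  The Python below is an added example, not the article's code: it parses passwd/shadow text in those formats and reports any UID 0 account other than root, any UID shared by several names, and any empty, legacy DES or unrecognized password field (the "root is the only UID 0 account" check found in hardening benchmarks is exactly this).  It runs on constructed sample text that embeds the article's test lines; the other hash strings are placeholders.

```python
"""Audit passwd/shadow text for extra UID-0 accounts and weak or empty password hashes.

Added example, not the article's code. Runs over constructed sample text that
embeds the article's 'test' lines; all other hash strings are placeholders.
"""
from datetime import date, timedelta

# Constructed sample /etc/passwd: ordinary entries plus the article's appended 'test' line.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
test:x:0:0::/home/test:/bin/sh
"""

# Constructed sample /etc/shadow: only the 'test' hash is the article's; the rest are placeholders.
SAMPLE_SHADOW = """\
root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:14900:0:99999:7:::
alice:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:14920:0:99999:7:::
test:$6$aae8qp/j$r0c.HGGbDsIRRLc4x2htq588feJ3rsjzFvZOd/nawNkpA.D.kLzzAZA4UhfMc7zU8B13WuFu8oC8eKrXxaYxa/:14929:0:99999:7:::
"""

# crypt(3) hash-type prefixes as written into the shadow password field.
HASH_PREFIXES = {
    "$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$7$": "scrypt", "$y$": "yescrypt",
}
PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("name", "hash", "lastchg", "min", "max", "warn", "inact", "expire", "flag")


def _records(text, nfields, what):
    """Yield colon-split records, skipping blank/comment lines; reject wrong field counts."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"malformed {what} line ({len(fields)} fields): {line!r}")
        yield fields


def parse_passwd(text):
    rows = []
    for f in _records(text, 7, "passwd"):
        row = dict(zip(PASSWD_FIELDS, f))
        row["uid"], row["gid"] = int(row["uid"]), int(row["gid"])
        rows.append(row)
    return rows


def parse_shadow(text):
    rows = []
    for f in _records(text, 9, "shadow"):
        row = dict(zip(SHADOW_FIELDS, f))
        row["lastchg"] = int(row["lastchg"]) if row["lastchg"] else None  # days since epoch
        rows.append(row)
    return rows


def days_to_date(days):
    """shadow(5) stores its date fields as days since 1970-01-01."""
    return date(1970, 1, 1) + timedelta(days=days)


def hash_kind(h):
    """Classify a shadow password field by its crypt(3) prefix."""
    if h == "":
        return "empty"  # login with no password at all
    if h.startswith(("*", "!")):
        return "locked"
    for prefix, name in HASH_PREFIXES.items():
        if h.startswith(prefix):
            return name
    if len(h) == 13:
        return "legacy DES crypt"  # 2-char salt + 11 chars, as crypt.crypt('x', '2b') yields
    return "unknown"


def audit(passwd_text, shadow_text):
    """Return human-readable findings: extra UID 0 accounts, shared UIDs, weak password fields."""
    findings = []
    uid_owners = {}
    shadow = {r["name"]: r for r in parse_shadow(shadow_text)}
    for u in parse_passwd(passwd_text):
        uid_owners.setdefault(u["uid"], []).append(u["name"])
        if u["uid"] == 0 and u["name"] != "root":
            findings.append(f"{u['name']}: UID 0 account other than root (shell {u['shell']})")
        s = shadow.get(u["name"])
        if s is None:
            findings.append(f"{u['name']}: no shadow entry")
            continue
        kind = hash_kind(s["hash"])
        if kind in ("empty", "legacy DES crypt", "unknown"):
            findings.append(f"{u['name']}: password field is {kind}")
        if u["uid"] == 0 and s["lastchg"] is not None:
            findings.append(f"{u['name']}: UID 0 password last set {days_to_date(s['lastchg'])}")
    for uid, names in uid_owners.items():
        if len(names) > 1:
            findings.append(f"UID {uid} shared by {', '.join(names)}")
    return findings
```

To run it against a live box, pass the contents of /etc/passwd and /etc/shadow (reading the latter needs root) to audit(); on the sample data it reports the test account as a second UID 0 user, shows UID 0 shared by root and test, and dates the article's shadow line to 2010-11-16.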

The second method is a bit more involved, but can also be used/modified to script adding/changing users' passwords non-interactively.

This method also demonstrates using the Python crypt library and is a good way to learn some UNIX administration.

For systems that support the useradd (not adduser) command, do the following:

# useradd username -o -u 0 -g 0

The -o switch allows multiple users to have the same UID/GID (0 is root).

The user will have no password at the moment.  In normal operation you'd simply issue the passwd command, but this will not work with a non-interactive shell.

Assuming you have access to a system with Python installed (and since the system you're logging in from is BackTrack 4 R1, I know it's got Python!), simply enter python and hit Enter.

Now you're at the >>> prompt.

Type in import crypt; print and hit Enter.

Next, type crypt.crypt('password', 'salt'), where password is the password you want to assign to your user and salt is the two-character salt crypt(3) mixes into the hash.

The output you'll receive is the password hash in the format the shadow file expects.  Copy it down.

Example:

Python 2.7.18 (default, Aug  1 2022, 06:23:55)
[GCC 12.1.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import crypt; print

>>> crypt.crypt('Sekr3t', '2b')
'2bw.fFvfDzLI6'
>>>

Now type:

# usermod --password 2bw.fFvfDzLI6 username

This assigns your new user (username) a password of Sekr3t in the proper crypt() format usermod is expecting.  Now you can SSH in and have full interactive root access to the system, and root's password is unchanged.

For systems that support the pw command (FreeBSD for example), the steps are similar but the commands are a tad different.

I fooled around a bit and found a working set of commands:

# pw useradd -o -u 0 -g 0 -n username

The above adds the user with no password.  The steps for generating the password hash are the same, so use Python and crypt as above and copy the output.

Then enter:

# echo 2bw.fFvfDzLI6 | pw usermod -n username -h 0

The above command assigns the password Sekr3t to the user.

Now, just as before, you have an account with root privileges, but the system's root account is unchanged.
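On the detection side, useradd and usermod report what they do through syslog (shadow-utils messages of the form "new user: name=..., UID=0, GID=0, ..." and "change user '...' password"), so an account created this way leaves a trace in the auth log.  Appending to the files directly, as in the first method, produces no such entry, which is why this check belongs alongside a file-level audit of /etc/passwd and /etc/shadow rather than in place of one.  The Python below is an added example, not from the article: it runs those two patterns over constructed sample log lines (hostnames, PIDs and timestamps are made up) and alerts when an account is created with a privileged UID and again when a password is then set on it.  The privileged_uids parameter is the example's own addition, so the same check generalizes to any UID set you treat as privileged.  The FreeBSD pw path is not covered, since its log format is not on this page.

```python
"""Flag privileged-UID account creation and follow-up password changes in an auth log.

Added example, not from the article. The sample lines are constructed in the shape
of shadow-utils syslog messages; hostnames, PIDs and times are invented.
"""
import re

# Constructed sample auth log: one ordinary user added, then a UID 0 account added and given a password.
SAMPLE_AUTH_LOG = """\
Nov 16 10:02:11 host1 sshd[2210]: Accepted publickey for alice from 10.0.0.5 port 51122 ssh2
Nov 16 10:05:42 host1 useradd[2301]: new user: name=bob, UID=1001, GID=1001, home=/home/bob, shell=/bin/bash
Nov 16 10:05:42 host1 useradd[2301]: new group: name=bob, GID=1001
Nov 16 10:09:17 host1 useradd[2388]: new user: name=username, UID=0, GID=0, home=/home/username, shell=/bin/sh
Nov 16 10:09:30 host1 usermod[2390]: change user 'username' password
Nov 16 10:09:31 host1 usermod[2395]: change user 'bob' password
"""

# Traditional syslog prefix: "Mon DD HH:MM:SS host ".
SYSLOG_HEAD = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
# Shell field stops at a comma so a trailing ", from=..." on newer shadow-utils is tolerated.
NEW_USER_RE = re.compile(
    SYSLOG_HEAD + r"useradd\[(?P<pid>\d+)\]: new user: name=(?P<name>[^,]+), "
    r"UID=(?P<uid>\d+), GID=(?P<gid>\d+), home=(?P<home>[^,]+), shell=(?P<shell>[^,\s]+)"
)
PASSWD_CHANGE_RE = re.compile(
    SYSLOG_HEAD + r"usermod\[(?P<pid>\d+)\]: change user '(?P<name>[^']+)' password"
)


def detect_privileged_accounts(log_text, privileged_uids=frozenset({0})):
    """Return alerts for accounts created with a privileged UID, and passwords set on them."""
    alerts = []
    flagged = set()  # names created with a privileged UID earlier in this log
    for line in log_text.splitlines():
        m = NEW_USER_RE.match(line)
        if m:
            uid = int(m["uid"])
            if uid in privileged_uids:
                flagged.add(m["name"])
                alerts.append({
                    "event": "privileged_uid_created", "ts": m["ts"], "host": m["host"],
                    "name": m["name"], "uid": uid, "gid": int(m["gid"]), "shell": m["shell"],
                })
            continue
        m = PASSWD_CHANGE_RE.match(line)
        if m and m["name"] in flagged:
            alerts.append({
                "event": "password_set_on_privileged_account", "ts": m["ts"],
                "host": m["host"], "name": m["name"],
            })
    return alerts
```

Feed it the text of /var/log/auth.log (or the equivalent journal export) and it yields two alerts for the sample: the creation of username with UID 0 and the usermod password change that follows it, while bob's ordinary account produces nothing.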

You may ask yourself, "Why would I choose the second method rather than the first, simple echo method?"

In most cases, you'll find the first method will work just fine.  But the second method may be helpful if you're experimenting with scripting user add/modify actions or in some strange instance when you don't have the ability to echo commands into the passwd/shadow files.

I hope you find this useful.

Good luck and happy hacking!
