How to recover root password when single user mode is disabled

Before reading this further, please note that the information below is provided for educational purposes only and you take full responsibility for all your actions.

I have decided to write this article after doing some research for a personal security project. Basically, the goal was to change the root password of a machine which was running Linux and had the Single User mode disabled.

Below you can find the steps that describe how I achieved what I had in my (very sick) mind. Before going ahead, you need to burn a Clonezilla Live CD ISO to an optical disc or write it to a USB stick. Once you’re all set, do the following:

–        When the Linux machine boots up, let it boot from the Clonezilla Live CD/USB.

–        Choose “Clonezilla live” when the Clonezilla Boot Menu appears and hit ENTER.

Clonezilla Boot Menu

–        When you are asked to choose a language, select whatever language you wish (I chose English) and then select <OK>.

Choose Language

–        In the “Configuring console-data” window, select “Don’t touch keymap” and then <OK>

Configuring console-data

–        When the “Start Clonezilla” window shows up, choose “Enter_shell” and then <OK>

Start Clonezilla

–        Then within the “Choose mode” window, select “cmd” and then <OK>

Choose mode

–        Now Clonezilla returns a Linux user shell “$”, but we want to run everything as “root”. So, we will have to use the following command to make ourselves “root”: sudo su -

Running: sudo su -

–        Ok, so now that we’re “root” (we have administrator privileges) we want to have a look at the partitions of the Linux machine (NOT the Clonezilla Live CD, but the Linux machine whose “root” password we want to change). One way to do this is to run the following command: fdisk -l |grep /dev/sd

fdisk command

–        Then we have to check which partition contains the File System. One way to find this out is to mount one partition at a time and check what it contains.

In the example above, we have /dev/sda2 (which was the Linux Swap, so this is excluded from the very beginning) and then there are /dev/sda1 and /dev/sda3. I used the following steps to check what kind of data those partitions were holding:

mount /dev/sda1 /mnt (this mounted the /dev/sda1 in /mnt)

ls /mnt (shows what /mnt contains)

umount /dev/sda1 (unmounted /dev/sda1)

mount /dev/sda3 /mnt (mounted the /dev/sda3 in /mnt)

ls /mnt (now this showed the correct file system)

(u)mount examples

–        After the File System is mounted, the root File System of the shell has to be switched from Clonezilla’s to that of the actual Linux machine (the one that was mounted in /mnt above). To do that, type: chroot /mnt (you can then check that you’re on the right file system to be on the safe side).

–        Once you are sure that the File System was correctly changed, the “root” password can be changed by using the “passwd” command.

Changing file system

Changing file system+reboot

–        Once the “root” password has been changed, reboot and check that the new “root” password works.
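
The partition check from the mount / ls / umount step above, written as a small script. This is an added example, not part of the original article. The function names looks_like_rootfs and find_rootfs are hypothetical, and treating "has etc/passwd, etc/shadow and a bin entry" as the test for a root file system is an assumption. Each candidate is probed read-only so nothing is modified until the right partition is known.

```shell
#!/bin/sh
# Added example: find which partition holds the installed system's root
# file system, instead of inspecting each one by hand with ls.

# Return 0 if DIR looks like a Linux root file system (heuristic, assumed).
looks_like_rootfs() {
    dir=$1
    [ -f "$dir/etc/passwd" ] || return 1
    [ -f "$dir/etc/shadow" ] || return 1
    # bin is a directory, or a symlink into usr/ on merged-/usr systems.
    # -L matters: an absolute link such as /usr/bin would otherwise be
    # resolved against the live CD, not against the mounted disk.
    [ -d "$dir/bin" ] || [ -L "$dir/bin" ] || return 1
    return 0
}

# Probe each candidate partition read-only; print the first one that matches.
# $1 is a scratch mount point (e.g. /mnt), the rest are partition devices.
find_rootfs() {
    mnt=$1; shift
    for part in "$@"; do
        # Skip swap, as the walkthrough does for /dev/sda2.
        [ "$(blkid -o value -s TYPE "$part" 2>/dev/null)" = "swap" ] && continue
        mount -o ro "$part" "$mnt" 2>/dev/null || continue
        if looks_like_rootfs "$mnt"; then
            umount "$mnt"
            echo "$part"
            return 0
        fi
        umount "$mnt"
    done
    return 1
}

# Usage from the Clonezilla root shell (partition names from the walkthrough):
#   root_part=$(find_rootfs /mnt /dev/sda1 /dev/sda3) && mount "$root_part" /mnt
#   chroot /mnt        # then run passwd as described above
```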

I hope you found this useful. If you did, please share this article with your friends.

PEACE!