How to get Root access on Call Manager 5/6 Server
Posted by Josh on Tue 10 Jun 2008Categories: Cisco , Cisco VOIP - [20] Comments
When Cisco first announced the Unified Communication Server (CallManager) would be based on Linux, my first question was “How much of the system would be available to users?”
I think it is great that Cisco does not require Engineers to understand the underlying system CallManager is built on, but some of us are curious. This tutorial will show you how to create a user on a CUCM 5/6 server with shell access and root privileges.
WARNING: This should not be performed on a Production System! I am not responsible for any destruction to production systems.
- Boot the CUCM server with CentOS 5.1 Disk1
- Type ‘linux rescue’ at the boot: prompt
- Use the chroot command to change the root to the CUCM partition
Type 'chroot /mnt/sysimage'
- Backup the /etc/passwd, /etc/group, /etc/shadow and /etc/gshadow files
cp -a /etc/passwd /etc/passwd.bak
cp -a /etc/group /etc/group.bak
cp -a /etc/shadow /etc/shadow.bak
cp -a /etc/gshadow /etc/gshadow.bak
- These files are protected by the ext2 immutable flag. Check to see if the immutable flag is set. If the immutable flag is set, you will see an ‘i’.
lsattr /etc/passwd /etc/group /etc/shadow /etc/gshadow
- Remove the immutable flag
chattr -i /etc/passwd /etc/group /etc/shadow /etc/gshadow
- Add a new user and set a password
useradd username
passwd username
- Add the immutable flag
chattr +i /etc/passwd /etc/group /etc/shadow /etc/gshadow
- Add the new user to the /etc/sudoers file and give root privileges.
vi /etc/sudoers
Add the following line to the file to give the new user root privileges.
username All=(ALL) ALL
- Exit Linux rescue mode
- Login with the new account
- Test various root level linux commands with ‘sudo’ prefix, take a look at the filesystem and play around
June 10th, 2008 at 4:08 am
This is Nice Tutorial, Thanks
Mark
June 24th, 2008 at 5:06 am
something else for you guys..
once logged in, use sudo /bin/bash to get a root session
June 24th, 2008 at 8:54 am
Thanks James!
August 13th, 2008 at 8:17 pm
I did all of this using kubuntu Hardy KDE 4.0 and was able to browse around, etc. while logged using the live CD.
Once I rebooted the VM, I was unable to use the username/pwd that I had created using the above steps.
Oh, and for anyone that is interested, here are the steps that I took with some annotations:
***********
To boot a vmware from ISO image, edit the respective .vmx file thus:
Open the .vmx file for the image you are using. Look for the lines ide1:0.fileName and ide1:0.deviceType. If you want to install a new guest OS from a CD-ROM or DVD, the defaults are fine. If you’d like to use an ISO image instead of a CD-ROM, however, you’ll need to tweak this a bit. To use an ISO image, change the fileName and deviceType lines to this:
ide1:0.fileName = “/path/to/cd.iso”
ide1:0.deviceType = “cdrom-image”
defaults are
ide1:0.fileName = “auto detect”
ide1:0.deviceType = “cdrom-raw”
Once that’s done, fire up VMware Player. However, instead of letting it boot into the virtual machine, press Esc when you see the screen in Figure 1 (first VMWARE Splash screen…very very FAST – you may have to try this a bunch of times…I did! As soon as u see the cursor change to the hand, click, then, click ESC, but only ONCE). VMware will give you the option of booting from the hard disk or booting from other devices. Select the CD-ROM drive from the boot menu instead of the hard drive. You should be able to move through your installation normally after that.
By the way — and this is one of my favorite features of VMware Workstation — you can download an ISO for a Linux distro and try it out in VMware without even having to take the time to burn it to CD. This feature has helped me avoid wasting a lot of CD-Rs.
*************# Boot the CUCM server with CentOS 5.1 Disk1
******** I used hardy 8.04 KDE 4.0 .iso image *******
# Type ‘linux rescue’ at the boot: prompt
******** I did not need to do this, I opened up Konsole and changed to /media/disk ******
# Use the chroot command to change the root to the CUCM partition
Type ‘chroot /mnt/sysimage’
******** I did not do this..cd /media.disk ********
# Backup the /etc/passwd, /etc/group, /etc/shadow and /etc/gshadow files
******** Note: I had to change to the etc directory since /etc goes back to root which is the root of ubuntu *******
******** so, just remove the /etc/ from the below commands (or use /media/disk/etc ********
cp -a /etc/passwd /etc/passwd.bak
cp -a /etc/group /etc/group.bak
cp -a /etc/shadow /etc/shadow.bak
cp -a /etc/gshadow /etc/gshadow.bak
# These files are protected by the ext2 immutable flag. Check to see if the immutable flag is set. If the immutable flag is set, you will see an ‘i’.
******** Use sudo if you have to **********
lsattr /etc/passwd /etc/group /etc/shadow /etc/gshadow
# Remove the immutable flag
chattr -i /etc/passwd /etc/group /etc/shadow /etc/gshadow
# Add a new user and set a password
useradd username
passwd username
# Add the immutable flag
chattr +i /etc/passwd /etc/group /etc/shadow /etc/gshadow
******* Again, sudo for shadow and gshadow
# Add the new user to the /etc/sudoers file and give root privileges.
visudo /etc/sudoers
******* visudo is a pain in the ass…same commands as vi…had to look them up
******* I recommend using visudo as it does special checks to make sure you don’t fubar dusoer
Add the following line to the file to give the new user root privileges.
username All=(ALL) ALL
******* for example: dvader ALL=(ALL) ALL
****************
So, should I not be able to boot to UCM and logon as dvader?
or is this only to logon w/ a live CD.
Thanks!
August 13th, 2008 at 8:20 pm
ps…yes, I copied and pasted all of the instructions for the vmware stuff from another place on the net. I wish I could give credit…but..I just closed out all my browsers.
My apologies to the original poster on that!
August 13th, 2008 at 9:44 pm
ok…I figured this out!!!
When doing “adduser” I was actually adding it to the liveCD version! in other words, I was modifying /etc/passwd, group, shadow, gshadow, etc when doing the “adduser” command.
So, I opened up those files in a text editor, then opened up /media/disk/etc/passwd..etc and copied/pasted the new user info.
also, when doing sudo visudo sudoers, I had to use the -f flag to look to the local command line otherwise, I was also editing /etc/sudoers (my liveCD filesystem)
i.e: ubuntu@ubuntu:/media/disk/etc$ sudo visudo -f sudoers
also, note: I noticed that I did not have access via Konsole to /media/disk until I opened it up in Dolphin (the file manager)…not sure if I tried to quickly or not, but…if anyone else does this…there ya go.
So…thanks for pointing me in the right way..hopefully, my notes can be of assistance to someone.
August 13th, 2008 at 10:34 pm
Robert,
Thanks for sharing your notes with us! I really enjoy seeing someone take another approach. Great job!
Please try to find the author of the above procedure. I would like to give credit.
Josh
October 8th, 2008 at 3:09 pm
Robert, your procedure was failing exactly because you did not chroot to the CCM partition.
Though the workaround you found is just as fine.
October 9th, 2008 at 3:12 am
Root Access auf einem Cisco CallManager 6.x bekommen…
Ich habe mir vor einiger Zeit zum testen einen Cisco CallManager 6 installiert. Da ich Blackboxen nicht leiden kann, habe ich versucht ob es nicht möglich ist einen richtigen Shell Access hinzubekommen…
……
March 3rd, 2009 at 7:29 am
I have tested this link and it works like a charm.
I am a big fan of Pushkar Bhatkoti’s blog.
Link:
http://pushkarbhatkoti.wordpress.com/2009/01/25/a-fun-with-cisco-call-manager-6x-how-to-root-access-to-ccm6x-box/
Topic:
A fun with Cisco Call manager 6x – root access to CCM6x box
cut and paste:
January 25, 2009 at 3:55 am | In CCM 5x 6x 7x stuffs | | Edit this post
Tags: hacking cisco call manager 6x, how to get root access to ccm ccm6x ccm7x, logging in as a root in cisco call manager
———————————————————————————————-
Duh… its 42 degree outside here in Sydney and it is also a long weekend – this sounds boreing… nothing to do outdoor.
My mind got crazy and then I thought to play with my new toy – CCM version 6.x.
Note: before you read this please note, do not try to apply it on your production server.
Quite often, when we are working on the production server and we need access to call manager 5x 6x 7x root shell (penguin shell), we had to call bloody TAC and do wait for ages before we get access to the root shell.
Last week this happend to my friend and he told me that is there anyway to get access to the call manager root shell. He upgraded his CCM from v5 to 6x and the disk space got on ccm server got full. So he had to delete some files from ccm using LINUX shell. Somehow cisco has managed to lock it down so that no root access to the ccm appliance. I given my old method to my friend and he got access to the root shell [grub /lilo breakin method like we do to recover root password].
Today I got some time to do some research on this and found out a less effort method which you can safely apply to your production server without breaking anything related to Cisco’s software.
So using below method you would be able to access your call manager in the same fashion like TAC guys do. You don’t have to call them and wait…hehhe…
download fedora9, redhat linux 4 or above or centos disk1. burn it on a CD or dvd. this disk iwll be used in the step #3
STEP#1: Create remote account on your CUCM.
———————————————————–
ssh to your CUCM box. I use Ubuntu as a desktop, if you are billy fane you can use ssh or secureCRT.
frog# ssh administrator@142.2.64.254
you’ll get below prompt:
admin:
create a account and enable remote account to this box:
admin:utils remote_account create frog 100
admin:utils remote_account enable
noticed 100 in the above is number of days ‘frog’ username / account will be valid. If you want it forever, then just type 0
STEP#2: reboot the server:
———————————-
admin:utils system restart
STEP#3: create password for ‘frog’ remote user
———————————————————-
While server reboots, pop-in a linux booteble disk (downloaded centos or redhat first disk) to MCS server or your lab toy. When you see boot prompt type ‘linux rescue:
boot:linux rescue
That will give you the root shell access of root#
initblah#
Rescue disk mounts the CCM hard disk image as a /mnt/sysimage. Now chroot to this image to change in the /etc/ files or passwords:
#chroot /mnt/sysimage
[root#ccm-] #
Note1: if you dont’ see the root prompt and /etc/pass file, then you may need to mount your sysimage.
Note2: If you are Opensource folk and know how to penguinworks u can jump direct to step#4. Actually adding user here vs adding them when u get root# shell using a booteble CD, is that u don’t have to apply all admin groups to remote user.
according to the one of the hacker wesite, remote user must be a member of the following groups in CCM BOX:
disk, sys, adm, bin, wheel and root
STEP#4: change attribute of /etc files and create ‘frog’ user’s password:
—————————————————————————————
Cisco have locked the attribute to read only to all /etc/passwd /etc/group /etc/shadow and /etc/gshadow file to protect those files.
Make all of below files attribute from read only to read/write. So when you change ‘frog’ users password the system will let you change it.
root#chattr -i /etc/passwd
root#chattr -i /etc/shadow
root#chattr -i /etc/group
root#chattr -i /etc/gshadow
root#passwd frog
Now restart the server: use reboot command
Dont’ forget to remove your DVD/CD from MCS server.
Once that is done, access to the ccm from your favourite ssh client. mine is ubuntu these days.
frog# ssh frog@142.2.64.254
Welcome to Remote Support
[root@CUCM6~]#
[root@CUCM6~]#
[root@CUCM6~]#
hehe… its your little linux box now. Do with it whatever you like. I will install freeRADIUS and some other cool tool like NMAP on this Cisco box.
March 18th, 2009 at 6:25 am
Thanks Pushkar for sharing this, that worked.
salman
November 18th, 2009 at 1:18 pm
[...] access its underlying Linux operating system and obtain root access. There are known methods to bypass this. If you have already found a way, then you may configure the virtual machine such as CUPS [...]
January 21st, 2010 at 10:34 am
I am new to Linux
I am tring to edit /usr/local/bin/base_scripts/hardware_check.sh file but I am getting error saying read only file,
can any one help me with?
February 2nd, 2010 at 5:08 pm
[...] Next follow the guide here http://www.blindhog.net/how-to-get-root-access-on-call-manager-56-server/ to get root access. Make sure you use the CentOS Disk 1 rather than the Live [...]
May 27th, 2010 at 11:58 am
[...] can access its underlying Linux operating system and obtain root access. There are known methods to bypass this. If you have already found a way then you may configure the virtual machine such as CUPS [...]
May 27th, 2010 at 1:23 pm
[...] can access its underlying Linux operating system and obtain root access. There are known methods to bypass this. If you have already found a way then you may configure the virtual machine such as CUPS [...]
June 1st, 2010 at 4:18 am
Hi there – thanks this has been useful for us. Wanted to drop a note: Recurity labs published an alternative method to this which does not involve booting off a livecd:
http://blog.recurity-labs.com/articles/jail-breaking_cisco_unified_communication_manager/index.html
- sandro
April 25th, 2011 at 12:21 pm
[...] http://www.blindhog.net/how-to-get-root-access-on-call-manager-56-server/ [...]
August 18th, 2011 at 3:34 pm
[...] the least bit squeemish. The first thing you should read is the great guide at blindhog.net about gaining root access on CUCM 5.x/6.x. It’s a very handy way to show you that the underlying system in CUCM is actually RedHat [...]
October 8th, 2012 at 4:10 pm
Hi Seniors,
I hope you can help me out here, I have CUCM 8.6.2 installed on a VMWare and I am having issues logging into CLI with Admin credentials.
Its throwing following error message,
Sorry, user ccmadmin is not allowed to execute ‘/usr/local/bin/base_scripts/terminal_io /dev/console’ as root on X-X-ccm01.
where X-X-ccm01 is name of the CUCM server.
Regards,
Nav