Anyone with physical access can reboot a Linux server, interrupt GRUB, and append 'init=/bin/bash' to get a root shell without a password—unless you've secured the bootloader. This lesson covers password-protecting GRUB, hardening single-user mode to require authentication, and protecting the boot process from kernel parameter manipulation, which is often the first step in a physical pentest.
GRUB2 can be configured to require a username/password for editing boot entries or accessing the console. The password hash is stored in /boot/grub/grub.cfg or a separate user.cfg. Use grub-mkpasswd-pbkdf2 to generate a PBKDF2 hash. Place a superuser and the password in /etc/grub.d/40_custom, then update grub.cfg. Without a password, anyone can modify kernel parameters at boot.
Now, at boot, pressing 'e' to edit will prompt for the superuser password. This also restricts booting from alternate entries without authentication.
Even with GRUB locked, single-user mode (rescue.target) may not require a password. Modern distributions use sulogin, but it's not always enforced. Ensure that /etc/systemd/system/rescue.service.d/override.conf contains ExecStart=-/sbin/sulogin, or modify the rescue service to use sulogin. For SysV init, edit /etc/inittab to add ~~:S:wait:/sbin/sulogin. This forces the root password prompt before dropping to a shell.
```bash
# Ensure sulogin runs in rescue mode. The empty "ExecStart=" line clears the
# unit's original command so the drop-in replaces it instead of appending to it.
sudo mkdir -p /etc/systemd/system/rescue.service.d
printf '[Service]\nExecStart=\nExecStart=-/sbin/sulogin\n' | sudo tee /etc/systemd/system/rescue.service.d/override.conf
sudo systemctl daemon-reload
```

💡 Some cloud environments don't have a traditional GRUB (e.g., AWS EC2 uses PV-GRUB). In those cases, focus on console access protection and IAM roles.
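The GRUB password and sulogin steps above, as an added example that is not part of the lesson: shell functions that emit the 40_custom stanza and audit the resulting grub.cfg and rescue drop-in for the mistakes the lesson warns about (no superuser, a plain-text password directive, a drop-in that appends to ExecStart instead of replacing it). The install helper assumes Debian/Ubuntu paths and update-grub; the hash value in the comments is a constructed placeholder.

```bash
#!/usr/bin/env bash
# Added example (not from the lesson). Assumes Debian/Ubuntu paths
# (/etc/grub.d/40_custom, update-grub); RHEL-family systems use
# grub2-mkconfig -o /boot/grub2/grub.cfg instead.

# Emit the stanza for /etc/grub.d/40_custom.
#   $1 = superuser name, $2 = hash printed by grub-mkpasswd-pbkdf2
#   (e.g. a constructed "grub.pbkdf2.sha512.10000.SALT.HASH")
grub_superuser_stanza() {
    printf 'set superusers="%s"\npassword_pbkdf2 %s %s\n' "$1" "$1" "$2"
}

# Append the stanza and regenerate grub.cfg (needs root; not run in tests).
install_grub_superuser() {
    grub_superuser_stanza "$1" "$2" | sudo tee -a /etc/grub.d/40_custom >/dev/null
    sudo update-grub
}

# Audit a generated grub.cfg. Returns 0 if it defines a superuser with a
# PBKDF2 hash, 2 if it still carries a plain-text 'password' line, and
# 1 if boot entries can be edited without authentication at all.
audit_grub_cfg() {
    local cfg="$1"
    grep -q '^set superusers=' "$cfg" || return 1
    if grep -q '^password ' "$cfg"; then return 2; fi
    grep -q '^password_pbkdf2 ' "$cfg" || return 1
    return 0
}

# Audit the rescue.service drop-in. Without the bare "ExecStart=" reset
# line systemd appends a second command instead of replacing the original,
# so the override must contain both lines.
audit_rescue_override() {
    local f="$1"
    [ -f "$f" ] || return 1
    grep -q '^ExecStart=$' "$f" || return 1
    grep -Eq '^ExecStart=-?/sbin/sulogin' "$f" || return 1
    return 0
}
```

Run the two audit functions against /boot/grub/grub.cfg and the rescue drop-in after update-grub and daemon-reload, and treat any non-zero status as a finding.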
| Bootloader | Hardening Method | Verification |
|---|---|---|
| GRUB2 | PBKDF2 password + superuser | Reboot, try to edit entry |
| systemd-boot | Set 'secure-boot' and kernel locking | Check that cmdline cannot be modified |
| U-Boot (ARM) | Environment variable protection | Password-protect the console |
Kernel parameters like 'init=/bin/bash' are the classic bypass. With a GRUB password set, they can't be changed from the boot menu. Additionally, some distributions support signing the kernel command line via EFI (if using systemd-boot). This prevents even an attacker with disk access from modifying boot entries on the EFI partition. Use 'efibootmgr' to verify the boot order, and password-protect the UEFI firmware setup.
⚠️ If you forget the GRUB password, you'll need physical access to clear the CMOS or use a live USB to chroot and reset the password—ensure it's documented in a secure break-glass procedure.