ESXI 6.7 Password recovery / reset

Recently I had done some training where we setup ESXI 6.7 on a Intel NUC. It’s been over a month since I’ve touched it. Apparently during the training my coworker had set a root password for the install, which was supposedly written down, but was either typed wrong in the notes or fat-fingered while setting it. Unfortunately, you can no longer boot into single user mode or Service Console to reset the password and VMware suggest you reinstall ESXI to reset the password. I didn’t want to risk trying that method because I wasnt sure if it would affect the currently installed VMs and I didn’t have a copy of ESXI with me to do so. Instead I used a bootable Kali USB to mount the ESXI drive and reset the root password to a blank password by editing the shadow file.

Here’s the steps I took to gain access to my ESXI NUC.

First, I checked the drives on the machine using the lsblk command. Then used udiskctl to mount nvme0n1p5. Once mounted, I copied the state.tgz file to /tmp then untar’d it. It had another .tgz file called local.tgz inside which I untar’d too using this command:
tar -xf state.tgz && tar -xf local.tgz

I then used nano to edit the root password in the shadow file that was now in the /etc folder using nano etc/shadow. (I also saved the hash also because I wanted to try to crack it regardless with hashcat to see what the hell it was)

Basically remove everything between the colons after the username so i looks like the image below

After saving the file I tar’d it back up and moved it back to the mounted directory, then rebooted and removed the Kali USB.

Upon rebooted I was greeted with the ESXI logon screen, and was able log in with root and a blank password.

Here’s the plaintext output just in case you can get online from your device and want to copy pasta.

root@kali:/mnt# lsblk
loop0         7:0    0   2.9G  1 loop /usr/lib/live/mount/rootfs/filesystem.squashfs
sda           8:0    1  29.3G  0 disk 
├─sda1        8:1    1   3.1G  0 part /usr/lib/live/mount/medium
└─sda2        8:2    1   736K  0 part /media/root/Kali Live
nvme0n1     259:0    0 465.8G  0 disk 
├─nvme0n1p1 259:1    0     4M  0 part /media/root/ESXi
├─nvme0n1p2 259:2    0     4G  0 part /media/root/4E99-06DA
├─nvme0n1p3 259:3    0 458.4G  0 part 
├─nvme0n1p5 259:4    0   250M  0 part 
├─nvme0n1p6 259:5    0   250M  0 part /media/root/4E99-06D71
├─nvme0n1p7 259:6    0   110M  0 part 
├─nvme0n1p8 259:7    0   286M  0 part /media/root/4E99-06D72
└─nvme0n1p9 259:8    0   2.5G  0 part 
root@kali:/mnt# udisksctl mount -b /dev/nvme0n1p5
Mounted /dev/nvme0n1p5 at /media/root/4E99-06D7.
root@kali:/mnt# cp /media/root/4E99-06D7/state.tgz /tmp
root@kali:/mnt# cd /tmp
root@kali:/tmp# tar -xf state.tgz
root@kali:/tmp# tar -xf local.tgz 
root@kali:/tmp# rm *.tgz
root@kali:/tmp# nano etc/shadow
root@kali:/tmp# tar -cf local.tgz etc/
root@kali:/tmp# tar -cf state.tgz local.tgz
root@kali:/tmp# mv state.tgz /media/root/4E99-06D7/
root@kali:/tmp# udisksctl unmount -b /dev/nvme0n1p5
Unmounted /dev/nvme0n1p5.
root@kali:/tmp# reboot
Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *