Recently I had done some training where we set up ESXi 6.7 on an Intel NUC. It’s been over a month since I’ve touched it. Apparently during the training my coworker had set a root password for the install, which was supposedly written down, but was either typed wrong in the notes or fat-fingered while setting it. Unfortunately, you can no longer boot into single user mode or Service Console to reset the password, and VMware suggests you reinstall ESXi to reset the password. I didn’t want to risk trying that method because I wasn’t sure if it would affect the currently installed VMs and I didn’t have a copy of ESXi with me to do so. Instead I used a bootable Kali USB to mount the ESXi drive and reset the root password to a blank password by editing the shadow file.
Here are the steps I took to gain access to my ESXi NUC.
First, I checked the drives on the machine using the lsblk command. Then I used udisksctl to mount nvme0n1p5. Once mounted, I copied the state.tgz file to /tmp then untar’d it. It had another .tgz file called local.tgz inside, which I untar’d too using this command:
tar -xf state.tgz && tar -xf local.tgz
I then used nano to edit the root password in the shadow file that was now in the etc folder, using nano etc/shadow. (I also saved the hash because I wanted to try to crack it with hashcat regardless, to see what the hell it was.)
After saving the file I tar’d it back up and moved it back to the mounted directory, then rebooted and removed the Kali USB.
Upon reboot I was greeted with the ESXi logon screen, and was able to log in with root and a blank password.
Here’s the plaintext output just in case you can get online from your device and want to copy pasta.
root@kali:/mnt# lsblk
NAME        MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
loop0         7:0    0   2.9G  1 loop /usr/lib/live/mount/rootfs/filesystem.squashfs
sda           8:0    1  29.3G  0 disk
├─sda1        8:1    1   3.1G  0 part /usr/lib/live/mount/medium
└─sda2        8:2    1   736K  0 part /media/root/Kali Live
nvme0n1     259:0    0 465.8G  0 disk
├─nvme0n1p1 259:1    0     4M  0 part /media/root/ESXi
├─nvme0n1p2 259:2    0     4G  0 part /media/root/4E99-06DA
├─nvme0n1p3 259:3    0 458.4G  0 part
├─nvme0n1p5 259:4    0   250M  0 part
├─nvme0n1p6 259:5    0   250M  0 part /media/root/4E99-06D71
├─nvme0n1p7 259:6    0   110M  0 part
├─nvme0n1p8 259:7    0   286M  0 part /media/root/4E99-06D72
└─nvme0n1p9 259:8    0   2.5G  0 part
root@kali:/mnt# udisksctl mount -b /dev/nvme0n1p5
Mounted /dev/nvme0n1p5 at /media/root/4E99-06D7.
root@kali:/mnt# cp /media/root/4E99-06D7/state.tgz /tmp
root@kali:/mnt# cd /tmp
root@kali:/tmp# tar -xf state.tgz
root@kali:/tmp# tar -xf local.tgz
root@kali:/tmp# rm *.tgz
root@kali:/tmp# nano etc/shadow
root@kali:/tmp# tar -cf local.tgz etc/
root@kali:/tmp# tar -cf state.tgz local.tgz
root@kali:/tmp# mv state.tgz /media/root/4E99-06D7/
root@kali:/tmp# udisksctl unmount -b /dev/nvme0n1p5
Unmounted /dev/nvme0n1p5.
root@kali:/tmp# reboot
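A recovery like this leaves root with an empty password field in the persisted configuration. The following is an added example, not part of the original post: a Python check that reads a state.tgz in memory (state.tgz, then local.tgz, then etc/shadow, as nested above) and lists accounts whose password field is empty. The function names and the sample shadow entries are constructed for illustration.

```python
import io
import os
import sys
import tarfile


def member_bytes(archive, name):
    """Return one member's bytes; mode 'r:*' reads plain or compressed tar."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for m in tar.getmembers():
            if m.isfile() and os.path.normpath(m.name) == name:
                return tar.extractfile(m).read()
    raise FileNotFoundError(name)


def blank_password_accounts(state_tgz):
    """List accounts in state.tgz -> local.tgz -> etc/shadow with an empty hash."""
    local = member_bytes(state_tgz, "local.tgz")
    shadow = member_bytes(local, "etc/shadow").decode("utf-8", "replace")
    blank = []
    for line in shadow.splitlines():
        fields = line.split(":")
        # Field 2 is the password hash; empty means login with no password.
        if len(fields) >= 2 and fields[0] and fields[1] == "":
            blank.append(fields[0])
    return blank


def build_sample(shadow, mode="w:gz"):
    """Constructed test data: wrap a shadow file in the same nested layout."""
    def pack(name, data):
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode=mode) as tar:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        return buf.getvalue()
    return pack("local.tgz", pack("etc/shadow", shadow))


# Constructed sample entries, not taken from a real host.
SAMPLE_SHADOW = b"root::13358:0:99999:7:::\ndcui:*:13358:0:99999:7:::\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample(SAMPLE_SHADOW)
    for user in blank_password_accounts(data):
        print("blank password:", user)
```

Pass the path to a copied state.tgz as the first argument to audit a real archive; with no argument the script runs on the constructed sample.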