Yes. Most of them were east-to-find solutions on the web, or someone else giving me access. “Can you reset my password on Blah?” “Try TempP@ass123.” “I’m in, changed password. Thanks.”
A few times when I am really acting like a Senior Linux Administrator is figuring out a kludge or back door nobody had thought of. Recently, a client told me that the former admin had left and didn’t leave the password to over 300 systems (it turns out he did, the client was clueless, but I didn’t know that in the moment). I found every system the admin had access to, and looked for a dev box where he had access but I could take down during production hours. I took it down, booted into init with /bin/bash, changed root password, brought it back up. Then I checked his home directory to see what public keys he had. Based on that, I checked to see if there were any private keys on the bastion systems that matched as a pair (using ssh-keygen -l -f on each pair to see if the signatures matched). They checked which pair had no password. That was pretty quick because I quickly discovered a majority of these cloud systems also had an ec2-user that could escalate to root via private/public key pairs (it is supposed to be removed for security reasons, but wasn’t). Within a few hours, I had full access back to all their systems. Without taking down production.
See, I think one of three scenarios might have happened:
As a writer, one of the aggravating tropes we have to follow is, “make the story believable,” when reality sometimes doesn’t align with “a good story.” Some criminals are really that stupid, and some armchair theory, based on decades of movies, books, and TV shows, you expect “hey, this is what they SHOULD have done is.” And they didn’t. It’s like when a chessmaster has to watch complete amateurs play chess. “Obvious strategies” are ignored, and basically both players are just not thinking past their last move.