In this post, I will demonstrate how to root a Linux server once a shell has been uploaded to it. I will move step by step, which should make this the best tutorial on Linux server rooting anywhere on the web.
Assume that I have already uploaded a shell to some website on the server, modified to specify the attacker’s IP and the appropriate port, as shown below:

Now, the attacker with the IP ‘192.168.48.189’ starts listening for a connection through Netcat as:

Now, my shell on the server looks something like:

with several PHP backconnect links. As soon as I click on one of them, the terminal window that was listening for the connection shows up like this:

Type uname to get the kernel version the server is running:

Cool, it’s 3.0.0-12-generic! The attacker googles for an exploit for that version by searching ‘Linux server 3.0.0-12-generic exploit’ and finds one. In our case, let it be ‘exploit.c’.
Now, traverse to the ‘/tmp’ directory, which is always writable. Next, the attacker creates a custom directory there (say ‘exploit’) as:

The attacker has successfully created the ‘exploit’ directory and added the exploit.c file to it. Now, he needs to compile the exploit.c file and create an output file (say ‘rooted’) in the same directory. To do so, the attacker proceeds as follows:

We are almost done. The attacker now changes the file permission of rooted to ‘777’ as:

Now execute the output file, and we are done!

The attacker types ‘id’ and can see that he has successfully gained root access to the server.
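The steps above leave a recognisable trail in process-execution logs. As a defender-side illustration, added here and not part of the original post, the following Python code flags that sequence in constructed, simplified log records (the record format, the www-data uid 33, the process-name lists and the rule names are assumptions, not real auditd output):

```python
import posixpath
import shlex

# Constructed, simplified process-execution records (not real auditd output).
SAMPLE_LOG = """\
ts=100 uid=33 euid=33 parent=apache2 cwd=/var/www/html cmd="sh -i"
ts=101 uid=33 euid=33 parent=sh cwd=/var/www/html cmd="uname -a"
ts=140 uid=33 euid=33 parent=sh cwd=/tmp/exploit cmd="gcc exploit.c -o rooted"
ts=150 uid=33 euid=33 parent=sh cwd=/tmp/exploit cmd="chmod 777 rooted"
ts=155 uid=33 euid=33 parent=sh cwd=/tmp/exploit cmd="./rooted"
ts=156 uid=0 euid=0 parent=rooted cwd=/tmp/exploit cmd="id"
ts=200 uid=1000 euid=1000 parent=bash cwd=/home/dev/src cmd="gcc main.c -o main"
"""
SERVICE_UIDS = {33}  # assumption: the web server runs as www-data (uid 33)
WEB_PARENTS = {"apache2", "nginx", "php-fpm"}
SHELLS = {"sh", "bash", "dash"}
COMPILERS = {"gcc", "cc", "clang"}
WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")

def parse(line):
    """Turn one key=value record into a dict; cmd becomes an argv list."""
    rec = dict(tok.split("=", 1) for tok in shlex.split(line))
    for key in ("ts", "uid", "euid"):
        rec[key] = int(rec[key])
    rec["argv"] = shlex.split(rec["cmd"])
    return rec

def detect(log):
    """Return (ts, rule) alerts for the post-exploitation steps described above."""
    alerts, tmp_bins = [], set()
    for r in map(parse, log.splitlines()):
        arg0 = r["argv"][0]
        prog = posixpath.basename(arg0)
        path = posixpath.normpath(posixpath.join(r["cwd"], arg0))
        svc = r["uid"] in SERVICE_UIDS
        in_tmp = (r["cwd"] + "/").startswith(WRITABLE)
        if svc and r["parent"] in WEB_PARENTS and prog in SHELLS:
            alerts.append((r["ts"], "web_server_spawned_shell"))
        if svc and prog in COMPILERS:
            alerts.append((r["ts"], "compiler_run_by_service_account"))
        if svc and prog == "chmod" and in_tmp and "777" in r["argv"]:
            alerts.append((r["ts"], "chmod_777_in_writable_dir"))
        if svc and "/" in arg0 and path.startswith(WRITABLE):
            tmp_bins.add(prog)  # remember it so its children can be checked
            alerts.append((r["ts"], "exec_from_writable_dir"))
        if r["euid"] == 0 and r["parent"] in tmp_bins:
            alerts.append((r["ts"], "root_child_of_tmp_binary"))
    return alerts

if __name__ == "__main__":
    for ts, rule in detect(SAMPLE_LOG):
        print(ts, rule)
```

Mounting /tmp with noexec and nosuid and keeping compilers off web hosts interrupts the middle steps, while a patched kernel addresses the escalation itself.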
FYI: You can also check the readme file to find further details about the exploit I used for this demo at http://dl.dropbox.com/u/57335721/linux_rooting_info_TCS
Disclaimer: This is for educational purposes and to make you aware of various security breach scenarios. The administrator or the authors of thecybersaviours will not be responsible for any misuse of this post.
