Chapter IV - Getting the root account

Like I said before, all you need is one account in most cases. If you cannot get root on the system, you might want to trade it off to some IRC junkie that just wants to load a bot, for some other account or info that can help you in your hacking quest. There will be enough information here that if you still can't get root access, their system is well kept and will probably be kept up in the future. You can always lay the account on the side, put the info in some kind of log file with some good notes so that you can come back at a later time, like right when a new exploit comes out ;)

Try to stay out of the system until that time so that you do not risk losing the account. Remember that when you log in to an account and can't get root, you will not be able to clean the logs, and the next time the user logs in he might see a message that says: last login from xxx.com time:0:00 date:xx/xx/xx

Section 4A - Bugs

There are many bugs out there in different programs that you can use to get root. It might be a game installed on the system, or even the sendmail program. If they do not update their programs on a regular basis, you can be sure you will be able to get in now, and if not, soon.

I will be sure to provide the main exploits and bugs here and other, less used ones below in the appendix section. I will make sure to give you detailed, plain English terms here so that you can exploit root on the system. But please be sure to read the sections below, and this manual entirely, before proceeding, to be sure you get started in the right way and do not blow your chances of having a long stay on the system.

Section 4B - Exploits

umount/mount exploit

Look in the /bin directory for a file called umount (or mount). If you do not find it there, do a search for the file like this:

find / -name umount -print -xdev

(you can look for any other file name the same way)

Go to the directory where the file is and do: ls -al um*

If the file has SUID perms you can probably get root. SUID perms show rws for the owner of the file, which is root. What you are looking for is the (s). Look here:

victim:/bin# ls -al um*

-rwsr-sr-x 1 root 8888 Mar 21 1995 umount

victim:/bin#

On this machine we can get root by compiling the file below:

umount.c

To compile the file on the victim's machine type gcc umount.c (or whatever name you called it) -o um

This will make a file called um that you can exec. Sometimes you will need to put a ./ in front of the file like this: ./um

With this exploit you might also have to give it a number like:

./um 0 (or) ./um 4 ... all the way up to 8 ... like this again: ./um 8

*************************************

If you fail here you might want to try lpr. Look in /usr/bin for lpr and see if it is SUID; if it is, lpr should work as long as it is up on the system.

ls -l lpr

OK, it has SUID perms? Use this script:

*************************************

lpr.linux.c

***************************

Here is the BSD version

***************************

lpr.bsd.c

Now just compile it, chmod it +x, and run it.

Watch the group owner with this one. Any file you copy will have group owner lp, so make sure you chgrp root filename on any file you write. Always be watching the user groups with ls -l, and if you changed any, change them back like this:

chgrp groupname filename

It is a good idea to use this exploit ONLY to get the root access, then just copy bash or sh to another file name on the system somewhere and make it root root, SUID: group owner and file owner root, then chmod it +s. This will give you root access in the future as gid and uid root, without using the lp group. Make sure you name it something that looks like it should be running as a root process somewhere ;)
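Everything in this section turns on SUID bits: hunting for setuid umount, lpr or splitvt, and leaving behind a copied shell made setuid root under a harmless-looking name. The check an administrator runs against exactly that is a SUID/SGID baseline audit. The script below is an added example, not part of the original text or any of the exploit files it names; it assumes POSIX sh with find, ls, awk, sort, comm and sed, and the baseline path in its comments is only an example.

```shell
#!/bin/sh
# Added example, not part of the original text: a setuid/setgid audit for
# the admin side of this chapter.  It records every SUID/SGID file (the
# umount, lpr and splitvt binaries the chapter hunts for) and later reports
# anything new, changed or missing, which is how a copied shell that was
# made setuid root under an innocent-looking name shows up.
# Assumes POSIX sh with find, ls, awk, sort, comm and sed.
export LC_ALL=C   # fixed collation so sort and comm agree

# Print every setuid/setgid regular file under $1 as
# "path mode owner group", one per line.  -xdev stays on one filesystem,
# so run it once per mounted filesystem you care about.
suid_listing() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        ls -ld "$f" | awk -v p="$f" '{ print p, $1, $3, $4 }'
    done | sort
}

# Compare a saved baseline listing ($1) with a current one ($2).
# Prints "+ entry" for files that are new or whose mode/owner/group changed
# and "- entry" for files that vanished.  Returns 0 only when they match.
suid_diff() {
    b=$(mktemp) && c=$(mktemp) || return 2
    sort "$1" > "$b"
    sort "$2" > "$c"
    added=$(comm -13 "$b" "$c")
    removed=$(comm -23 "$b" "$c")
    rm -f "$b" "$c"
    [ -n "$added" ]   && printf '%s\n' "$added"   | sed 's/^/+ /'
    [ -n "$removed" ] && printf '%s\n' "$removed" | sed 's/^/- /'
    [ -z "$added" ] && [ -z "$removed" ]
}

# Stand-alone use (paths are examples):
#   sh suid_audit.sh save  > /var/lib/suid.baseline      # on a clean system
#   sh suid_audit.sh check   /var/lib/suid.baseline      # from cron, later
case "${1-}" in
    save)  suid_listing / ;;
    check) now=$(mktemp); suid_listing / > "$now"
           suid_diff "$2" "$now"; rc=$?; rm -f "$now"; exit "$rc" ;;
esac
```

A file whose group was changed, as the chapter does with chgrp, shows up as one "-" line and one "+" line, so the old and new ownership are both visible.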

*****************

Here is another one that has been around for a while. Look for SUID perms on the file /usr/bin/splitvt. If it has SUID perms use the file below, but be sure to read the directions after the exploit:

****************************************

sp.c

OK, this is how splitvt works:

1. Compile the file
2. Run the sp file
3. Run splitvt

Before you run the file:

whoami {press enter}
username

After you run the exploit:

whoami
root

*******************************************************

Now if all of these have not got you root, try sm.sh. This is a sendmail bug that works with 8.73 to 8.83 (maybe some others). Here is the script:

sm.sh

Just chmod the file +x like this:

chmod +x sm.sh

1. Run the file
2. It will take you to the /tmp directory
3. Type ls -l and see if you have a SUID sh file there. If you do, type whoami; if you are not root, run the file ./sh, and now see if you are root ;)

I will add many more scripts in the appendix, but these should be the best at this time to get root access on Linux or BSD. If you need another BSD exploit, try the crontab exploit for BSD in the appendix.
