Some Questions On Gaining Root Access To A Server

[fapafap]

first post here.

After getting a web-shell up on your target website the next step is to try and root the box and then backdoor it. The only methods I seem to be able to find so far are to search for a local kernel exploit and run it through a backconnection. When your target has a 2011 kernel thats obviously not an option (to 99% of us), but nobody can tell me so far what the alternative course of action (if any) is to still manage to root it.

I haven't left this topic alone despite not getting any information on it because I think that there must be other ways to do this, after you have access to the box via the shell and can potentially upload/run malware which surely could include things like rootkits which could circumvent kernel level authentication, or key loggers, or whatever? Ok enough newbie notions, please any knowledgeable hackers enlighten me!

[Jason Cooper]

Things that could give an attacker root on a system (not an exhaustive list)

• running your web server as the root user
  
• exploitable kernel
  
• exploitable suid'd program
  
• writeable home directories (if they can edit your files they can set up trojan versions of su or sudo to grab passwords)
  
• patience, if they wait long enough an exploit may be found that would give them root
  

[Hyperant]

[*]patience, if they wait long enough an exploit may be found that would give them root

Yes because thats hacking now isn't it ;)

-------

If you are on the out side looking in with no way what so ever to login to the system, then the first thing that i would normally do is run a port scan against the system in order to generate a list of open ports and what services are listening on these ports. From that information one can then do a few searches in some public db for known exploits. If nothing comes up then you get a copy of one of the services that is running on the system and analyze the program in order to find a bug that can be exploited, once you have found a bug the next step would be to write an exploit for it.

[fapafap]

Things that could give an attacker root on a system (not an exhaustive list)

• running your web server as the root user
  
• exploitable kernel
  
• exploitable suid'd program
  
• writeable home directories (if they can edit your files they can set up trojan versions of su or sudo to grab passwords)
  
• patience, if they wait long enough an exploit may be found that would give them root
  

Hi thanks for your reply, I have googled around the topics you have mentioned but cant find any decent information- can you elaborate at all please mate?

[fapafap]

Yes because thats hacking now isn't it ;)

-------

If you are on the out side looking in with no way what so ever to login to the system, then the first thing that i would normally do is run a port scan against the system in order to generate a list of open ports and what services are listening on these ports. From that information one can then do a few searches in some public db for known exploits. If nothing comes up then you get a copy of one of the services that is running on the system and analyze the program in order to find a bug that can be exploited, once you have found a bug the next step would be to write an exploit for it.

Hi and thanks for your input too.

[Infiltrator]

Things that could give an attacker root on a system (not an exhaustive list)

• running your web server as the root user
  
• exploitable kernel
  
• exploitable suid'd program
  
• writeable home directories (if they can edit your files they can set up trojan versions of su or sudo to grab passwords)
  

1) Running your webserver as the root user, its a very bad idea, if the attacker manages to get into your server, he won't need to escalate his privileges, he will get full access to your system and its game over.

On the other hand, if a virus/trojan manages to sneak into the webserver, they can do real damage simply because you neglected to lock down your system. By limiting the privileges, you are limiting the damages an attacker or a virus can do.

2) Exploitable kernel means, if the main core of the OS (Windows or Linux) contains a vulnerability or security loophole, an attacker could easily exploit and gain access to the system. By keeping the OS patched (updated), you reduce the chances of exploitation.

3) Just like an Exploitable Kernel, an exploitable suid'd program could contain vulnerabilities/security loopholes within its source code thus allowing an attack to take advantage of it, and gaining unauthorized access to a system.

4) Writable home directories, if your system or webserver has a writable directory, anyone can save or even execute malicious files, which could potentially give them access to a system. Make sure home directories only have read or no access at all to the public. This will improve the security of the system as well.

[fapafap]

Hi I am interested in learning more about the following suggestions:

3) Just like an Exploitable Kernel, an exploitable suid'd program could contain vulnerabilities/security loopholes within its source code thus allowing an attack to take advantage of it, and gaining unauthorized access to a system.

What I have read so far on this (thank you for bringing me onto it!) is that this is really only ever going to be a realistic opportunity where you are in a bulky corporate or personal network where third party programs have dropped miscrient SUID'd programs unchecked by admins- the standard linux distro apps are clearly going to be 99% bug free.

For my purposes of hacking the server a website is hosted on makes this not really a high chance of success, and thats before getting into the actual shell coding!

4) Writable home directories, if your system or webserver has a writable directory, anyone can save or even execute malicious files, which could potentially give them access to a system. Make sure home directories only have read or no access at all to the public. This will improve the security of the system as well.

Lets say I have access to: /var/www/www.website.com/htdocs/

Can you elaborate from there? How could malicious files give root access from here?

Edited December 17, 2011 by fapafap

[digip]

Lets say I have access to: /var/www/www.website.com/htdocs/

Can you elaborate from there? How could malicious files give root access from here?

If you have read and write access to any part of the web side, and say they have PHP or MySQL installed, you could upload a reverse shell to peer into the rest of the server, possibly gain root access, depending on how the Host set up the web server, and what user level things run at. SQLi is also a target, since gaining access to the database, could potentially yield admin passwords for the site, then lead to further login and escalation of privileges through upload of tools to root the server. Mind you, all of this is detectable, but depending on how they secure the site, you could also clean up after yourself, wipe syslogs, access logs, backdoor the server with new accounts and chattr your files so they can't be removed even as root unless a smart enough admin bothers to lsattr the files to see what their attributes are.

[fapafap]

If you have read and write access to any part of the web side, and say they have PHP or MySQL installed, you could upload a reverse shell to peer into the rest of the server, possibly gain root access, depending on how the Host set up the web server, and what user level things run at. SQLi is also a target, since gaining access to the database, could potentially yield admin passwords for the site, then lead to further login and escalation of privileges through upload of tools to root the server. Mind you, all of this is detectable, but depending on how they secure the site, you could also clean up after yourself, wipe syslogs, access logs, backdoor the server with new accounts and chattr your files so they can't be removed even as root unless a smart enough admin bothers to lsattr the files to see what their attributes are.

Hi already have a shell up and it is under wwwdata user. Permissions all seem to be standard throughout the server. There are no SQLi vulns as far as i am aware- it is a drupal based site fully patched up.

[digip]

Whatever you do, obviously, is on you and this is all for educational purposes. It kind of goes without saying, we don't condone hacking machines that aren't your own, so I won't preach too much, but its all on you if anything happens.

Hi already have a shell up and it is under wwwdata user. Permissions all seem to be standard throughout the server. There are no SQLi vulns as far as i am aware- it is a drupal based site fully patched up.

If the context of everything is as www-data, then you pretty much only have control of the web site and where the files are stored for the www area. This could be leveraged to gain root access if you can somehow get the admin passwords from drupal(if they are the same as for the servers root as well, which most likely won't be the same). Although, if PHP can issue SYSTEM level SHELL commands, you might be able to just create a new root user from there. If not, try to do a directory traversal to see if you can go higher than the home directory, or even see other directories by calling them manually if navigation doesn't work by going up one level, like calling / or /var /bin /etc directly. Most of these directories should be off limits, but if one of them is readable like say /etc might be able to dump the plain text of /etc/passwd (without hashses) to get a list of user names to brute force. All in how you want to work it. Even issuing shell commands, like uname -a to get the kernel info in use, search for installed software and their version numbers, all to see if there are exploits for them against the server itself.

[fapafap]

Whatever you do, obviously, is on you and this is all for educational purposes. It kind of goes without saying, we don't condone hacking machines that aren't your own, so I won't preach too much, but its all on you if anything happens.

If the context of everything is as www-data, then you pretty much only have control of the web site and where the files are stored for the www area. This could be leveraged to gain root access if you can somehow get the admin passwords from drupal(if they are the same as for the servers root as well, which most likely won't be the same). Although, if PHP can issue SYSTEM level SHELL commands, you might be able to just create a new root user from there. If not, try to do a directory traversal to see if you can go higher than the home directory, or even see other directories by calling them manually if navigation doesn't work by going up one level, like calling / or /var /bin /etc directly. Most of these directories should be off limits, but if one of them is readable like say /etc might be able to dump the plain text of /etc/passwd (without hashses) to get a list of user names to brute force. All in how you want to work it. Even issuing shell commands, like uname -a to get the kernel info in use, search for installed software and their version numbers, all to see if there are exploits for them against the server itself.

Thanks for replying- n.b noted disclaimer, all this is for learning, and of course anyone hacking does so at their own risk.

I traversed right back to root directory- most directories are readable, none lower than the var/www are writeable. I did a search for all SUID programs and they are all in user/bin which are root group. The etc/password file is off limits, I can call some restricted commands such as uname -a, and safe mode is off. I haven't found anything other than an open var/mail file which give me insight into the admins username, but agreed its probably not going to be the same username/password for the FTP/SSH- just based on what I have leared about drupal so far since that installation comes later than setting up your apache etc.. Have we exhausted all of the possibilities?

[digip]

Disclaimer: I am not a pentester, I don't claim to know everything, and have no real world experience breaking into and rooting others servers, but I know enough to know I don't know everything and enough that I keep myself out of trouble.

Have we exhausted all of the possibilities?

If you haven't gained root, then no, you probably haven't exhausted all resources. Yet... Just depends on your knowledge and skill set. You could look at the drupal installation for the config file, find the database user and password, upload a php script to then dump the database and hashes to your browser, crack the passwords, look for admin email in drupal, then either crack the hash, or if too secure(might be salted, although you should be able to find the salt as well to use with online crackers) just spear phish the admin with some email to target them, hope you can social engineer them into clicking something, then compromise the admin, do more research from there. If you can look at the access logs, you can see who(by IP address, browser info, OS, etc) and what they are accessing, like specific pages - logging into admin only areas.

I would say nothing is impossible, just a matter of whether or not you've tried things that no one else has thought of or done more recon to know your targets. I'm not a pentester, and I don't even know how to use half the tools installed in backtrack, nor do I hardly ever use it other than testing in VM's at home(something I really need to use more). Most vulns I've found have been from just poking around client side in the browser and working from there to see what I can find(dumping databases, persistent xss, read and write to the web server, ftp, ssh, etc) and if I find something I can get into or vulns that could take down the sites, I generally contact the admin and let them know what flaws I've found. Sometimes, the servers are already compromised by someone else, and its a matter of finding their left overs and then getting in through the backdoor they left in place.

Edited December 19, 2011 by digip

[fapafap]

Disclaimer: I am not a pentester, I don't claim to know everything, and have no real world experience breaking into and rooting others servers, but I know enough to know I don't know everything and enough that I keep myself out of trouble.

If you haven't gained root, then no, you probably haven't exhausted all resources. Yet... Just depends on your knowledge and skill set. You could look at the drupal installation for the config file, find the database user and password, upload a php script to then dump the database and hashes to your browser, crack the passwords, look for admin email in drupal, then either crack the hash, or if too secure(might be salted, although you should be able to find the salt as well to use with online crackers) just spear phish the admin with some email to target them, hope you can social engineer them into clicking something, then compromise the admin, do more research from there. If you can look at the access logs, you can see who(by IP address, browser info, OS, etc) and what they are accessing, like specific pages - logging into admin only areas.

I would say nothing is impossible, just a matter of whether or not you've tried things that no one else has thought of or done more recon to know your targets. I'm not a pentester, and I don't even know how to use half the tools installed in backtrack, nor do I hardly ever use it other than testing in VM's at home(something I really need to use more). Most vulns I've found have been from just poking around client side in the browser and working from there to see what I can find(dumping databases, persistent xss, read and write to the web server, ftp, ssh, etc) and if I find something I can get into or vulns that could take down the sites, I generally contact the admin and let them know what flaws I've found. Sometimes, the servers are already compromised by someone else, and its a matter of finding their left overs and then getting in through the backdoor they left in place.

Thanks for your insights. I found a suid'd binary this afternoon which is root/root ------other:rwx :) I feel the net is closing in tonight! Thanks again.