____________________________________________________________________
[ 2:. - [ getting root; the b0g way ] [timidu] :. ] [timidu@b0g.org] :. ]
____________________________________________________________________

BASH is fucking vulnerable .. every version of it .. the newest exploit posted here cuz BugTraq sucks (just kidding, /me is too lame to publish an exploit :// )

So kidz, wanna impress some class-mate chix0r wit y3r 31337 h4x1ng skee1z? Wanna show her what rewt means, but you still can't hack the school computer that's running Linux? Well, check THIS new exploit out (actually it's not an exploit, just a PATH and prompt trick, but a script-kiddie will love it). You only need a valid account there, bash and ... oh, 2 brain cells. Log in at your shell and follow the next 6 basic steps:

1) Give yourself a root-looking prompt and put your own bin directory in front of everything else in PATH. Issue this:

   $ echo "PS1='[root@h /root]# '" >> .bash_profile
   $ echo "PATH=$HOME/bin:$PATH" >> .bash_profile

   Done? Not yet? Uhm .. man, don't write the "$". That's your prompt :/ . Boy, are you dum....

2) Make a directory in your home directory. Call it bin. First change to the home directory:

   $ cd

   Next, do it:

   $ mkdir bin

   And cd to it:

   $ cd bin

3) Make 2 files using a text editor. Let's say we're using pico. The philez names SHOULD and MUST be 'whoami' and 'id', because that is what the shell will now find before the real ones:

   $ pico whoami
   --cut here--
   #!/bin/bash
   # the whoami thingie
   echo root
   --stop cutting--

   $ pico id
   --cut here--
   #!/bin/bash
   # the id thingiez
   echo "uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)"
   --stop cutting--

4) Make them executable philes. Oh, you don't know what that means .. and yet you want root. God thank me for not letting you have the real admin rights there. So .. do this in the directory where 'id' and 'whoami' are stored (~/bin):

   $ chmod +x whoami
   $ chmod +x id

5) Change, thru .bash_profile, some of the shell variables: LOGNAME or USER. Export them, or programs you run won't see the new values. (Some of the variables, UID and EUID for example, are read-only in bash and can't be touched this way; I'll treat this subject l8r.)

   $ echo "export LOGNAME=root" >> ~/.bash_profile
   $ echo "export USER=root" >> ~/.bash_profile

6) Now log out and log in again (this also makes bash re-read PATH and forget any command locations it had already cached). If you did what I've just told you, you should have a prompt similar to root's. Oh, and when you type whoami and id they should tell you that you're root.

Simple, eh? Let's say that you want to go further. There are plenty of thingz to be done and I'll cover some of them in the second part of this "shitlist". I just hope that you can actually find a chick that likes leet hackers like you. You'll just end up showing this to some weird nerd that'll truly admire you and wink at you, and act really strange and ask you out :.

So .. you learned how to fake your identity on a Linux machine in 6 steps. But, heh, what if the guy you're trying to trick is smart and he makes you do thingz that only root can? What can root do that a normal user can't? See below for a few neat tricks.

*** printing /etc/shadow's content ***

For this trick you need a shadow file. You can take it from your own box (actually that's dumb if it's found out). Upload this shadow file into the fake-root Linux account in the ~/bin folder (~ means your home dir, you gimp!). Now we have to do a new k3w1 m4d r33t script. Let's fake the `cat` command, cause that's the way you view the damn /etc/shadow file. So ..

   $ cd ~/bin

Ooops .. I forgot that you just used PS1 to fake the prompt =].
I actually meant '# cd ~/bin' :PPPP

   # cd ~/bin
   # pico cat

Now paste this eleet script:

--- start cutting ---
#!/bin/bash
# fake cat: if /etc/shadow is among the arguments, print ~/bin/shadow
# instead (keeping any switches); otherwise behave exactly like /bin/cat
found=0
args=()
for x in "$@"
do
    if [ "$x" != '/etc/shadow' ]
    then
        args+=("$x")
    else
        found=1
    fi
done
if [ "$found" = 1 ]
then
    /bin/cat "${args[@]}" "$HOME/bin/shadow"
else
    /bin/cat "$@"
fi
--- stop cutting ---

Now cat will print YOUR shadow file if you issue a `cat /etc/shadow` and will act normally in any other case. You probably say: "geez, what a lame script, I could have done it in 3 rows". Hey motherfucker, wake up from your dreaming. Maybe your pals are actually smarter than you. I took care to make my script keep the switches, for example. So, if you do a `cat -E -n /etc/shadow` or a `cat -n /etc/shadow -E` it'll still work just fine. It only matches the exact string /etc/shadow, though: `cat /etc/./shadow`, `cd /etc; cat shadow`, or `less /etc/shadow` all go to the real file and give "Permission denied". Next, `chmod +x cat` so you can actually use it .. and that's it. Have fun!

*** mounting a file system ***

Heh, I know whatcha gonna say: "mount ain't that important!!". But goddammit, when you're not root and you can't mount a file system and yet you try to mount it, the shell gives you that nasty output: "only root can do that". Just enter your good old bin directory and make a 'mount' file. Since you can't really fake a mounting, at least let's get rid of that "only root.." error. For example:

--- cut here ---
#!/bin/bash
# This iz the phile that fakes mounting.
# Name it mount and put it in ~/bin
# Don't forget to chmod it so you can run it
if [ $# -eq 0 ]
then
    /bin/mount        # plain `mount` only lists what's mounted, anyone may run it
    exit
fi
if [ "$1" = "-V" ]
then
    /bin/mount -V
elif [ "$1" = "-h" ]
then
    /bin/mount -h
else
    echo "only root CAN'T do that"
fi
--- stop it, man ---

Heh, lame phile, and you should change that stupid "only root CAN'T do that" line to one of your own or to something that mount prints more often. There are plenty of other thingz that can be done with this PATH trick. For those silly newbies that don't even know the basics: if I set PATH=my_directory:/bin:/usr/bin then the shell looks in my_directory first when it resolves a command name, so a file called 'id' in there wins over /usr/bin/id. One catch: bash remembers where it found a command for the rest of the session, so after dropping a new file into ~/bin either run `hash -r` or log out and back in, or bash keeps running the real one.
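And now the other side of the PATH trick. The script below is an added example for this page, not part of the original b0g article: it is what the "smart guy" you are trying to fool should run to unmask a planted ~/bin/id, ~/bin/whoami or ~/bin/cat. The function names and the TRUSTED_DIRS list are my own choices (adjust the list to where the real binaries live on the box), and it assumes Linux (/proc/self/status) or bash (the read-only $EUID) to get the uid straight from the kernel without any PATH lookup at all.

```shell
#!/bin/sh
# Added example, not from the original article: checks the target of the
# trick should run to unmask a ~/bin 'id' / 'whoami' / 'cat' planted via PATH.
# Assumes Linux (/proc/self/status) or bash (read-only $EUID) for kernel_uid,
# and that TRUSTED_DIRS lists where the real binaries live on this box.

# Where honest system commands come from. Anything resolving elsewhere,
# typically under $HOME, or "." via an empty PATH element, is suspect.
TRUSTED_DIRS="/usr/bin /bin /usr/sbin /sbin /usr/local/bin"

# resolve_in_path NAME SEARCHPATH
# Print the directory the shell would pick for NAME: the first element of
# SEARCHPATH holding an executable, non-directory file of that name.
resolve_in_path() {
    name=$1
    searchpath=$2
    oldifs=$IFS
    IFS=:
    for dir in $searchpath; do
        [ -z "$dir" ] && dir=.          # empty element means current directory
        if [ -x "$dir/$name" ] && [ ! -d "$dir/$name" ]; then
            IFS=$oldifs
            printf '%s\n' "$dir"
            return 0
        fi
    done
    IFS=$oldifs
    return 1
}

# is_hijacked NAME SEARCHPATH
# True (exit 0) when NAME would resolve outside TRUSTED_DIRS, i.e. a planted
# copy shadows the real one. False if it resolves honestly or not at all.
is_hijacked() {
    dir=$(resolve_in_path "$1" "$2") || return 1
    for t in $TRUSTED_DIRS; do
        [ "$dir" = "$t" ] && return 1
    done
    return 0
}

# kernel_uid
# The effective uid with no PATH lookup at all: read from the kernel via
# /proc, or from bash's $EUID, which bash sets itself and keeps read-only,
# so nothing in .bash_profile can change it.
kernel_uid() {
    if [ -r /proc/self/status ]; then
        awk '/^Uid:/ { print $3; exit }' /proc/self/status
    else
        printf '%s\n' "${EUID:?needs bash or /proc}"
    fi
}

# claimed_uid
# What a PATH-resolved `id -u` claims; with the trick above this is whatever
# ~/bin/id prints (the fake from step 3 doesn't even understand -u).
claimed_uid() { id -u; }

# check_identity
# Compare the two and say so; exit 0 if they agree, 1 if not.
check_identity() {
    k=$(kernel_uid)
    c=$(claimed_uid)
    if [ "$k" = "$c" ]; then
        printf 'ok: id agrees with kernel (uid=%s)\n' "$k"
        return 0
    fi
    printf 'MISMATCH: id says %s, kernel says %s; check `type -a id` and $PATH\n' "$c" "$k"
    return 1
}

# Quick look at the current shell: where do id, whoami and cat come from?
for cmd in id whoami cat; do
    if is_hijacked "$cmd" "$PATH"; then
        printf '%s: SHADOWED by %s\n' "$cmd" "$(resolve_in_path "$cmd" "$PATH")"
    else
        printf '%s: from %s\n' "$cmd" "$(resolve_in_path "$cmd" "$PATH" || echo nowhere)"
    fi
done
check_identity
```

The one-liner version of the same idea, if you don't want a script: `type -a id` shows every id in PATH order, `echo "$PATH"` shows why, and `/usr/bin/id` or `command -p id` skips the victim's PATH entirely. Whatever the fake prints, the kernel still knows the real uid, which is also why the "Permission denied" from `cd /root` below gives the game away.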
Now, if you're careful enough, you can leave the impression that you're really root on that system. Still, there are things where you can be caught as a liar ://. For example:

   [root@somelamebox ~]# cd /root
   bash: /root: Permission denied
   [root@somelamebox ~]#

Doesn't exactly look like a root account, eh? :/ . The cd command is not easy to fake this way, because it is a bash builtin, so the shell never goes looking in PATH for it, and the "Permission denied" comes from the kernel, which knows your real uid whatever ~/bin/id says. You can still set your prompt to something like PS1='[root@h /root]# ' so at least the prompt looks the part. Other TODO thingz are:

- faking ls not to show the content of /home/$USER/bin
- killing and starting some processes
- uhm .. I dunno, but if bob publishes this (although I don't see a good reason that he does) I'll continue this with more eleet ideas ;]

I'm sorry for my bad English and for some mistakes that I made (redirect flames to /dev/null) but I had to write it in a very short time. I am TOTALLY responsible for the harm that you may cause with the ideas/scripts posted here =] And to quote Phuck (that's the real name of Phrack) I may say that this is for and by the lamers community ]:]

Happy faking!

b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!