Remote root from ftp

**jackabee** · 06-19-2008, 04:54 PM

Hi
I am doing a pen-test on one of my machines. I pretended I managed to get an unprivileged users password (e.g. from an sql injection attack) and im wondering now if its possible to get a remote root shell from this.

I thought maybe I could upload netcat and change my .bashrc to start a shell when I next log in, but this wouldn't be much use as its an unprivileged user

Any ideas?

**bluster** · 06-19-2008, 06:53 PM

I'm not a hacker or cracker or what they call it, but..Reading your post subject and
post i understand that you have server instaled in your "victim" machine (you are talking about sql inj and ftp stuff). You can analize your server applications or files, get apps versions,analize source code, see if there are some bugs for buffer or stack overflow or another vulnerabilities. Check if your "user" is privileged to inserts modules, if so then you can write some setgid and setuid hooking modules. If it is server(i understand it is), try to use php sockets to get yourself remote dynamic shell. There is a lot of stuff you can do. Bashrc will not help you with anything

Can you handle it? And if its not your serv just leave it alone, my advice

**jackabee** · 06-20-2008, 07:03 AM

Thanks for the reply,
I can manage to get app versions etc, and since I know the directory structure I would be able to get source code as well. Unfortunately though, my programming skills are limited to visual basic (lol) so analyzing code and writing modules is an unknown area for me.

You talk about using php sockets to create a shell. How would I go about doing that? I don't mind doing some research because that helps me learn but I wouldn't know where to start.

**opreat0r** · 06-20-2008, 02:50 PM

if you have a shell on the system you can try local privilege escalations ( mostly old lib's or kernels )

what you are looking for is old versions of software installed as root on the system that are vuln ..

check to uid's http://rmccurdy.com/scripts/find_setuid.txt

php shells you can download by the millions... c99shell r57 ..

**jackabee** · 06-20-2008, 05:57 PM

Thanks for the help guys I think this has pointed me in the right direction.

**hexbase** · 06-22-2008, 05:50 PM

Here are some shells i've found. Php and ASP shells are included.

Total shells: ~50

Link: h-ttp://rapidshare.com/files/124333843/SHELLS-Superpack-PW_-1234.7z.html

Delete the "-" to get a functional link.

**jackabee** · 06-23-2008, 09:39 AM

Cheers dude

BackTrack Linux - Penetration Testing Distribution

Thread: Remote root from ftp

Thread Tools

Search Thread

Display

Remote root from ftp

shell

Posting Permissions