informis
/
textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
textfiles/hacking/UNIX/betunix.txt

167 lines
9.3 KiB
Plaintext
Raw Permalink Blame History

+---------------------------------------------------------------------------+
:PHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHA:
:pha+-------------------------------------------------------------------+pha:
:PHA: Phreakers/Hackers/Anarchists Present: :PHA:
:pha: =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= :pha:
:PHA: +=+ Gaining Better Access On Any Unix System +=+ :PHA:
:pha: =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= :pha:
:PHA: Written By Doctor Dissector (doctord@darkside.com) UPDT: 1/8/91 :PHA:
:pha+-------------------------------------------------------------------+pha:
:PHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHA:
+---------------------------------------------------------------------------+
+-----------------------------------------------------------------------------+
:=[ Disclaimer ]==============================================================:
+-----------------------------------------------------------------------------+
The author and the sponsor group Phreakers/Hackers/Anarchists will not be held
responsible for any actions done by anyone reading this material before,
during, and after exposure to this document. This document has been
released under the notion that the material presented herin is for
informational purposes only, and that neither the author nor the group
P/H/A encourage the use of this information for any type of illegal
purpose. Thank you.
+-----------------------------------------------------------------------------+
:=[ Introduction ]============================================================:
+-----------------------------------------------------------------------------+
Hello there again. Well, I just recently started getting back into the hacking
mode of things, and decided to throw together a quick-reference type of
deal on how to get better access on any unix driven system. Unix, in my
opinion is the best operating system out today for all-purpose use, and
is probably the most widely used operating system currently in use as
well. Anyway, the ideas in this document are probably far from original,
but are re-stated together in order to help devise new strategies for
cracking unix. Also note that this is not for novices, I will constantly
refer back to topics which are generally well known throughout unix
users, so don't expect me to elaborate. Enjoy...
+-----------------------------------------------------------------------------+
:=[ General Unix Hints ]======================================================:
+-----------------------------------------------------------------------------+
1. If you have write priv's to a directory but don't have write priv's to a
file in that directory, copy the file over to another directory, delete
the original file, modify your copy of the file to your tastes, and
recopy it back into the original directory. Example:
cp /canthack/cantwriteme /usr/mydir/gnuversion
rm /canthack/cantwriteme
mv /usr/mydir/gnuversion /usr/mydir/cantwriteme
cat /bin/sh > /usr/mydir/cantwriteme
cp /usr/mydir/cantwriteme /canthack
2. If you have read access to a file but can't copy it due to directory read
restrictions, you can still cat it into another file in another directory.
Example: "cat cantcopyme > /usr/mydir/IcopiedYOU!".
3. Always touch files up after you modify them so the date/time stamp is
the same/close to what it was before you modified it. This is done by
using the command "touch HHmmMMdd <filename>" where HH=hour, mm=minute,
MM=month, and dd=day.
+-----------------------------------------------------------------------------+
:=[ Gaining Better Access On A Unix ]=========================================:
+-----------------------------------------------------------------------------+
1. Grab /etc/passwd, you might be able to get an account that will put you in
a better position using password crackers; just having the list of users
puts you ahead if the password file is shadowed.
3. Use the command:
find / -perm -4000 -exec /bin/ls -lad {} ";"
It will show you all files with the UID bit set. You can then attempt to
create a shell with root/another user's uid priv's or modify them,
depending on what file priv's are set on them.
3. Check for write priv's to /usr/lib directory and /usr/lib/crontab file.
The /usr/lib/crontab file will execute certain commands at specific
times under the uid of root. If you don't know much about this file, I
advise you to stay away from it.
4. Check for write priv's to /usr/spool/crontabs directory and any crontab
files in that directory; since these scripts are run under the uid bit
of each listed user, if you could edit the root or other important
user's cron script, you might put yourself in a better position.
5. Check for write priv's to scripts/programs executed BY the /usr/lib/crontab
script or the scripts in /usr/spool/crontabs directory. If you could
modify a program/script used by these cron scripts (backdoor... eh?)
you could easily better your position on the system.
6. Check for write priv's to /bin, /usr/bin, /etc, /usr/lib, and any other
important directories with binaries or scripts owned by root or other
imporant users on the system, or just plain used a heck of a lot by
the users on a particular system. You might be able to modify certain
files (backdoors, etc) in order to better your position on the system.
7. Use a trojan. Some unix systems have faults in that a user who hangs up in
the middle of a connection will not be logged out of the system, and the
next person to log onto the system under the same tty will be placed into
that user's shell. You can create a trojan program simulating normal
login (many have been described by Shooting Shark and others) to gain
passwords (possibly root if you are REALLY REALLY lucky) to the system.
8. Read a terminal device (/dev/ttyXXX) using the "cat /dev/ttyXXX" command,
which requires you to own a uid shell of the current user on that ttyXXX,
but could be useful in gaining more accounts. The Prophet also had an
idea where you would read the ttyXXX until the superuser (using a
differnet account) would login, and then you would send him a write
message saying something like "I'm Gonna Format Your Winchesters!!!"
(as The Prophet would say it...), you could watch him su over to the
root account in order to boot you off the system; meanwhile, you are
watching him type in the password and all for the su, and you now have
root.
+-----------------------------------------------------------------------------+
:=[ Appendix ]================================================================:
+-----------------------------------------------------------------------------+
1. The following is a paritial listing of some programs/scripts under the unix
operating environment that generally (if not always) have the root
superuser uid bit set on them.
/bin/chfn /bin/chhd
/bin/chsh /bin/mail
/bin/passwd /bin/rcp
/bin/su /usr/lib/lpd
/usr/lib/sendmail /com/sigp
/com/xsubs /etc/find_orphans
/etc/lpc /etc/lprotect
/etc/ping /etc/salacl
/etc/suid_exec /etc/syncids
/etc/timedc /sys/net/netman
/sys/vtserver /usr/bin/login
/usr/bin/tb
+-----------------------------------------------------------------------------+
:=[ Conclusion & Credits ]====================================================:
+-----------------------------------------------------------------------------+
Well, that's pretty much it. I doubt that is even close to all the ideas a
great deal of people can come up with for gaining better access to any
given unix system, but it is a start. I'd also like to give credit to
So76 for getting this list started and The Prophet for his excellent
information in "Unix Use And Security From The Ground Up" textfile,
great stuff. Till next tyme....
dd/pha
+-----------------------------------------------------------------------------+
:=[ Greets & Messages ]=======================================================:
+-----------------------------------------------------------------------------+
To all the network hackers out there: Keep up the good work.
Yo! To Kryptic Night, PhantasMumble, Pain Hertz, Doc Holiday, Black Death,
Killer Korean, M.I.T., Anonymous Anarchist, Brownstone, and anyone else
I might have forgotten!
+-----------------------------------------------------------------------------+
:=======>> Unholy Temple EEE-light! PHA-HQ/NIA/PHRACK - 000-PRI-VATE <<=======:
+-----------------------------------------------------------------------------+
"The future is forever..." + "The future is NOW!" - KL/PHRACK
Reference in New Issue View Git Blame Copy Permalink