Rooting With your eyes

The highest access you can gain on any *nix based operating system is
root. On this account you can do many things that you cant with any
other account! In this tutorial i will explain how to gain access to
this account by just using your eyes.

The biggest weakness in any system is the stupid bugger that is running
it. They are prone to write things down that they should not, use the
same password for everything and configure things wrong.
So keeping that in mind lets look around the server.

You are looking for things such as mysql connection scripts. These are named things like config.php , configure.php , db.php and db_connect.php. Look at these and they will usualy have the connection details to that users mysql account!

If this is a hosting company you are not really that interested
in the many users that only have minimal permissions over there own
sites you are interested in the webhosts site.

So execure the comand “cat /etc/passwd” (without the quotes) and then look for an entry with normally the first eight letters of the hosting company’s domain. then with your shell navigate to there directory. Then go to there site and
have a look around. There will most probably be an automatic account
creation script or controlpanel login script on there main site.

You will need to make note of the directory that the script is in and then
go back to your shell. Now navigate to the directory and look for files
that may contain details to the hosting database. If the server owner is
as stupid as they come this will be the connection details for root
mysql which means you have control over all databases on the server if
not you can just connect to the the accounts database.

If the server owner is stupid the passwords will be stored in plain text. This means
that you have access to all accounts on the server! Now on with the
rooting, we need to find the admin’s password if it is stored in the
database with the accounts in that is us done just login through the
control panel and you got root cp on the server.

There are different approaches if the host is not setup like this! Most
hosts have support forums these days and all main
stream forums software saves the database password in plain text so we
can be sure we will be able to connect to that. If they are using phpbb
which many are hashes are unsalted which means you can use any regular
md5 cracker to gain the plain text of the hash.

Now download putty if you are on windows or if you are in linux use ssh -l root and try the password that he uses on the forums. If you can’t crack it or it is not he same next we have to look arround again. Most hosts like to backup
there stuff so that if things go wrong they can restore what they have.
Well to do this scripts need passwords so look for mysql and ftp backup
scripts and test the passwords they contain.

If all this fails you have one last ace in your hand. Social enjiering! This can be done many ways and I am not going to explain it now but all im going to say is that in your travels arrount his server you should have gained alot of
information about him so try out different things such as emailing other
members of the team from a fake mailer saying that he is going away and
and needs the password to his account on the control panel sent to his
private email address and so on.

I would tell you about local root exploitation but then that would not be using
your eyes would it!

If all this fails go look for another server!

Article written by AUTHOR_NAME