+---------------------------------------------------------------------------+ :PHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHA: :pha+-------------------------------------------------------------------+pha: :PHA: Phreakers/Hackers/Anarchists Present: :PHA: :pha: =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= :pha: :PHA: +=+ Gaining Better Access On Any Unix System +=+ :PHA: :pha: =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= :pha: :PHA: Written By Doctor Dissector ([email protected]) UPDT: 1/8/91 :PHA: :pha+-------------------------------------------------------------------+pha: :PHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHA: +---------------------------------------------------------------------------+ +-----------------------------------------------------------------------------+ :=[ Disclaimer ]==============================================================: +-----------------------------------------------------------------------------+ The author and the sponsor group Phreakers/Hackers/Anarchists will not be held responsible for any actions done by anyone reading this material before, during, and after exposure to this document. This document has been released under the notion that the material presented herin is for informational purposes only, and that neither the author nor the group P/H/A encourage the use of this information for any type of illegal purpose. Thank you. +-----------------------------------------------------------------------------+ :=[ Introduction ]============================================================: +-----------------------------------------------------------------------------+ Hello there again. Well, I just recently started getting back into the hacking mode of things, and decided to throw together a quick-reference type of deal on how to get better access on any unix driven system. Unix, in my opinion is the best operating system out today for all-purpose use, and is probably the most widely used operating system currently in use as well. Anyway, the ideas in this document are probably far from original, but are re-stated together in order to help devise new strategies for cracking unix. Also note that this is not for novices, I will constantly refer back to topics which are generally well known throughout unix users, so don't expect me to elaborate. Enjoy... +-----------------------------------------------------------------------------+ :=[ General Unix Hints ]======================================================: +-----------------------------------------------------------------------------+ 1. If you have write priv's to a directory but don't have write priv's to a file in that directory, copy the file over to another directory, delete the original file, modify your copy of the file to your tastes, and recopy it back into the original directory. Example: cp /canthack/cantwriteme /usr/mydir/gnuversion rm /canthack/cantwriteme mv /usr/mydir/gnuversion /usr/mydir/cantwriteme cat /bin/sh > /usr/mydir/cantwriteme cp /usr/mydir/cantwriteme /canthack 2. If you have read access to a file but can't copy it due to directory read restrictions, you can still cat it into another file in another directory. Example: "cat cantcopyme > /usr/mydir/IcopiedYOU!". 3. Always touch files up after you modify them so the date/time stamp is the same/close to what it was before you modified it. This is done by using the command "touch HHmmMMdd" where HH=hour, mm=minute, MM=month, and dd=day. +-----------------------------------------------------------------------------+ :=[ Gaining Better Access On A Unix ]=========================================: +-----------------------------------------------------------------------------+ 1. Grab /etc/passwd, you might be able to get an account that will put you in a better position using password crackers; just having the list of users puts you ahead if the password file is shadowed. 3. Use the command: find / -perm -4000 -exec /bin/ls -lad {} ";" It will show you all files with the UID bit set. You can then attempt to create a shell with root/another user's uid priv's or modify them, depending on what file priv's are set on them. 3. Check for write priv's to /usr/lib directory and /usr/lib/crontab file. The /usr/lib/crontab file will execute certain commands at specific times under the uid of root. If you don't know much about this file, I advise you to stay away from it. 4. Check for write priv's to /usr/spool/crontabs directory and any crontab files in that directory; since these scripts are run under the uid bit of each listed user, if you could edit the root or other important user's cron script, you might put yourself in a better position. 5. Check for write priv's to scripts/programs executed BY the /usr/lib/crontab script or the scripts in /usr/spool/crontabs directory. If you could modify a program/script used by these cron scripts (backdoor... eh?) you could easily better your position on the system. 6. Check for write priv's to /bin, /usr/bin, /etc, /usr/lib, and any other important directories with binaries or scripts owned by root or other imporant users on the system, or just plain used a heck of a lot by the users on a particular system. You might be able to modify certain files (backdoors, etc) in order to better your position on the system. 7. Use a trojan. Some unix systems have faults in that a user who hangs up in the middle of a connection will not be logged out of the system, and the next person to log onto the system under the same tty will be placed into that user's shell. You can create a trojan program simulating normal login (many have been described by Shooting Shark and others) to gain passwords (possibly root if you are REALLY REALLY lucky) to the system. 8. Read a terminal device (/dev/ttyXXX) using the "cat /dev/ttyXXX" command, which requires you to own a uid shell of the current user on that ttyXXX, but could be useful in gaining more accounts. The Prophet also had an idea where you would read the ttyXXX until the superuser (using a differnet account) would login, and then you would send him a write message saying something like "I'm Gonna Format Your Winchesters!!!" (as The Prophet would say it...), you could watch him su over to the root account in order to boot you off the system; meanwhile, you are watching him type in the password and all for the su, and you now have root. +-----------------------------------------------------------------------------+ :=[ Appendix ]================================================================: +-----------------------------------------------------------------------------+ 1. The following is a paritial listing of some programs/scripts under the unix operating environment that generally (if not always) have the root superuser uid bit set on them. /bin/chfn /bin/chhd /bin/chsh /bin/mail /bin/passwd /bin/rcp /bin/su /usr/lib/lpd /usr/lib/sendmail /com/sigp /com/xsubs /etc/find_orphans /etc/lpc /etc/lprotect /etc/ping /etc/salacl /etc/suid_exec /etc/syncids /etc/timedc /sys/net/netman /sys/vtserver /usr/bin/login /usr/bin/tb +-----------------------------------------------------------------------------+ :=[ Conclusion & Credits ]====================================================: +-----------------------------------------------------------------------------+ Well, that's pretty much it. I doubt that is even close to all the ideas a great deal of people can come up with for gaining better access to any given unix system, but it is a start. I'd also like to give credit to So76 for getting this list started and The Prophet for his excellent information in "Unix Use And Security From The Ground Up" textfile, great stuff. Till next tyme.... dd/pha +-----------------------------------------------------------------------------+ :=[ Greets & Messages ]=======================================================: +-----------------------------------------------------------------------------+ To all the network hackers out there: Keep up the good work. Yo! To Kryptic Night, PhantasMumble, Pain Hertz, Doc Holiday, Black Death, Killer Korean, M.I.T., Anonymous Anarchist, Brownstone, and anyone else I might have forgotten! +-----------------------------------------------------------------------------+ :=======>> Unholy Temple EEE-light! PHA-HQ/NIA/PHRACK - 000-PRI-VATE <<=======: +-----------------------------------------------------------------------------+ "The future is forever..." + "The future is NOW!" - KL/PHRACK