+---------------------------------------------------------------------------+
 :PHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHA:
 :pha+-------------------------------------------------------------------+pha:
 :PHA:             Phreakers/Hackers/Anarchists Present:                 :PHA:
 :pha:  =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=  :pha:
 :PHA:  +=+      Gaining Better Access On Any Unix System           +=+  :PHA:
 :pha:  =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=  :pha:
 :PHA:  Written By Doctor Dissector ([email protected]) UPDT: 1/8/91  :PHA:
 :pha+-------------------------------------------------------------------+pha:
 :PHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHA:
 +---------------------------------------------------------------------------+

+-----------------------------------------------------------------------------+
:=[ Disclaimer ]==============================================================:
+-----------------------------------------------------------------------------+

The author and the sponsor group Phreakers/Hackers/Anarchists will not be held
    responsible for any actions done by anyone reading this material before,
    during, and after exposure to this document. This document has been
    released under the notion that the material presented herin is for
    informational purposes only, and that neither the author nor the group
    P/H/A encourage the use of this information for any type of illegal
    purpose. Thank you.


+-----------------------------------------------------------------------------+
:=[ Introduction ]============================================================:
+-----------------------------------------------------------------------------+

Hello there again. Well, I just recently started getting back into the hacking
    mode of things, and decided to throw together a quick-reference type of
    deal on how to get better access on any unix driven system. Unix, in my
    opinion is the best operating system out today for all-purpose use, and
    is probably the most widely used operating system currently in use as
    well. Anyway, the ideas in this document are probably far from original,
    but are re-stated together in order to help devise new strategies for
    cracking unix. Also note that this is not for novices, I will constantly
    refer back to topics which are generally well known throughout unix
    users, so don't expect me to elaborate. Enjoy...

+-----------------------------------------------------------------------------+
:=[ General Unix Hints ]======================================================:
+-----------------------------------------------------------------------------+

1. If you have write priv's to a directory but don't have write priv's to a
    file in that directory, copy the file over to another directory, delete
    the original file, modify your copy of the file to your tastes, and
    recopy it back into the original directory. Example:

        cp /canthack/cantwriteme /usr/mydir/gnuversion
        rm /canthack/cantwriteme
        mv /usr/mydir/gnuversion /usr/mydir/cantwriteme
        cat /bin/sh > /usr/mydir/cantwriteme
        cp /usr/mydir/cantwriteme /canthack

2. If you have read access to a file but can't copy it due to directory read
    restrictions, you can still cat it into another file in another directory.
    Example: "cat cantcopyme > /usr/mydir/IcopiedYOU!".

3. Always touch files up after you modify them so the date/time stamp is
    the same/close to what it was before you modified it. This is done by
    using the command "touch HHmmMMdd " where HH=hour, mm=minute,
    MM=month, and dd=day.

+-----------------------------------------------------------------------------+
:=[ Gaining Better Access On A Unix ]=========================================:
+-----------------------------------------------------------------------------+

1. Grab /etc/passwd, you might be able to get an account that will put you in
    a better position using password crackers; just having the list of users
    puts you ahead if the password file is shadowed.

3. Use the command:

    find / -perm -4000 -exec /bin/ls -lad {} ";"

    It will show you all files with the UID bit set. You can then attempt to
    create a shell with root/another user's uid priv's or modify them,
    depending on what file priv's are set on them.

3. Check for write priv's to /usr/lib directory and /usr/lib/crontab file.
    The /usr/lib/crontab file will execute certain commands at specific
    times under the uid of root. If you don't know much about this file, I
    advise you to stay away from it.

4. Check for write priv's to /usr/spool/crontabs directory and any crontab
    files in that directory; since these scripts are run under the uid bit
    of each listed user, if you could edit the root or other important
    user's cron script, you might put yourself in a better position.

5. Check for write priv's to scripts/programs executed BY the /usr/lib/crontab
    script or the scripts in /usr/spool/crontabs directory. If you could
    modify a program/script used by these cron scripts (backdoor... eh?)
    you could easily better your position on the system.

6. Check for write priv's to /bin, /usr/bin, /etc, /usr/lib, and any other
    important directories with binaries or scripts owned by root or other
    imporant users on the system, or just plain used a heck of a lot by
    the users on a particular system. You might be able to modify certain
    files (backdoors, etc) in order to better your position on the system.

7. Use a trojan. Some unix systems have faults in that a user who hangs up in
    the middle of a connection will not be logged out of the system, and the
    next person to log onto the system under the same tty will be placed into
    that user's shell. You can create a trojan program simulating normal
    login (many have been described by Shooting Shark and others) to gain
    passwords (possibly root if you are REALLY REALLY lucky) to the system.

8. Read a terminal device (/dev/ttyXXX) using the "cat /dev/ttyXXX" command,
    which requires you to own a uid shell of the current user on that ttyXXX,
    but could be useful in gaining more accounts. The Prophet also had an
    idea where you would read the ttyXXX until the superuser (using a
    differnet account) would login, and then you would send him a write
    message saying something like "I'm Gonna Format Your Winchesters!!!"
    (as The Prophet would say it...), you could watch him su over to the
    root account in order to boot you off the system; meanwhile, you are
    watching him type in the password and all for the su, and you now have
    root.

+-----------------------------------------------------------------------------+
:=[ Appendix ]================================================================:
+-----------------------------------------------------------------------------+

1. The following is a paritial listing of some programs/scripts under the unix
    operating environment that generally (if not always) have the root
    superuser uid bit set on them.

    /bin/chfn                          /bin/chhd
    /bin/chsh                          /bin/mail
    /bin/passwd                        /bin/rcp
    /bin/su                            /usr/lib/lpd
    /usr/lib/sendmail                  /com/sigp
    /com/xsubs                         /etc/find_orphans
    /etc/lpc                           /etc/lprotect
    /etc/ping                          /etc/salacl
    /etc/suid_exec                     /etc/syncids
    /etc/timedc                        /sys/net/netman
    /sys/vtserver                      /usr/bin/login
    /usr/bin/tb

+-----------------------------------------------------------------------------+
:=[ Conclusion & Credits ]====================================================:
+-----------------------------------------------------------------------------+

Well, that's pretty much it. I doubt that is even close to all the ideas a
    great deal of people can come up with for gaining better access to any
    given unix system, but it is a start. I'd also like to give credit to
    So76 for getting this list started and The Prophet for his excellent
    information in "Unix Use And Security From The Ground Up" textfile,
    great stuff. Till next tyme....
                                                    dd/pha

+-----------------------------------------------------------------------------+
:=[ Greets & Messages ]=======================================================:
+-----------------------------------------------------------------------------+

To all the network hackers out there: Keep up the good work.

Yo! To Kryptic Night, PhantasMumble, Pain Hertz, Doc Holiday, Black Death,
    Killer Korean, M.I.T., Anonymous Anarchist, Brownstone, and anyone else
    I might have forgotten!

+-----------------------------------------------------------------------------+
:=======>> Unholy Temple EEE-light! PHA-HQ/NIA/PHRACK - 000-PRI-VATE <<=======:
+-----------------------------------------------------------------------------+
         "The future is forever..." + "The future is NOW!" - KL/PHRACK