nickola / web-console

Simple web-based shell in your browser (outdated)
https://nickola.ru/projects/web-console

how to become root? #6

Open alanford2015 opened 9 years ago

alanford2015 commented 9 years ago

Hi, I used the username root and password but I got $ instead of #. So I am not root, I can't even log in to my /var/www folder and I can't change permissions, etc. What is the purpose of webconsole if I am just a user and not admin?

I wanted to use webconsole because suddenly my VPS refuses port 443, therefore I can't use shell in a box to administer my VPS. I wanted to see what the problem is.

cdpb commented 9 years ago

I'm not involved in this project but maybe I can help you anyway.

So what port is actually open? Only 80 ?

As long as you only have a stupid firewall that doesn't do something like DPI, you can use shell in a box or native ssh on every port, even port 80.

Anyway it's too clever to use webconsole on an unencrypted protocol like HTTP, I'm not sure how the transfer of data will be secured... supposable MD5 cipher

EDIT: Line 558 says SHA256 ...

    // Authentication
    private function password_hash($password) {
        return hash('sha256', trim((string) $password));
    }

deancn commented 9 years ago

When I "su - root", it tells me "standard in must be a tty" .....

hexmaster111 commented 9 years ago

Try "sudo -u root bash"

That should start a bash instance as the user root.

markim commented 8 years ago

So in order to be able to run the "SUDO" command, you have to add the PHP program that is executing the commands to the sudoers file, and ask that it not be asked for a password. The ramifications of this: if an attacker is able to upload a PHP file to your server, they will be able to run sudo commands without a password.

First edit the sudoers file:

    sudo nano /etc/sudoers

Then add the PHP program and specify no password at the bottom of the file:

    www-data ALL=(ALL) NOPASSWD: ALL

Here's an example of getting sudo to work, and showing the file above: sudo on web-console

Edit: A follow-up is that this may mess with any web applications you have installed. For example, I have phpBB forums installed. When I added this line, it took away www-data permissions from my /forum folder and gave me 500 errors when I tried to browse the forum. I was able to fix my forum issue by chown'ing the www-data user for the /forum folder.

jnvsor commented 7 years ago

As @markim said, the console executes as the webserver user. Adding that user to sudoers is a bad, bad idea.
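
An added example, not part of the thread or of the web-console project: a small audit that flags sudoers rules granting passwordless sudo to a web server account, such as the `www-data ALL=(ALL) NOPASSWD: ALL` line discussed above. The account list, the function name `audit_sudoers` and the sample file are assumptions made for illustration.

```python
import re

# Assumption: account names commonly used by web servers and PHP workers.
WEB_ACCOUNTS = {"www-data", "apache", "nginx", "httpd"}

# user list, host list, then everything after "=" (runas, tags, commands)
RULE = re.compile(r"^(?P<who>[^=]+?)\s+(?P<host>\S+)\s*=\s*(?P<rest>.+)$")

def audit_sudoers(text, accounts=WEB_ACCOUNTS):
    """Return (account, severity, rule) for NOPASSWD rules given to web accounts.

    Simplified: tags are treated as applying to the whole rule, aliases are
    not expanded, and #include/#includedir files must be audited separately.
    """
    findings = []
    text = text.replace("\\\n", " ")               # join continuation lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        m = RULE.match(line)
        if not m:
            continue
        spec = re.sub(r"\([^)]*\)", "", m["rest"])  # drop (runas) lists
        if "NOPASSWD:" not in spec:
            continue
        cmds = re.sub(r"\b[A-Z_]+:", "", spec).split(",")
        unrestricted = any(c.strip() == "ALL" for c in cmds)
        severity = "critical" if unrestricted else "review"
        for name in m["who"].split(","):
            name = name.strip().lstrip("%")        # %group entries count too
            if name in accounts:
                findings.append((name, severity, line))
    return findings

# Constructed sample; the www-data line is the one quoted in the thread.
SAMPLE = """\
# constructed sudoers sample
Defaults env_reset
root ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: ALL
deploy, apache ALL=(root) NOPASSWD: /usr/sbin/service apache2 reload, \\
    /usr/bin/systemctl reload nginx
%nginx ALL=(ALL) ALL
"""

if __name__ == "__main__":
    for account, severity, rule in audit_sudoers(SAMPLE):
        print(f"[{severity}] {account}: {rule}")
```

A "critical" finding means any code running as that account, including an uploaded PHP file, can become root without a password; "review" marks passwordless rules limited to specific commands.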