
May the "R00t" be with you...

BSides Cyprus · 2021 · 13:08 · 65 views · Published 2022-06 · Watch on YouTube ↗
Category: Technical · Style: Talk
About this talk
Privilege escalation on systems is a critical risk. On open source systems like *nix it is often difficult to detect, for both the attacker and the defender, mainly because of the volume of data and the large, confusing structure of a *nix system, which resembles a maze. Rootend addresses this: it is an innovative Python enumerator that tries to pinpoint the security vulnerability and either exploits it, automatically obtaining administrator privileges, or locates it and guides the user on how to exploit it. This new Python tool focuses on misconfiguration vulnerabilities on *nix systems in order to obtain admin privileges.
Transcript [en]

Today there are a lot of open source tools like enumerators. I think they are awesome projects; they inspired me to write this tool, but all of them have one main goal: too much output on the screen. So if you are confused when you try to find the vulnerability, the possibility of finding it is very low. Rootend is an open source Python enumerator tool. It specializes in configuration vulnerabilities, not in kernel exploits or outdated software. It uses category modes, which I will explain later. It tries to do pinpoint exploitation, and it uses Python 3 and Python 2. Furthermore, all dependencies are default, and we tested it on a lot of distributions like Voodoo, Debian, CentOS, Arch Linux.

Well, Rootend has two modes, the auto mode and the manual mode. The auto mode tries to find the vulnerability and then tries to exploit it automatically. The manual mode, my favorite, tries to find the vulnerability and then tries to guide you on how to gain root access, something like a tutor, because you can build the mindset of a penetration tester or a CTF player. In those modes there are some subcategories: SUID binaries, weak permissions, weak ownership, capabilities, PHP configuration files, and interesting files. So let's see what they are. SUID binaries: Rootend tries to find general SUID binaries, like strace. If you choose auto mode, it will execute the strace command and you will gain root access. SUIDs for reading files, like ART, like More, like Core, like App. SUIDs for creating files as root. Limited SUIDs like git; it's limited because you should know the version, and some versions are vulnerable. And custom SUID binaries: you can try to find them and then investigate by yourself in order to find if a vulnerability exists, like a PATH environment variable. Weak permissions.

Rootend tries to find the /etc/passwd permissions, /etc/shadow, the Apache configuration file, the httpd configuration file if the victim is a CentOS distribution, the Redis configuration if the victim uses a Redis database, and the root directory. Weak ownership: the same objects here. In this subcategory Rootend tries to find if the user or the group are not the default.

Capabilities: general capabilities, custom capabilities, and then capabilities with the cap_setuid option. PHP configuration files: personally, it's my favorite section of Rootend. This functionality tries to find the configuration files. For example, when you play a CTF or you do a penetration test and gain access from a web application, the first thing you try to do is to find the PHP configuration file in order to find the credentials of the database and gain access to the database. So this functionality has default PHP configuration files of famous frameworks, like WordPress (wp-config), Joomla, Drupal and others, and a variety of custom PHP configuration files from my experience; I added a list with a lot of names. And interesting files, like fully writable files and custom interesting hidden files. Well, let's see the demo. One minute, please.

I have some videos of Rootend here. Well, in the first video we can see that Rootend uses manual mode and the SUID subcategory. First of all, it tries to find some information about the victim, for example which user I am, the type of shell I have, which is the home directory, and then it tries to find the interesting SUID binary. It found the cat, then guides us to run this command in order to find the private RSA key and get root access. Okay.

In the next video we can see that Rootend tries manual mode again, a full manual mode, and finds a lot of things, like an interesting SUID binary like strace. It wants you to run strace and take a look and gain root access. Then it found an ownership misconfiguration on /etc/passwd and guides you to run this command, and then you will add a new user to /etc/passwd with the following credentials: superuser, password 1324. Accessing the root directory, because the permissions of the root directory are weak. And it found a PHP configuration file with those credentials, and found another writable file, because it is the same file.

As we can see, Rootend tries to find any vulnerability.

In the next video we tried to find the ownership.

Rootend uses manual mode again and the weak subcategory. In this category it found that /etc/passwd doesn't have the default credential. Rootend advises us to use this command. As you can see, I think, can you see this on the video? Okay, we use this command and then we escalate to superuser and we are root, as we can see. Okay, as we can see here.

My favorite functionality: Rootend tries to find the credentials. It's important here because the PHP configuration file may be in a folder that we don't know and the server has a lot of files. We can run Rootend and find exactly the credentials, like here. The credentials of the database are admin, password, etc.

In the next video we can see that Rootend tries auto mode with SUID binaries, tries to find the vulnerability in SUID binaries and then opens the shell as root, as you can see. It found strace and then executed it.

Okay. In this video we can see that Rootend uses manual mode with the subcategory SUID. Then it tries to find a SUID and then advises us to run the following command. Okay, and we gain the permissions, root privileges.

And in the last video we can see that Rootend uses auto mode with the subcategory. And we can use superuser and the following credentials. And again, root access.

Okay. And we are here. So a lot of people ask me, can I use Rootend on a PVEK exam? So I think you can use the manual mode and not the auto mode. I think, I don't think so. The manual mode, I think you can use it, because it's not auto exploitation; it's an advisor on how to exploit them. I know people who used Rootend on a SEP exam and it was okay.

And this is okay. You can find Rootend here. It was a main presentation about the tool. This version, 2.0.2, is live on GitHub. I hope you like it. And last but not least, it is what it is, boys. Thank you very much. Thank you, Cyprus.
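To make the misconfiguration classes from the talk concrete from the defender's side (unexpected SUID binaries, weak permissions and ownership on /etc/passwd, /etc/shadow and the root directory, PHP configuration files holding credentials that other users can read, and file capabilities such as cap_setuid), here is an added audit script that reports such findings so they can be fixed. It is example code written for this page, not Rootend's own code; the baseline modes, the expected-SUID allowlist, the PHP config file names, the capability list, the walked directories and the sample inventory are all assumptions constructed for the example.

```python
"""Audit checks for *nix privilege-escalation misconfigurations.

Added example; the path lists and baselines here are assumptions of this
example, not Rootend's own code or lists.
"""
import os
import re
import stat
from typing import Dict, List, Tuple

# Assumed baseline (owner uid, maximum permission bits) for sensitive objects.
SENSITIVE: Dict[str, Tuple[int, int]] = {
    "/etc/passwd": (0, 0o644),
    "/etc/shadow": (0, 0o640),
    "/etc/apache2/apache2.conf": (0, 0o644),
    "/etc/httpd/conf/httpd.conf": (0, 0o644),
    "/etc/redis/redis.conf": (0, 0o640),
    "/root": (0, 0o700),
}
# Binaries that ship with the setuid bit on most distributions (assumed allowlist).
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/gpasswd",
}
# PHP configuration file names that commonly hold database credentials (assumed).
PHP_CONFIG_NAMES = {"wp-config.php", "configuration.php", "settings.php",
                    "config.php", "database.php"}
# Capabilities that let a process change uid/gid or bypass DAC checks (assumed).
RISKY_CAPS = {"cap_setuid", "cap_setgid", "cap_dac_override"}

Record = Tuple[str, int, int, int]  # (path, st_mode, st_uid, st_gid)


def audit_record(path: str, mode: int, uid: int, gid: int) -> List[str]:
    """Return human-readable findings for one filesystem object."""
    findings: List[str] = []
    perm = stat.S_IMODE(mode)
    baseline = SENSITIVE.get(path)
    if baseline is not None:
        want_uid, max_mode = baseline
        if uid != want_uid:
            findings.append(f"{path}: owned by {uid}:{gid}, expected uid {want_uid}")
        if perm & ~max_mode:
            findings.append(f"{path}: mode {perm:04o} exceeds baseline {max_mode:04o}")
    elif perm & stat.S_IWOTH and not stat.S_ISLNK(mode):
        # World-writable directories with the sticky bit (e.g. /tmp) are by design.
        if not (stat.S_ISDIR(mode) and perm & stat.S_ISVTX):
            findings.append(f"{path}: world-writable ({perm:04o})")
    if stat.S_ISREG(mode) and perm & (stat.S_ISUID | stat.S_ISGID):
        if path not in EXPECTED_SUID:
            findings.append(f"{path}: unexpected setuid/setgid bit ({perm:04o})")
    if os.path.basename(path) in PHP_CONFIG_NAMES and perm & stat.S_IROTH:
        findings.append(f"{path}: PHP config readable by other users ({perm:04o})")
    return findings


def audit(records: List[Record]) -> List[str]:
    out: List[str] = []
    for path, mode, uid, gid in records:
        out.extend(audit_record(path, mode, uid, gid))
    return out


def parse_getcap(output: str) -> List[str]:
    """Flag risky file capabilities in `getcap -r /` output.

    Accepts both the older "path = cap_x+ep" and newer "path cap_x=ep" layouts.
    """
    findings: List[str] = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        if " = " in line:
            path, caps = line.split(" = ", 1)
        else:
            parts = line.rsplit(" ", 1)
            if len(parts) != 2:
                continue
            path, caps = parts
        names = re.split(r"[+=]", caps, maxsplit=1)[0]
        for cap in sorted(RISKY_CAPS.intersection(c.strip() for c in names.split(","))):
            findings.append(f"{path}: {cap} grants uid/gid change or DAC bypass")
    return findings


def collect_records(roots=("/etc", "/usr/bin", "/root", "/var/www")) -> List[Record]:
    """Walk the live filesystem (run as root for full coverage; roots are assumed)."""
    records: List[Record] = []
    for root in roots:
        try:
            st = os.lstat(root)
        except OSError:
            continue
        records.append((root, st.st_mode, st.st_uid, st.st_gid))
        for dirpath, dirnames, filenames in os.walk(root):
            for name in dirnames + filenames:
                p = os.path.join(dirpath, name)
                try:
                    st = os.lstat(p)
                except OSError:
                    continue
                records.append((p, st.st_mode, st.st_uid, st.st_gid))
    return records


# Constructed sample inventory (not from a real host) covering each finding class.
SAMPLE_RECORDS: List[Record] = [
    ("/etc/passwd", stat.S_IFREG | 0o666, 0, 0),                     # world-writable
    ("/etc/shadow", stat.S_IFREG | 0o640, 1000, 42),                 # wrong owner
    ("/usr/bin/passwd", stat.S_IFREG | stat.S_ISUID | 0o755, 0, 0),  # expected SUID
    ("/usr/bin/strace", stat.S_IFREG | stat.S_ISUID | 0o755, 0, 0),  # unexpected SUID
    ("/root", stat.S_IFDIR | 0o777, 0, 0),                           # weak root dir
    ("/tmp", stat.S_IFDIR | stat.S_ISVTX | 0o777, 0, 0),             # fine: sticky bit
    ("/var/www/html/wp-config.php", stat.S_IFREG | 0o644, 33, 33),   # readable config
    ("/var/www/html/index.php", stat.S_IFREG | 0o644, 33, 33),       # fine
]
SAMPLE_GETCAP = "/usr/bin/ping cap_net_raw=ep\n/usr/bin/python3 = cap_setuid+ep\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_RECORDS) + parse_getcap(SAMPLE_GETCAP):
        print(finding)
    # On a real host: audit(collect_records()) and parse_getcap(getcap -r / output)
```

Run stand-alone it reports five findings for the constructed inventory (the writable /etc/passwd, the mis-owned /etc/shadow, the setuid strace, the open /root and the readable wp-config.php) plus the cap_setuid on python3, while leaving the sticky-bit /tmp and the stock setuid passwd alone; each finding maps directly to a chown/chmod or setcap -r fix.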