A difficult journey to penetrate a space Server

Text/figure by ICE (still) from: http://www.xiutai.com/

Repost a biased article from a good friend and post it with an XFile

Recently, I acted as a sales representative for a space server, mainly responsible for space sales. The Space Provider was very confident in his server and said that the average person could not break through his server, even if a virtual machine is uploaded to webshell, it will not affect other virtual directory customers, that is, there is no cross-site intrusion. At that time, I was just "oh. If you have nothing to worry about today, let's take a look at how safe his server is. Anyway, I am just a common person. It doesn't matter if you do not break the attack. ^_^!

1. Get server information and imagine the idea of intrusion

First, let's take a look at the services he has opened, and take out a scanner to scan which services he has opened. Set the port range to 1-6000. In a short time, I will finish scanning (1, only web, FTP, and MySQL are enabled. The last port 5921 does not know what it is. The web is built with iis5.0, and it should be Win2000 and SP4. No matter how many MySQL connections, try MySQL with a weak password and use the MySQL Connection Tool of the cattle family. The IP address is 61. XX. xxx. XXX: the user is root, and the password is empty. Click start to connect and press the button. As expected, the connection failed and MySQL was not connected through Telnet, I don't know what version it is, but I heard from the Space vendors that it is the latest version. There is no overflow. It is likely that a strong password is added, and brute force cracking is useless. It seems that I cannot start with MySQL, SERV-U is also the latest version, no overflow, even if there is overflow also need to get ftp user and password. Not to mention IIS, the patches must be installed, and WebDAV overflow will not occur. In fact, another method is to create a user and password dictionary and load it to X-scan or other scanning tools for a wide range of FTP weak password scans, But I know, now his server is just built, and there are not many customers in it. This is part of everyone's haystack, so he will not do these fearless jobs. Now, the most practical thing is to create a webshell in a virtual space on the server, and then improve the permissions.

Ii. Difficulties after obtaining webshell

First, let's see how many domain names are bound to his server, and then find a website with injection to upload webshell. In this case, enter the IP address of the server in the virtual host Site query tool of Guilin veterans, and click "Domain Name quantity". The result will be displayed in a short time (2 ), dizzy, there are eight international domain names. It seems that the second-level domain names in the trial space cannot be displayed, but they can be searched one by one, so they opened a webpage casually, I took a look at it. I used dvbbs7.0, But I didn't even play SP2, And I didn't beautify it. Hey, it looks like a space user is testing a space, so I uploaded a dvbbs casually, check if he has changed the default password and user. enter Admin in the user name and set the password to admin888. Then, log on to the system. Haha, I didn't expect it to come in. Check if the background password has been changed, input _ index. ASP "target = _ blank> quit (3), which may be the admin Admin Administrator permissions. It seems that only webshell is obtained through the dvbbs vulnerability. Hey, he didn't play SP2, and he should not make up the well-known bugs of dvbbs. For convenience, I will try using the dvbbs Upload Vulnerability, upload a webshell. Here I use the vulnerability exploitation tool of Guilin veterans and fill in the upfile in the submission address. ASP file address, usually in/upfile. ASP: Change the default file name in the upload path. If iis5.0 is used on the server, select "HTTP/1.0" in the Protocol version. If iis6.0 is used, select "HTTP/1.1" and click "Browse" to find the file you want to upload. You do not need to change any other file. Then Click Upload File button. Haha, it was really successful (4), but it was too early to use any command in webshell. Isn't FSO supported? It's impossible. I can use the forum. How can I not support FSO? It seems that the BT permission must be configured. The webshell function is too small. I still need to upload a Marine ASP Trojan to see if it's okay not to upload it, after uploading the file to my next hop, I did not respond to any commands on the FSO-free page. This is not only because I cannot even see the contents of the local directory on the FSO support page (5 ), c, D, and E disks cannot be accessed. I am a bit skeptical about whether the space actually supports the FSO component, not to mention cross-site intrusion. It is not easy to change anything in my own virtual directory (because I cannot see the files and paths in the directory ), it seems that there is really no hope. We can only say that the Space Provider is too Bt. To be honest, such servers in China are really rare. Just give up? I feel a little unwilling to continue the penetration? How can this problem be solved? When I look at the table, it will soon be, because the school will limit the power of the dormitory from to, and only one fluorescent lamp can be opened. I don't want to burn the CPU. Isn't it a loss of money? Let's talk about it tomorrow. So I went to bed with my computer and had a good dream that night. I dreamed that I had obtained the highest server permission ^ _ ^, so I felt very confident when I got up early the next day, I feel that I can break through the permissions. I started the machine and went to QQ. I received an ASP Trojan horse in a group on QQ. I found it was an ASP webmaster's assistant 6.0, and it was also a work of Guilin veterans. I suddenly thought that the ocean ASP Trojan could not work, uploading the ASP webmaster assistant 6.0 may be better, so I uploaded the ASP webmaster assistant 6.0 with a try. I did not expect it to be better than the ocean ASP Trojan, at least you can see the files and directories in the current directory. Try to see if you have the permission to delete the files in this virtual directory (6). It is so dizzy that you have no permission to delete the files, after my tests, I can only add and modify files, and only operate in my own virtual directory. For example, the path of my current virtual directory is E:/web/AAA, you can only access the files in the AAA directory, and you do not have the permission to browse the Web directory. This is not limited to the fact that you do not have the permission to execute the files in your own virtual directory, that is to say, you cannot use webshell to execute the uploaded files, so that even if you upload a local overflow program in your own virtual directory, it cannot be executed.

Iii. Find Breakthrough points

I didn't expect the IIS permission configuration to be so Bt. Now the only way is to find a directory that can be executed and write files, but the permission configuration is so BT, it is really difficult to find such a directory, maybe none, but in general C:/winnt I want to be able to access and browse the Directory and files in it, because iis5.0's Internet guest accounts generally have the guests permission, while the WINNT directory gives the guests permission to read, run, and list folder directories, that is, they cannot write data. If the WINNT directory does not grant this permission, some services in the system cannot run normally, so we should look for a breakthrough point in C:/WINNT, that is, there may be a directory that can be written, first try to read files, enter "C:/winnt" (7) in the "Address Bar" of the ASP webmaster assistant. You can view files and folders, that is, you cannot write files, now you need to find a directory that can be written and executed, and then upload a local overflow program to obtain the Administrator permission for local overflow. However, there are so many folders in the WINNT directory. How can I find them? When can I find them one by one? After a bit of meditation, I suddenly thought that the IIS folder, that is, will there be such a directory in the C:/winnt/system32/inetsrv directory? Because the Internet Guest Account of IIS is likely to call some files in the inetsrv directory or load files, this requires that you have the write permission, so you can immediately access C: the/winnt/system32/inetsrv directory contains a data directory, so I tried to create a file in it, in the ASP webmaster assistant, click "new text" on the left to upload the notebook to the C:/winnt/system32/inetsrv/data directory, and then click "command line module" on the left ", enter C:/winnt/system32/inetsrv/data/example in the "shell path:" at the bottom to run the command, while cmd.exe of C:/winnt/system32/has no execution permission. Restrictions: Bt Space Provider canceled the permission of the guest user. after entering the permission, enter the ipconfig/all command on the "execute" button to see if the command can be executed (9). Haha, it was a success, and suddenly the dawn of victory was shining in front of me.
4. Improve permissions and fix bugs

I want to raise the permission now, but I heard from the Space Provider that he has completed all the local overflow vulnerabilities in SP4, and even some new ones have been completed recently, so I am not here to do these useless things a waste of time, with social engineering feel unnecessary, by the way, try the SERV-U of the Local Privilege Escalation tool, with my hunch should be OK, because I heard that the SERV-U5.2 user and password still haven't changed, should there be such a vulnerability? Okay, nonsense not much said, to try, with ASP webmaster assistant upload SERV-U That overflow program, upload to the data directory, and then overflow, the command is: serv-U "command to be executed". For example, if you want to create a Yibing user, enter Serv-U "Net user Yibing/Add" quit, I found that port 5921 is the port of the terminal. Due to space reasons, I will no longer connect to the terminal. after entering the terminal, I created a TXT file on the Administrator's desktop, I wrote a few words and woke up.
Now I have obtained the administrator privilege. Because it is my own server, I will fix these two bugs. First, I will set C: /winnt/system32/inetsrv/data can be deleted from the everyone directory, so that the file cannot be written. The everyone permission means that all users only need to add this permission, whether it's administrative or guests permissions, are included in the Everyone permissions, and then is to fix the SERV-U bug, here I am using a tool developed in the hidden whale pavilion, the usage is very simple, click "select" and select the directory where the SERV-U is located, and then change the fatal port in the first line "Management port, in the following "management account" to change the administrator user in the SERV-U, here to pay attention to, the length must be 18 characters, if the password is too long or too short, an unexpected error may occur. The following "management password" should also be changed. The length must be 14 characters, after filling in the modified content, click the "modify" button below. If the modification is successful, a dialog box is displayed, Be sure to switch off all the processes and services of the SERV-U before modifying it!

V. Summary

According to the ice test, through this method intrusion, I overnight to deal with four space servers, basically iis5.0 + SERV-U, there is a webshell can be done, because this is the default configuration permission of Win2000 and is in the system directory, there is generally no administrator to configure it. I hope you will pay more attention to network security in China. Well, come here. If you have any errors or do not understand in this article, please visit the official XFile forum to discuss with me. (Related programs have been included)