Analysis of one n-point virtual host privilege escalation

Source: Internet
Author: User

Lostwolf

In short: of all the directories that could be browsed, only the site's own directory was writable.
The server supports ASP.NET, and iisspy could be used on it (the box belonged to an IT teacher who had recently started selling hosting space). Digging the sa and root passwords out of the server directly looked hopeless.
Through iisspy I noticed a slightly unusual web port, 8080, which turned out to be the n-point management platform. A serious vulnerability in it was published a while ago and is probably familiar to everyone, but that vulnerability requires the n-point administrator password.
I did not have the administrator password, and I could already get server permissions without it, but I still very much wanted to get into the management backend, to add a few virtual hosts and so on.
Since I could reach the n-point management platform directory directly, I modified a login statement and got in. Poking around blindly is not much fun. (Afterwards, reading the code carefully, I found that the platform hands over server permissions directly, not merely management as officially advertised; the management page itself cannot obtain service permissions.) So I went with the most effective method: download the n-point management platform's database. The sa password and the root password were found in its data.
Host passwords:
The passwords are stored with a custom, non-standard encryption, for example: JATEA@IOCBGMIBHDKCPCJIDNJFFCEF@KDNFMLOOMILHL@E

The decryption method is as follows:
<!--#include file="inc/conn.asp"-->
<!--#include file="inc/siteinfo.asp"-->
<!--#include file="inc/char.asp"-->
<%
' Instantiate the platform's own COM object and call its decryption routine
Set iishost = Server.CreateObject("npoint.host")
x = iishost.Eduserpassword("JATEA@IOCBGMIBHDKCPCJIDNJFFCEF@KDNFMLOOMILHL@E", 0)
Response.Write x
%>

Save this as any file ending in .asp in the web directory and then open it in a browser.

Replace the string passed to Eduserpassword with the password you need to decrypt.

With sa and root in hand, escalating privileges is no trouble at all.

To see why this decryption statement works, take a look at the platform's relevant code.

This is the original statement:
If iishost.Eduserpassword("" & rs("FTPpass") & "", 0) <> Trim(Request.Form("password")) Then
It decrypts the encrypted string from the database and then compares it with the characters the user entered. Because the decryption routine is exposed through the npoint.host COM object, any ASP page on the server can call it in the same way against any value pulled from the database.

In fact, looking at the backend database, many of the password fields, sa and root among them, are stored in plain text, so the decryption was just a detour.
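The two points above, a login check that decrypts the stored value and compares it with the submitted password, and a database that any caller of the decrypt routine can turn back into plaintext, are illustrated here side by side with a hardened version. This is an added example, not code from the original post or from the n-point platform; the real Eduserpassword algorithm is not on the page, so a toy XOR scheme with a constructed key stands in for it, and the host table rows are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Stand-in for the platform's reversible password encryption. The real
# npoint.host Eduserpassword routine is not on the page, so this toy
# XOR-with-fixed-key scheme is an assumption; it only has to share the one
# property that matters here: whoever can call the decrypt routine gets the
# plaintext back.
_DEMO_KEY = b"npoint-demo-key"  # constructed key for the stand-in, not a real one


def reversible_encrypt(plaintext: str) -> str:
    """Encrypt with the stand-in scheme; returns an uppercase hex string."""
    data = plaintext.encode()
    out = bytes(b ^ _DEMO_KEY[i % len(_DEMO_KEY)] for i, b in enumerate(data))
    return out.hex().upper()


def reversible_decrypt(stored: str) -> str:
    """The 'Eduserpassword(stored, 0)' equivalent: undo the stand-in scheme."""
    data = bytes.fromhex(stored)
    out = bytes(b ^ _DEMO_KEY[i % len(_DEMO_KEY)] for i, b in enumerate(data))
    return out.decode()


def reversible_login(stored: str, submitted: str) -> bool:
    """Mirror of the platform's check: decrypt the DB value, compare with the form input."""
    return reversible_decrypt(stored) == submitted.strip()


def dump_plaintexts(rows):
    """What anyone holding the database and the decrypt routine can do:
    recover every stored password in one pass."""
    return {user: reversible_decrypt(enc) for user, enc in rows}


def hashed_record(plaintext: str, iterations: int = 200_000) -> str:
    """Hardened storage: salted PBKDF2-HMAC-SHA256; nothing stored here can be reversed."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", plaintext.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def hashed_login(stored: str, submitted: str) -> bool:
    """Hardened check: re-derive from the submitted password and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", submitted.strip().encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed sample of a dumped host table: (username, stored password).
SAMPLE_HOSTS = [
    ("site01", reversible_encrypt("ftp-pass-01")),
    ("site02", reversible_encrypt("ftp-pass-02")),
]

if __name__ == "__main__":
    print("leaked:", dump_plaintexts(SAMPLE_HOSTS))
    rec = hashed_record("sa-secret")
    print("hashed login ok:", hashed_login(rec, "sa-secret"))
    print("hashed login wrong:", hashed_login(rec, "guess"))
```

The reversible variant reproduces the page's situation: the check itself is correct, but the same routine that makes the check work also turns the whole table into plaintext for anyone who can instantiate it. The hashed variant keeps a working login check and has no decrypt routine to expose, which is the property a management platform holding sa and root credentials needs.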

Default database path: host_date/%23host%20%23%20date%23.mdb (URL-decoded: host_date/#host # date#.mdb; the # characters in the file name would be read as a URL fragment, which is why the path is written percent-encoded).
