At the start I knew it was a virtual host and should support PHP, ASP and ASPX.
First I found an FCKeditor. This FCKeditor has no FileManager folder, so I constructed the path /fckeditor/editor/fckeditor.html?Toolbar=default
Clicking Browse Server gives /admin/fckeditor/dialog/select_images.php?F=form1.imgsrc&imgick=big
That address is no file browser; my guess was that the version is a newer one.
Fortunately the server is IIS, so a webshell went up the lazy way via the IIS parsing vulnerability (this version of FCK forbids entering a ".", but there are plenty of ways around that, such as capturing and editing the request or POSTing from a local form).
By chance the directory permissions were not set strictly: the Program Files directory is readable, and the MySQL data directory is inside it (the MySQL data directory may also live elsewhere, for example the root of a drive, the Documents directory, or the Users directory on 2008):
D:/Program Files/MySQL Server 5.0/data/mysql/user.MYD
This file reads as follows:
Too lazy to crack the hash. This hash is rubbish, damn it.
Straight for the server. On the C: drive none of the directories I could list was accessible. I used the aspx shell to read the IIS configuration:
The IP this resolves to looks suspicious. Opened it directly: 199.119.207.222
It is a virtual host management system: N-point Virtual Host Management System.
Went straight from the webshell to the program directory: C:/Program Files/ndianzhuji/npointhost1.9.6/web turned out to be readable, because the directory permissions had not been set.
First read the file C:/Program Files/ndianzhuji/npointhost1.9.6/web/inc/conn.asp. It is actually an Access database, which is depressing.
It is the default database path.
Downloaded the database and read the hostcs table (I flipped through the other tables; nothing useful).
In the servupath table: C:\Serv-U, but that directory is not accessible.
mssqlpass table content:
Response @ response @ LJKJE @ response @ J @ BH @ MILGFMGCHLKFH @ FAL @ MHB @ NNHLD @ reply @ K @ EK @ response @ GCHGHIJHI @ okmbopcpdhh @ HA @ JFMIBKDHCLJEJ @ MEFE @ @ F
mysqlpass table content:
Principal @ KNGOBDEGLLICIFIJIGEJP @ principal @ J @ BH @ MILGFMGCHLKFH @ FAL @ MHB @ NNHLD @ OOAFLMLKBLOEAKFBKIN @ K @ EK @ principal @ AGCEB @ FJIMHKKBCHHIALI @ B
APIpass content:
KGOGKSEEZEX7C4 @ EFGNJIODO @ OOP @ FDCNJJEI @ JI @ O @ FJKOBADCF @ CJIJD @ FHHCFJLEJCLHCDK @ BKFK @ C
All of them are encrypted; to log on you need the plaintext. Since the encryption is reversible, I went on into the source code:
if iishost.EduserPassword("" & rs("mailadminpass") & "", 0) <> trim(request.Form("password")) then
No file defining the EduserPassword function is found anywhere in the WEB directory.
So I thought of the API and downloaded C:/Program Files/ndianzhuji/npointhost1.9.6/isapi/SUBDOMAIN.dll. After a brief analysis, the encryption and decryption algorithm is indeed in there.
But no need to struggle: we don't have to reverse the algorithm, we can just call the ready-made one.
PHP and ASP have no permission on C:/Program Files/ndianzhuji/npointhost1.9.6/web/, but with aspx I found that C:\Program Files\ndianzhuji\npointhost1.9.6\web\host_date is writable.
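The root cause of the readable program directory, the readable MySQL data directory and the writable host_date directory is the ACL on those folders. The following PowerShell audit is an added example, not part of this write-up: it walks the directories named above and reports every allow-ACE that gives a broad, low-privilege principal read or write access. The principal list and the function name Find-BroadAccess are assumptions for this example.

```powershell
# Added example (not from the original post): audit ACLs on the directories
# the post names for read/write access granted to broad principals.
$Paths = @(
    'C:\Program Files\ndianzhuji\npointhost1.9.6\web',          # from the post
    'C:\Program Files\ndianzhuji\npointhost1.9.6\web\host_date', # from the post
    'C:\Program Files\ndianzhuji\npointhost1.9.6\isapi',        # from the post
    'D:\Program Files\MySQL Server 5.0\data\mysql'              # from the post
)
# Assumed list of identities a web application or uploaded script usually runs
# as or belongs to; add the site's real application-pool identity here.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                     'BUILTIN\IIS_IUSRS', 'NT AUTHORITY\NETWORK SERVICE')

function Find-BroadAccess {
    param([string[]]$Path, [string[]]$Principal)
    $read  = [System.Security.AccessControl.FileSystemRights]::ReadData
    # WriteData/AppendData bits are also set by Modify and FullControl
    $write = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { Write-Warning "Missing: $p"; continue }
        $acl = Get-Acl -LiteralPath $p
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            if ($Principal -notcontains $who) { continue }   # -contains is case-insensitive
            $rights = [int]$ace.FileSystemRights
            [pscustomobject]@{
                Path      = $p
                Principal = $who
                CanRead   = (($rights -band [int]$read)  -ne 0)
                CanWrite  = (($rights -band [int]$write) -ne 0)
                Inherited = $ace.IsInherited   # inherited ACEs point at the parent folder's ACL
                Rights    = $ace.FileSystemRights.ToString()
            }
        }
    }
}

# Report only entries that actually expose the folder; an empty result means
# none of the broad principals can read or write these directories.
Find-BroadAccess -Path $Paths -Principal $BroadPrincipals |
    Where-Object { $_.CanRead -or $_.CanWrite } |
    Format-Table -AutoSize
```

Any row with CanWrite on a directory under Program Files, or CanRead on the MySQL data directory, is the condition the post exploited and should be removed from the ACL (or the inheritance broken at the parent).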
For decryption, we construct an asp file as follows:
<%
' Instantiate the host manager's own COM object and call its password routine
Set iishost = Server.CreateObject("npoint.host")
silic = iishost.EduserPassword("Login @ login @ J @ BH @ MILGFMGCHLKFH @ FAL @ MHB @ NNHLD @ OOAFLMLKBLOEAKFBKIN @ K @ EK @ login @ AGCEB @ FJIMHKKBCHHIALI @ B", 0)
Response.Write silic
%>
That decrypts the MySQL password, and in the end yields the MySQL root password yuchenwq and the MSSQL sa password yuchenwq.
Even if his server has all sorts of protection, the highest-privileged MySQL and MSSQL administrator passwords are known, and that still hurts.
I read the registry with aspx and found that port 3389 had been changed to 9918.
The server is so weak that you can try it out if you are interested. But... Be honest
Author: YoCo Smart, from: Silic Group Hacker Army BlackBap.Org