Author: enterer
Author's blog: www.enterer.cn
Please retain this notice when reprinting.
Latest 0-day
http://www.virusest.com/post/57.html
Now for how the shell was obtained.
The default admin back end is admin/login.asp.
I entered the back end and saw that database backup is available. Good, it will be used later.
First I looked for the upload location and found it, then tried uploading an .asp file... Of course, it failed.
Then I tried the latest IIS parsing vulnerability. It worked, and the small webshell ("pony") was uploaded.
After that, the large webshell ("dama") went up without a problem.
Elevation of Privilege:
CMD can be executed, so I tried the SU (Serv-U) search method.
Failed.
Next I tried Brazilian barbecue. Sigh, it was already there.
The upload reported a type mismatch. No matter, the upload actually succeeded, but the file was then found to have been killed. Finally, I failed to escalate privileges with a kill-free account, so this approach does not work.
Now let's take the steady route and collect information first (SU and Brazilian barbecue usually fail first, and then the chance of escalating privileges is relatively small). We found that only the D drive and the website root directory can be accessed, and there is nothing usable there. There is a Winmail, but it cannot be written to, and the C drive cannot be entered, so replacing files is probably not possible. (It was later found that several folders on the C drive can still be accessed.)
Let's look at the SU version; it can be used if the version is low. Very good. There are many methods.
So let's check whether the SU on the D drive is the one actually running (I have seen four or five SU folders on a single server, sigh). The version number matches, so this is confirmed to be the right one.
I tried to use the unauthorized password to create an account. I tried to download ServUDaemon.exe directly, but that failed, so I copied it to the website root directory (by the way, ServUDaemon.ini has no write permission).
Then I used the software to look up the password.
A good password, so I was excited to escalate privileges... The result was failure. It seems the permission has been revoked (SU is enabled by default), so I turned to ServUDaemon.ini to look for an account that could be cracked, intending to then use the SU 0-day to give it full control over the C drive (later I realized that since the SU software's own permissions have been downgraded, it is useless even if the account has higher permissions). I went through ServUDaemon.ini to the end (the MD5 hashes failed one by one...) and found, sigh, the account with SU system permissions that I had just created using SU_FTP.
I connected directly using the cmd ftp client, and the connection succeeded.
I ran the privilege escalation command again. The prompt said "successful", but the result was still unsuccessful... Speechless.
Finally, full control permission for the D drive was added. (dir on the C drive cannot list directories.) The soft folder is writable, so I uploaded a trojan and ran:
dir
cd c:\soft
quote site exec 1.exe
It did not come online... So I uploaded net.exe to the soft folder.
quote site exec net.exe user enterer123456/add
Although the echoed output reported success, it actually failed, so I decided to give up here.
This article is mainly about a failed SU privilege escalation. Although it failed, it still offers some ideas, and I hope everyone gains something from it. There may be some confusion and errors in this article. I hope you can forgive me.
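
A defender-side check for the FTP activity described above, added here as an example and not part of the original post: it scans an FTP command log for SITE EXEC and flags programs that were uploaded in the same session or that are net.exe adding an account. The log layout, the sample lines and all function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in an assumed layout: "date time [session] user=NAME CMD: VERB args".
# This is not Serv-U's native log format; adapt LINE_RE to the real logs.
SAMPLE_LOG = """\
2010-05-01 10:00:01 [7] user=backup CMD: CWD /pub
2010-05-01 10:00:05 [7] user=backup CMD: RETR report.zip
2010-05-01 10:02:11 [9] user=tmpacct CMD: CWD c:\\soft
2010-05-01 10:02:15 [9] user=tmpacct CMD: STOR tool.exe
2010-05-01 10:02:20 [9] user=tmpacct CMD: SITE EXEC tool.exe
2010-05-01 10:03:02 [9] user=tmpacct CMD: site exec net.exe user someone /add
"""

LINE_RE = re.compile(r"^(\S+ \S+) \[(\d+)\] user=(\S+) CMD: (\S+)\s*(.*)$")
ACCOUNT_RE = re.compile(r"\b(user|localgroup)\b.*/add")
NET_TOOLS = ("net", "net.exe", "net1", "net1.exe")


def basename(path):
    """Last path component, lowercased, for either slash style."""
    return re.split(r"[\\/]", path.strip())[-1].lower()


def find_site_exec(log_text):
    """Return one finding per SITE EXEC command, with two risk flags."""
    uploads = defaultdict(set)  # session id -> names of files STORed in it
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when, session, user, verb, args = m.groups()
        words = args.split()
        if verb.upper() == "STOR" and words:
            uploads[session].add(basename(args))
        elif verb.upper() == "SITE" and len(words) > 1 and words[0].lower() == "exec":
            program = basename(words[1])
            findings.append({
                "time": when, "session": session, "user": user, "program": program,
                # The binary was uploaded over FTP in this session, then run.
                "uploaded_in_session": program in uploads[session],
                # net.exe / net1.exe was asked to add a user or group member.
                "account_change": program in NET_TOOLS
                and bool(ACCOUNT_RE.search(" ".join(words[2:]).lower())),
            })
    return findings


if __name__ == "__main__":
    for finding in find_site_exec(SAMPLE_LOG):
        print(finding)
```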