Further exploitation and Security Prevention of hzhost vm in Elevation of Privilege

1. C: There is an ftp logon record left by the hzhost host in windowsemp. Username and password
2. It uses hzhost to obtain the highest permissions of the System host.

The mssql sa password, mysql root Password, and serv-u administrator password of the hzhost host are all stored in the registry. Location in

HKEY_LOCAL_MACHINEsoftwarehzhostconfigsettingsmysqlpass
HKEY_LOCAL_MACHINEsoftwarehzhostconfigsettingsmastersvrpass

After hzhost's own encryption method, like eLVClO4tzsKBf # dee52443a3872cc159

Such a string. However, it can be restored in the hzhost background! If you get the sa password or root password, the highest permission is in sight! If w. s is disabled. Let's upload the aspx Trojan!

After an asp Trojan is uploaded. You can see the database connection string under incsconstr. asp. Connect to the database. Run

SELECT * FROM [hstlst] statement. You can see many host records

The password of h_ftppass is similar to the encrypted string of the hzhost host. That's right. The host management password is encrypted by himself! In the host management area

The plaintext password is displayed. It indicates that he restored it again. Do you understand? We first use the aspx Trojan to export the root and sa Password Encrypted strings of mysql and mssql.

We use this statement to modify the host password of another user.

UPDATE [hstlst] SET h_ftppss = 'apww3j4zmak83lhmbof9fc298b1d3d0a' WHERE h_ID = 10000471

Go back and check the host password. (Converted to plaintext at this time)

The root password is sphil_070921. Note: Due to various restrictions. The screenshot I cut may not be perfect. However, this method is absolutely feasible!

Security Solution:

Don't talk about it separately. Let's take a look at the above description.