Getshell + Privilege Escalation Analysis
I had military training today and then some time at night to look at the site for a while. My buddy asked me to stay with him for the day, so in fact I followed the whole process on my phone while I was with my girlfriend; later I sorted it out on my computer, as I had promised to send it to Yin Cheng.
1) This site is a ground station. The backend address and the backend account password are already known. Let's first look at what platform it is built on.
Server platform: IIS 6.0
Once we get past the backend upload check, we will combine it with the IIS 6.0 parsing vulnerability to get a shell.
2) OK, on to the upload point.
There are two upload points: eWebEditor and the website's own editor. Here we try to break through the editor bundled with the website.
3) Try to upload an asp script file directly.
Failed. Almost no website allows script files to be uploaded directly.
4) Packet capture breakthrough
After a jpg image is uploaded, the server renames it. Then use the killer technique.
5) 00 truncation
00 truncation fails here: the uploaded file is still saved as jpg. It seems packet capture cannot break through at this point.
Based on the past few days of experience, a website may have several different upload points. I will look for more of them; maybe there will be a breakthrough.
6) Accidental discovery
I found a software upload point, and there I tried uploading the asp script file directly. Try again.
Haha, 00 truncation succeeded.
Visit the file to see whether it is parsed.
Perfect. Hey, connect to it with the kitchen knife (China Chopper).
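The two upload tricks above (00 truncation and the IIS 6.0 `;` extension quirk) both rely on the server trusting the client-supplied filename. The following server-side check is an added example, not code from the original post: it rejects those filenames and never stores the client's name at all. The allowlist, the script-extension list and the function names are assumptions.

```python
import secrets

# Constructed allowlist of extensions the handler is willing to store.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
# Extensions IIS 6.0 hands to the ASP/ASP.NET engines; none of these may
# appear anywhere in the name, so "x.asp.jpg" is rejected as well.
SCRIPT_EXTENSIONS = {"asp", "aspx", "asa", "cer", "cdx", "ashx", "asmx"}


def validate_upload_name(client_name: str) -> str:
    """Return a server-chosen filename for a valid upload, else raise ValueError.

    The client name is used only to pick the extension; the stored name is
    random, so whatever the client sent never reaches the filesystem.
    """
    if "\x00" in client_name:
        # 00 truncation: "shell.asp\x00.jpg" passes a naive suffix check,
        # but a C-string API writes the file as "shell.asp".
        raise ValueError("NUL byte in filename")
    # Drop any path component and normalise case before checking.
    name = client_name.replace("\\", "/").split("/")[-1].strip().lower()
    if not name or name.startswith("."):
        raise ValueError("empty or hidden filename")
    # IIS 6.0 stops reading the extension at ';', so "a.asp;.jpg" runs as ASP.
    if ";" in name:
        raise ValueError("semicolon in filename")
    parts = name.split(".")
    if len(parts) < 2:
        raise ValueError("no extension")
    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension '{ext}' not allowed")
    if any(p in SCRIPT_EXTENSIONS for p in parts[:-1]):
        raise ValueError("script extension embedded in filename")
    # Random name; store it in a fixed upload directory with script execution
    # disabled so the IIS 6.0 "/x.asp/y.jpg" directory trick cannot apply.
    return f"{secrets.token_hex(16)}.{ext}"


def is_safe_upload_name(client_name: str) -> bool:
    """Convenience wrapper: True if validate_upload_name() accepts the name."""
    try:
        validate_upload_name(client_name)
        return True
    except ValueError:
        return False
```

Rejecting the filename is only half of the fix; the upload directory must also be configured so that nothing stored there is ever passed to a script engine.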
[Privilege Escalation]
1) Upload an aspx Trojan
Escalating through the kitchen knife was too slow: a single whoami query took 5 minutes. I decided to upload a Trojan, directly as an aspx file. aspx runs with relatively higher permissions; if aspx is not supported, upload asp instead.
Parsed perfectly.
2) Try cmd.
Extended.
3) whoami
4) View patch information
Note two points here: a. Server version: 2003 x86, a 32-bit system.
b. Server patches: more than 600. Try pr.
5) pr privilege escalation exp
Well, it is indeed an intranet, and intranet connections can be forwarded. I have demonstrated up to here and have to go to military training.
[Summary]
1. Try every upload point:
The big brother was demonstrating whatever he wanted to, and I sorted it out afterwards. Although I suggested looking at other upload points, when he clicked the software upload, the interface looked the same as the image upload and I thought it could not be broken through. If it had been me, I would not have tried the software upload point. What I learned here: try packet capture on all upload points (except the editor).
2. IP address:
Some intranet IP addresses start with 172, which may turn out even more interesting later. In the future, for the IP addresses shown by ipconfig, use the ping command to check whether they are reachable. This saves time.