HZHost virtual host Elevation of Privilege instance

Source: Internet
Author: User

Like the N-point virtual host privilege escalation case, this host was also a hacker's box. Today someone asked me whether there was any unencrypted ASP webshell around. He said that many encrypted webshells carry backdoors and the box gets trojaned within a few days, so it's better to use a webshell that isn't encrypted.
I said I'd find some web space to upload one to, and we downloaded it together. Then... I went looking for an ASP space, and the server fell.

Most privilege escalation vulnerabilities on virtual hosts come down to how directory permissions are set, and this one is no exception. First I got a webshell (that part won't be covered here).
Although the server supported ASP, ASPX and PHP, the permissions were locked down tight: I uploaded cmd.exe to the root of C: and still could not execute cmd commands. That meant escalating through an overflow exploit was probably out of the question.
There are many kinds of privilege escalation, such as the PR overflow, MS11-046, the IIS7 escalation and so on. These are all overflow escalations: you run an overflow program under Users or some other low-privilege account to obtain SYSTEM. If the server cannot execute any exe or cmd command at all, overflow escalation cannot be carried out.
Since the server itself runs some services as SYSTEM, such as anti-virus software, databases and FTP software, this article is an example of escalating through a SYSTEM-level service.

The server supported ASP, ASPX and PHP. Since cmd could not be executed, all I could do was browse directories and survey the environment.
I found Serv-U, which can be used to run commands, but its password was unknown. MySQL and MSSQL both ran as SYSTEM. What follows describes escalating through one of these SYSTEM-level services.
PHP and ASP could not browse any useful directories, but ASPX could browse quite a few.
Although those directories could be accessed, the most important ones, such as Serv-U and MySQL, could not.
I found several folders such as "Serv-U - Copy" and "HZHost - Copy"; they could be opened and their file listings read, but nothing could be downloaded. That did not seem to lead anywhere.

But here's the absurd twist. In the end we found that the database backup folder on the G: drive (the backup disk) could be accessed and its files downloaded. So I downloaded the /mysql/data/mysql/user.MYD file and read the MySQL hash out of it.

 

The MySQL hash was *F0B9E1FEACB514724519B70583B6D887483E5192, which cracked to the plaintext xwr6826813. Remote connections were not allowed. MySQL version 5.0.x.
So I went straight to creating a user-defined function (UDF).

However, when I created the UDF to escalate, it complained that mysql.dll could not be written to the system32 folder. It seems that directory was locked down as well. Depressing.
So I switched to reading the Serv-U configuration file instead,
running the query as MySQL's root account:

  select load_file('e:\Serv-U\ServUDaemon.ini')
Result:
  Failed to execute Can't get stat of 'e:\Serv-U\ServUDaemon.ini' (Errcode: 2)

That means the parent directory of Serv-U, the root of the E: drive, has its permissions set so that MySQL cannot read it.
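The MySQL side of the story above (a MySQL service running as SYSTEM, a root hash lifted from a readable backup copy of user.MYD, LOAD_FILE() against another product's configuration, and a UDF attempt) comes down to a handful of server settings a defender can audit from a SQL client. The following SQL is an added example, not part of the original write-up; it assumes MySQL 5.1.17 or later (the page's 5.0.x predates secure_file_priv and loads UDF libraries from the system library path rather than plugin_dir), and the account 'webapp'@'localhost' is a placeholder name.

```sql
-- Which accounts hold FILE (needed for LOAD_FILE() and SELECT ... INTO OUTFILE)
-- or SUPER, and from which hosts may they connect? root should be localhost-only.
SELECT User, Host, File_priv, Super_priv
FROM mysql.user
WHERE File_priv = 'Y' OR Super_priv = 'Y' OR Host = '%';

-- Where may LOAD_FILE() read and INTO OUTFILE write?
-- '' means anywhere on disk, NULL means file operations are disabled,
-- a path confines them to that one directory.
SHOW VARIABLES LIKE 'secure_file_priv';

-- From 5.1 on, CREATE FUNCTION ... SONAME only loads libraries out of plugin_dir.
-- That directory should be writable by the service account alone, never by
-- the web application's identity.
SHOW VARIABLES LIKE 'plugin_dir';

-- Every UDF currently registered and the shared library it came from.
-- On a shared web host this table is normally empty; any row needs an owner.
SELECT name, ret, dl, type FROM mysql.func;

-- Hardening: take FILE away from application accounts (placeholder account name)
-- and keep root to local connections only.
REVOKE FILE ON *.* FROM 'webapp'@'localhost';
DELETE FROM mysql.user WHERE User = 'root' AND Host <> 'localhost';
FLUSH PRIVILEGES;
```

None of these statements fixes the root cause in the write-up, the backup folder that the web application could read: a copy of the data directory holds every account hash, so it needs the same NTFS ACLs as the live data directory, and the service should run under a dedicated low-privilege account rather than SYSTEM so that even a successful UDF load does not hand out SYSTEM.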

The privilege escalation had hit a dead end.

Since MySQL was a dead end, I switched to MSSQL.
I downloaded \MSSQL\Data\master.mdf, but then had another thought:
with MSSQL and MySQL installed side by side, might MSSQL's sa password be the same as MySQL's root password?
I tried logging in with it, and the result was even more unexpected.

Next I tried running cmd commands through xp_cmdshell.

 

The stored procedure was not found. Frustrating. sp_oacreate gave the same result as xp_cmdshell.
I searched the Internet, but none of the solutions I found worked.
Restore what, exactly? xp_cmdshell, or sp_oacreate?
Finally I came up with a simple method:

  drop procedure sp_addextendedproc
  drop procedure sp_oacreate
  exec sp_dropextendedproc 'xp_cmdshell'
  dbcc addextendedproc ("sp_oacreate", "odsole70.dll")
  dbcc addextendedproc ("xp_cmdshell", "xplog70.dll")

Since the error said they already existed, remove them first and then restore them.
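The commands above work because a login holding sysadmin (here sa, sharing its password with MySQL's root) can drop and re-register extended procedures at will; disabling xp_cmdshell alone does not stop that. The following T-SQL is an added example rather than anything from the original write-up; it assumes SQL Server 2005 or later (sys.configurations and sys.server_role_members do not exist on SQL Server 2000) and is meant to be run from a monitoring job or a hardening script, not from the application's connection.

```sql
-- Current state of the two features the write-up restores.
-- value_in_use = 1 on either row means the feature is live right now.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell', 'Ole Automation Procedures');

-- Are the extended procedure entries present in master at all?
-- type 'X' = extended stored procedure; a create_date newer than the
-- instance's install date on one of these rows deserves a closer look.
SELECT name, type_desc, create_date, modify_date
FROM master.sys.objects
WHERE type = 'X' AND name IN ('xp_cmdshell', 'sp_OACreate', 'sp_OAMethod');

-- Who could flip these switches? Only sysadmin members can run sp_configure
-- and DBCC ADDEXTENDEDPROC, so this list should be short and fully accounted for.
SELECT p.name, p.type_desc
FROM sys.server_role_members rm
JOIN sys.server_principals r ON rm.role_principal_id = r.principal_id
JOIN sys.server_principals p ON rm.member_principal_id = p.principal_id
WHERE r.name = 'sysadmin';

-- Hardening: switch both features off and hide the advanced options again.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 0; RECONFIGURE;
EXEC sp_configure 'show advanced options', 0; RECONFIGURE;
```

An unexpected row with value_in_use = 1, a freshly created xp_cmdshell or sp_OACreate, or a new sysadmin member are exactly the traces the last step of this write-up leaves behind, so the three SELECTs are worth running on a schedule. The configuration changes at the end only hold if sa's password is not reused by other services on the box and the SQL Server service itself runs as a low-privilege account rather than SYSTEM, since an operating system command executed through a SYSTEM-level service is the whole point of the attack described above.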

 

Having got this far, I don't think the rest needs explaining.

 

Author: YoCo Smart from: Silic Group Hacker Army BlackBap. Org
