Ideas about Elevation of Privilege

Author: Knife

1. Find Writable Directories

This is very important. The writable directories outside of the stars have actually summarized the toast. However, it has been updated recently outside of the stars...

C: 7i24. The old comiissafelog is writable and can be executed, but the new is writable but cannot be executed .. We recommend that you change the cmd suffix to src, txt, and com for execution.

I believe you have collected other writable directories. I will not talk about them here. Second, the host of huazu can be used to kill in seconds in the registry.

Except for the stars, you can find them and execute temp successfully,

Ii. Attacker Elevation of Privilege and other types of Elevation of Privilege and sensitive files

Then, let's talk about how to rebound shell and some famous files. Find the config configuration files such as root sa and don't try again ..

C: Program Files mysql directory su directory and some unusual firewalls, can obtain sensitive information

Next, if your mysql account has read and write permissions, we suggest you download some sensitive files and drop some sensitive files.

Ps: A lot of people know about it. Don't ban me to show it to your side dishes.

: Mysqldatamysqluser. MYD // store the database connection password in the mysql. user table

Mysql root address:

In addition to the shortcut keys in the program, you can also find the registry in the mysql path.

Here is the path for everyone.

HKEY_LOCAL_MACHINESOFTWAREMySQL AB
HKEY_LOCAL_MACHINESOFTWAREMySQL ABMySQL Server 5.0
HKEY_LOCAL_MACHINESOFTWAREMySQL ABMySQL Server 5.0 Location
HKEY_LOCAL_MACHINESOFTWAREMySQL AB ': This is found out outside of the stars, and other users can find it by themselves,
After downloading the three files in the user table, we recommend that you use wamp to set up the environment, put the data under mysql, and create a new one ..
Then, use phpmyadmin to view the root password and go to iis5 to crack it.

C: Program FilesRhinoSoft. comServ-UServUDaemon.ini // stores the VM website path and password
C: Program FilesServ-UServUDaemon.ini
C: windowsmy. ini // MYSQL configuration file
C: windowssystem32inetsrvMetaBase. xml // IIS configuration file
C: windowsepairsam // stores the password for the first installation of WINDOWS.
C: Program FilesServ-UServUAdmin.exe // versions earlier than serv-U administrator password stored here
C: Program FilesRhinoSoft.comServUDaemon.exe
C: Documents and SettingsAll UsersApplication DataSymantecpcAnywhere *. cif File

Iii. sensitive information about the Registry

HKEY_LOCAL_MACHINESYSTEMLIWEIWENSOFTINSTALLFreeHost. We all know that the external directory is cracked and the sa cannot be connected. You can try the social engineering root and remote
HKEY_LOCAL_MACHINESOFTWARE is simple. It is very powerful to find sensitive files here .. For example, su and mysql can all be found here ..

List the following items:
HKEY_LOCAL_MACHINESOFTWAREMySQL AB mysql registry location
HKEY_LOCAL_MACHINESOFTWAREHZHOSTCONFIG location of the audience host
HKEY_LOCAL_MACHINESOFTWAREcat softserv-u serv-u location

4. Summary of Elevation of Privilege.

Do not be afraid to see that the ws component is disabled. In fact, it is also good for you to find sensitive files.