In the afternoon there was nothing to do, so I went to the forum to check whether Daniel had shared any good techniques. When I saw a friend asking for help, I started on the webshell. Generally speaking, this site is a PHP site, but aspx and asp can both be executed. The system is 2003. The aspx shell can execute some commands; however, there was no response when executing exp, systeminfo returned no output, so we did not know which patches were installed, and tasklist returned no output either. Therefore, the local overflow failed. Check the port information:
Port 43958 is open, but the Serv-U privilege escalation that comes with ASPXSpy fails, so the default password should have been changed. Ports 1433 and 3306 are also open. Then go through the database configuration files; first, check the configuration file of the target site.
After logging into the database and looking through it, there are still a lot of databases. Suddenly we can see a mysql database,
Just click in and open the user table,
We can see the users and hashes of all the databases. The most prominent one is root. We copied the hash to crack it but could not crack it. I thought that the permissions of a database account that can view mysql should not be too small, so let's look at the permissions of this account in the user table first. Looking at it, there are a lot of N, and the permissions are too big; let's take another look at the permissions. We can see that both the account and password are empty, and the permissions are all Y. I wondered what the situation was. Now that there is a library, let's connect,
The connection is successful. First, use the one that comes with mysql to escalate permissions. First, check the mysql version: it is 5.0. Export, and the export fails. If the mysql directory cannot be changed, try a professional udf. (To be honest, I have not used udfs more than a few times.) The udf was exported successfully, but an error occurred while executing commands. All kinds of attempts failed. What to do next? Check whether the udf has a function to export files to the startup item,
Then export it. The export requires a machine restart, and the first thing that came to mind was ms12-020. I did not know whether it was patched, so I read the registry to see whether 3389 was not open or had been changed to another port. The port read from the registry is 8888, so I decisively went with ms12-020,
After checking that the website no longer responded, I waited a moment, connected to port 8888 and logged on successfully.
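Seen from the defender's side, the turning point above is the mysql.user entry with an empty account name, an empty password and every privilege set to Y. The following audit is an added example, not part of the original post: it flags such rows in an export of mysql.user, using the MySQL 5.0 column names. The sample rows, the `siteuser` name, the `%` host and the hash placeholders are constructed assumptions.

```python
# Added example: audit rows exported from mysql.user (MySQL 5.0 column names).
# Global privileges that reach beyond the data itself:
#   File_priv   - read/write files on the database host
#   Super_priv  - server-wide administration
#   Grant_priv  - hand privileges to other accounts
#   Insert_priv - as a global privilege it covers the mysql system tables
HIGH_RISK = ("File_priv", "Super_priv", "Grant_priv", "Insert_priv")
PRIV_COLS = ("Select_priv", "Insert_priv", "Create_priv",
             "File_priv", "Grant_priv", "Super_priv")  # subset, for brevity

def audit_account(row):
    """Return the findings for one mysql.user row (dict: column -> value)."""
    findings = []
    if row.get("User", "") == "":
        findings.append("anonymous account (empty User)")
    if row.get("Password", "") == "":
        findings.append("empty password")
    if row.get("Host") == "%":
        findings.append("login allowed from any host")
    risky = [c for c in HIGH_RISK if row.get(c) == "Y"]
    if risky:
        findings.append("high-risk global privileges: " + ", ".join(risky))
    return findings

def critical_accounts(rows):
    """Accounts needing no password that also hold a high-risk privilege."""
    hits = []
    for row in rows:
        no_password = row.get("Password", "") == ""
        if no_password and any(row.get(c) == "Y" for c in HIGH_RISK):
            hits.append("'%s'@'%s'" % (row.get("User", ""), row.get("Host", "")))
    return sorted(hits)

def make_row(host, user, password, default):
    """Build a constructed sample row with every privilege set to `default`."""
    row = {"Host": host, "User": user, "Password": password}
    row.update({c: default for c in PRIV_COLS})
    return row

# Constructed sample data; the hash values are placeholders, not real hashes.
SAMPLE_ROWS = [
    make_row("localhost", "siteuser", "*PLACEHOLDER_HASH_1", "N"),
    make_row("%", "", "", "Y"),
    make_row("localhost", "root", "*PLACEHOLDER_HASH_2", "Y"),
]

if __name__ == "__main__":
    for r in SAMPLE_ROWS:
        print(repr(r["User"]), r["Host"], audit_account(r))
    print("critical:", critical_accounts(SAMPLE_ROWS))
```

Any account returned by `critical_accounts` should be dropped or given a password and reduced privileges before anything else on the host is reviewed.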