Permission escalation using PCAnywhere12

Text/Figure Mermaid JiPCAnywhere is no longer familiar with remote control software. After obtaining the WebShell, we need to raise the right. If we can smoothly jump to "C: Documents and SettingsAll UsersApplication DataSymantecpcAnywhere", we can download the CIF file, then you can use the relevant tools to read the password. However, in the recently released PCAnywhere12, things are not that simple, and its CIF file cannot read the password, even if it is garbled, as shown in 1. Figure 1 of course, Symantec cannot be expected to fix this problem because it has been around for a few years, and we do not know how many servers have fallen. Unfortunately, things have not ended. Next I will introduce you to the solution. The latest PCAnywhere12.1 version is tested here. First, we need to make it clear that in this version, when we create an account: documents and SettingsAll UsersApplication DataSymantecpcAnywhereHosts to generate the relevant CIF file instead of "C: Documents and SettingsAll UsersApplication DataSymantecpcAnywhere". Suppose I have created the admin account here. The problem is that when I install PCAnywhere12.1 on Windows XP SP2, "C: Documents and SettingsAll UsersApplication DataSymantecpcAnywhereHosts" permission 2 shows that the Users group can control this directory. Later, when I installed Windows Server 2003, the permission for the "C: Documents and SettingsAll UsersApplication DataSymantecpcAnywhereHosts" directory was even more shocking. As shown in 3, everyone could control this directory. Figure 2 Figure 3 as we all know, the permission of the Internet Guest account is guests, which is the permission of the ASP Trojan. What about the ASPX Trojan? As shown in figure 4, the access account used by it is ASPNET. To run the ASP.net program, you must create the aspnet_wp process. ASPNET is the user used to create this process. That is to say, the access permission of your ASP.net program is determined by the ASPNET permission. This is the user created when the. Net Framework is installed. The purpose is to use a user with less permissions to execute the aspnet_wp process to enhance security. ASPNET is affiliated to the Users group, as shown in Figure 5. Therefore, the permissions of the ASPX Trojan are higher than those of the ASP Trojan. If we upload the prepared CIF file to the "C: Documents and SettingsAll UsersApplication DataSymantecpcAnywhereHosts" directory, we can create an account. It's so exciting! Figure 4 Figure 5 later I used the Users account on Windows Server 2003 to easily transfer the prepared CIF file to C: Documents and SettingsAll UsersApplication DataSymantecpcAnywhereHosts. To prepare this CIF file, you only need to install a PCAnywhere on your machine and create an account. You can find the corresponding CIF file in "C: Documents and SettingsAll UsersApplication DataSymantecpcAnywhereHosts, it contains the username and password you set up. The username and password of my account here are all renyuji. you can log on to another user's machine, as shown in figure 6, so that you can escalate the permission. Figure 6