Privilege Escalation Manual for Windows Virtual Hosts

Source: Internet
Author: User

Currently, most websites in China are built on one of the various virtual host (shared hosting) management systems; fewer and fewer run on independent servers.
So once you obtain the highest privileges on such a host, you control a large number of sites. But virtual hosts are so locked down that escalating privileges on them is usually very hard. This course therefore aims to summarize the methods and share them with you, in the spirit of teaching people to fish rather than handing them a fish.
0x00 Preface
0x01 What is a virtual host?
0x02 What is Security Mode
0x03 About privilege escalation on virtual hosts
0x10 Xingwai (星外) host privilege escalation
0x11 How to identify Xingwai
0x12 General Xingwai privilege escalation
0x13 Xingwai readable and writable locations
0x14 Other ideas for Xingwai privilege escalation
0x20 Virtual host privilege escalation
0x21 How to identify the virtual host
0x22 Sensitive directories and registry
0x23 Skills and experience
0x30 Privilege escalation on West.cn (西部数码)
0x31 How to identify West.cn
0x32 Where sensitive information is stored
0x33 Experience
0x40 N-Point virtual host privilege escalation
0x41 Identifying an N-Point virtual host
0x42 General N-Point privilege escalation
0x43 Related information
0x50 Privilege escalation on other common virtual hosts
0x51 Xinnet virtual host
0x52 ZKEYS virtual host
0x53 Other unknown virtual hosts

0x00 Preface

0x01 What is a virtual host?

I remember that when I first started doing penetration testing, many experts in the group mentioned "yet another virtual host", and I was curious what a virtual host actually is. Here is a short introduction. The encyclopedia definition says that each "host" has an independent domain name and an independent IP address, which is what we call "space". What we usually see is that each host on a virtual host server has its own domain name. Put simply, one server serving multiple domain names is a virtual host (this definition is a little loose). The common virtual host management systems are the ones listed in the table of contents above.
 
0x02 What is Security Mode
Security mode is a common management mode of virtual host management systems. Its principle is to use certain Windows settings to control permissions.
How do you tell whether security mode is on? Virtual hosts generally support aspx, but in security mode aspx cannot be used to its full extent. Let's look at the configuration behind security mode:
The web.config file concerned lives in C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\. The key part, which is not modified by default, looks like this:

    <securityPolicy>
        <trustLevel name="Full" policyFile="internal"/>
        <trustLevel name="High" policyFile="web_hightrust.config"/>
        <trustLevel name="Medium" policyFile="web_mediumtrust.config"/>
        <trustLevel name="Low" policyFile="web_lowtrust.config"/>
        <trustLevel name="Minimal" policyFile="web_minimaltrust.config"/>
    </securityPolicy>
    <trust level="Full" originUrl=""/>

Note trust level="Full". Full means full permission and is the system default: there is no restriction on permissions, an aspx trojan runs with no restriction on its functions, and an aspx one-liner (一句话) shell can connect.
Medium: most domestic virtual hosts are configured this way. Where the aspx mapping is also absent from the IIS application configuration, no aspx code can execute at all, which cuts off aspx execution completely.
High: the code access permission level is High. An aspx trojan still runs, but its functions are restricted: you cannot execute commands, view the registry, system processes or system services, or use IISSPY (it just returns an error page).
So in security mode the judgment is generally made from how the aspx trojan behaves: iisspy cannot be used, aspxcmd cannot be used, the registry cannot be read, the one-liner shell cannot connect, and many other abnormal restrictions appear.
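The following script is an added example and not part of the original article: from the defender's side it audits a machine-level web.config for the trust level discussed above and checks whether that level is locked with <location allowOverride="false">, so that an individual site cannot raise it back to Full in its own web.config. The two configuration strings it inspects are constructed for the example, not taken from any real host.

```python
import xml.etree.ElementTree as ET
# Trust levels named in <securityPolicy>, weakest first
TRUST_ORDER = ["Minimal", "Low", "Medium", "High", "Full"]

def audit_trust(config_xml, max_allowed="Medium"):
    """Return {'level', 'locked', 'findings'} for the <trust> element in config_xml.

    No <trust> element means ASP.NET's default of Full. A level above max_allowed,
    an unknown level, or a level that individual sites may override in their own
    web.config (no enclosing <location allowOverride="false">) is a finding.
    """
    root = ET.fromstring(config_xml)
    parent = {child: p for p in root.iter() for child in p}  # child -> parent map
    level, locked = "Full", False
    for trust in root.iter("trust"):
        level = trust.get("level", "Full")
        locked = False
        node = parent.get(trust)
        while node is not None:  # walk up looking for a locking <location>
            if node.tag == "location" and node.get("allowOverride", "true").lower() == "false":
                locked = True
            node = parent.get(node)
    findings = []
    if level not in TRUST_ORDER:
        findings.append(f"unknown trust level {level!r}")
    elif TRUST_ORDER.index(level) > TRUST_ORDER.index(max_allowed):
        findings.append(f"trust level {level} exceeds {max_allowed}")
    if not locked:
        findings.append('trust level can be overridden per site (no allowOverride="false")')
    return {"level": level, "locked": locked, "findings": findings}

# Constructed sample: the stock v2.0.50727 root web.config setting shown above
DEFAULT_CFG = """<configuration>
  <system.web>
    <securityPolicy>
      <trustLevel name="Full" policyFile="internal"/>
      <trustLevel name="Medium" policyFile="web_mediumtrust.config"/>
    </securityPolicy>
    <trust level="Full" originUrl=""/>
  </system.web>
</configuration>"""

# Constructed sample: a hosting provider's locked "security mode" setting
HARDENED_CFG = """<configuration>
  <location allowOverride="false">
    <system.web>
      <trust level="Medium" originUrl=""/>
    </system.web>
  </location>
</configuration>"""
```

Run audit_trust() over the real file to confirm that a host claiming security mode actually enforces Medium and has it locked; an unlocked level is only a default, not a control.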

Here is a screenshot of the error page that iisspy returns: