Record a tortuous N-point VM Elevation of Privilege

http://www.bkjia.com /199.36.7.20.( both of which are used to replace the target station) it is often easy to use shell. Here we will see it. You are welcome to discuss the shell method. Permission escalation starts. Upload the following horses because the test is available!http://www.bkjia.com /Inc/yueyan. php Trojanhttp://www.bkjia.com /Inc/yueyan. asp horsehttp://www.bkjia.com /Inc/yueyan. aspx horsehttp://www.bkjia.com /Inc/coon. aspx works well in one sentence. Aspx is used to execute commands with a kitchen knife. Commonly used tools are used to transmit exp logs to collect information using a trojan scan directory: used aspx horse to collect information system information> OS name: Microsoft (R) Windows (R) Server 2003, Enterprise Edition system type: x86-based PC127.0.0.1: 21 ................................. Open127.0.0.1: 3306 ................................. Open can consider mysql Elevation of Privilege 127.0.0.1: 3389 ................................. CloseServer Ip: 199.36.77.9: 80 Terminal Port: 8819 Remote Desktop Port user (Group) information> N-point virtual host Management System V1.9.6-management account ND19_qoiso one of the users first looks for readable and writable, and then continues to collect information: c: \ windows \ Temp \ readable and writable file, but after uploading it, I found that the file cannot be executed, and finally found the executable file in E: \ RECYCLER \. Why is this? I am not sure. Forget daniel's science. (Finally, we uploaded cmd and Brazilian barbecue E: \ RECYCLER \ cmd. comE: \ RECYCLER \ Churchill co.com to try Brazilian barbecue ..... Failed/Churchill/-> Couldn't run command, try again! You cannot query dir c: \ windows \> a.txt & (for % I in (KB952004.log KB956572.log KB2393802.log kb25000005.log %kb2160329.log KB970483.log kb212%1.log %%%kb958644.log) do @ type a.txt | @ find/I "% I" | @ echo % I Not Installed !) & Del/f/q/a.txt: access is denied, and systeminfo cannot be used to find any unpatched patch. Directly upload these exp (which looks like 7 exp) is equally fruitless. It seems that I forgot one thing: Point N virtual host Management System V1.9.6-management account point N virtual host .... Search for the powerful forum. There are two topics in this regard. One is a paper, and the other is an estimate of a video screen (because it was a theme in February, it uses a download link of 115, and it cannot be downloaded) I have probably learned that the Elevation of Privilege of the VM on the N-point virtual host cannot be implemented step by step ........ What new users like me should avoid most is step-by-stepYou must have your own ideas.There is nothing in this directory, and it is not possible to download the database to view the root password or something. Therefore, the conventional n-point host fails to escalate permissions. Return to information collection, port 3306, mysql Elevation of Privilege. Mysql requires a root password for privilege escalation. The common method to find a password is to find it in the configuration file of the website, and find it in the mysql installation directory. Because there are too many websites, run the set command in the installation directory to find the mysql directory. No access permission. The type command is invalid. Try again on the website. By using the file search function of Trojan, each Trojan should have a function. Search for the two keywords conn and config.



The three configuration files are found. E: \ www \ www.2cto.com \ inc \ conn. asp E: \ www \ www.2cto.com \ inc \ config. asp E: \ www \ my51a6y9n.dfshou.com \ inc \ config. after asp is opened, all access databases are configured.
I thought it was another website configuration file I haven't found out, The results roughly browsed the website, in addition to the http://my51a6y9n.dfshou.comhttp: // www.bkjia.com/these two sites have configuration files, the others only have two files. An index.html and an nkddcnfmonoclonal. js website configuration file failed .... Originally, I wanted to use the off-star 0-day to check whether the n-point host is common. Continue to find a way: in IIS probe> found these things 199.36.77.9: 8090: C: \ web \ webfiles \ phpMyAdmin-3.4.7199.36.77.9: 80: C: \ web \ webfiles \ phpinfo199.36.77.9: 2896: c: \ Program Files \ Common Files \ Microsoft Shared \ Web Server Extensions \ 50 \ isapi \ _ vti_adm
The first one is phpmyadmin, which is used to manage mysql databases. Try to access 199.36.77.9: 8090 and cannot access Phpmyadmin. You should configure this root password libraries \ config. default. php and directory under the file is configured root to view this file, in the notepad search rootC: \ web \ webfiles \ phpMyAdmin-3.4.7 \ libraries \ config. default. php has recently discovered that it is a poor character. What do you do if you do not configure phpmyadmin to install this !!!! Speechless. Continue to check the remaining two directories and find that they are not available .... Cannot be lifted? Go to IIS probe> Search for these websites and find that no mysql connection is configured for all websites. Okay, continue browsing. To the Elastic Block Storage (edisk. Z-Blog_1_8_Walle_100427Discuz_X2_ SC _GBK opened to see, found that the database has not been configured yet. After thinking about it, try again. It is a bit disheartened to use the search function of dama. Expand the search to the edisk and directory !!!! One by one view, one by one view ..... It is estimated that there are about 10 queries. It is estimated that God cares. Finally, some items are found in the discarded website files on the server. E: \ a \ www. xptm. tk \ wp-config.php configuration file: define ('db _ name', 'mywp007 ');/** MySQL database username */define ('db _ user ', 'root');/** MySQL database password */define ('db _ password', 'c1x2p3 ′); /** MySQL hostname */define ('db _ host', 'localhost'); now you can try to use the database account to log on to MySQL 3389. I often encounter the same password. The password is confirmed to be only one character different. Www.2cto.com continues to escalate permissions. using udf to escalate system permissions, you can add the user yueyan to the server:



The server configuration is too low and you don't want to sniff anything .... Let me give it to the girl... In fact, in the end, I found that iis5 seems to have done cdn www.20.5.com 59.188.21.20. How can I find this ..... No matter what you do, you have to go to the level in five days to start, and you will not penetrate below.