Serv-U Privilege Escalation

Author: Intruder Source: evil baboons China

At the requirement of the "black guest XFile", ice blood should be moved to the internal storage and cannot be published because this article has been published in the book!

Since the serv-u privilege limit was lifted, the Family held su.exe to cover the Web bag. The number of bots increased significantly and the quality increased. After the methods in the "Win2000 Virtual Host Intrusion Law" were widely spread, we started to have some high-bandwidth, large memory, and even the best bots with N CPUs, congratulations! ^_^ (audience: same joy ). However, we also met the old chicken that used n to fix the Serv-U Local Privilege Escalation Vulnerability and could not improve the privilege, today I will discuss how to catch these bots with my real intrusion.
1. A Network Office System

One month of cool and cool, I once again opened the school website of our high school. On the homepage, how nice they are to blow the school's network construction, the more I see it, the more depressing it is. I didn't even let me in the data center for three years at school, and even remember that I had no data center. I thought, why should I give them a wake-up reminder? Alas, I have taken the lead in saving the world, who told me to be handsome? ^_^ (the audience started preparing for the bad eggs, fried tomatoes, and so on ).
I immediately took out the X-SCAN check all options to a large scan, the server is Windows2000 Advanced Server version, the server only opened port 80, 21, 25, 3389, the server should have _ blank "> firewall, or, if TCP/IP filtering is enabled, no vulnerability scan is available, and SP4 + is the latest patch. Such a server should not come out of the network management configurations of our senior high school. This is a bit difficult to look down on, but it should also be a fact. I checked the IP address, which is from Beijing Unicom. It seems that the VM is used.
Open the animation now, as shown in figure 1 ). This tool is very powerful. First, you can use whois.webhosting.info to query all domain names bound to an IP address, and then import the software to automatically query the databases of pages or forums and article systems that can be uploaded, for example, the upload page and mobile page of dvbbs 7.0, the vulnerability page of qingchuang article system, and the mobile network database. You can use the vulnerability exploitation program that comes with the software to directly upload the ASP Trojan. I am very disappointed with the scan results. This server may be newly opened. There are only a few websites, and there is no Upload Vulnerability.

Figure 1

When I was depressed, I opened the homepage and loose it. The homepage was written in pure HTML. Only one record was written in ASP, and the latest version of "fengyue record" was used. I tried weak passwords and made a mistake. The database address of the default "fengyue record" is marked, but the database address is not changed, but the anti-download process is implemented.
Without any troubles, the promotion industry is downloading, and downloading zookeeper takes legal disclaimer to protect the quality of the legal proceedings against mongodmin. The password prompt is "0000". I also lost "0000" at will. Haha, correct. Go to the Management page (figure 2 ). After going in, I felt like I had introduced the A4 network teaching system in XFile. I tried uploading the page if I could upload anything, I saw a "report file" in "Administrative Management" and found an ASP Trojan 2005 at the top of the ocean. The upload was successful, why can't I find any place to transfer to? (figure 3 ). I found a "personal mailbox" and wrote a letter to myself. The attachment is directly attached to the top 2005 of the ocean and opened the inbox. Haha, ASP attachments can be opened directly, obtain webshell (figure 4 ).
Later, the test found that there are more than N office systems on the Internet. Enter "Enterprise Network Office System" in Baidu and click OK. Most of the questions and answers prompted with the default password just now can be entered, get webshell soon. You can try it.

Figure 2

Figure 3

Figure 4
2. Desperate permission escalation

With webshell, you can modify the home page of the website to remind the school administrator. However, during use, it is found that the host is very fast, you can download and scan bots. Haha, you can also grade QQ, And you are excited and want to laugh.
Since I wanted to turn him into a zombie, my suffering began. I started my desperate permission escalation journey.
Enter the net user in webshell. The top ASP Trojan prompts "file opening failed" "No permission ". It seems that the access to cmd. EXE by guest is restricted, so we can upload it to cmd. EXE by ourselves. Upload successful. Then customize the cmd. EXE path in the ASP Trojan on the top of the ocean, but still cannot execute the CMD command. Then let's look at C: /winnt/system32/inetsrv/Data does the Directory have the write permission? This directory of Windows2000 is fully controlled by everyone by default (For details, refer to "XFile 12" a difficult Virtual Host Intrusion "), CMD upload succeeded. Execute the Net start command. FTP is actually using Serv-U. I have a sneer. Hey, blame you for your hardships. After that, the serv-u Privilege Escalation program su.exe was uploaded to run C:/winnt/system32/inetsrv/data/su.exe "net suer intruder $0123123/Add" with hope ". The result returns the following result:
<220 Serv-u ftp server V5.0 for Winsock ready...
> User localadministrator
<331 user name Okay, need password.
**************************************** **************
> Pass # l @ $ AK #. lk; 0 @ P
<530 not logged in.

Figure 5

The Administrator has fixed the Serv-U Local Privilege Escalation Vulnerability. He modified the default sverv-u Administrator name or password, and the permission escalation will inevitably fail. Depressed!
We all know how difficult it is to use a vulnerability on Windows + SP4 to escalate permissions. It is so difficult to make such a good hole that it is blocked, unwilling ...... 55555 ......
Continue to slide in the host, and find that there are no redundant services on the host. The replacement of services is basically ruined. Using ASP, which has been circulated on the Internet, directly add the administrator user's code and try it.
After that, I went up and slide every day, that is, there was nowhere to go. Basically all the methods I could use were used, so I had to take the dagger and carry the explosive package to directly ask the Administrator for the password.

3. rippling

When I dreamed about it for a while, I always dreamed that I could easily escalate the permission to win it. Then I used winhex to change the Serv-U file and add the local permission Escalation Vulnerability, then the bots are my own. I can use QQ and QQ agents. Haha, haha, haha ...... (I was beaten n + 1 times by my roommates for a long time in the middle of the night.) Suddenly ...... hexadecimal ...... modify the default username ...... password ...... I thought of it! I woke up and was so excited that I couldn't sleep. (The next day was so miserable. During the exam, I almost fell asleep when I was sleepy ).
Suddenly I figured out something. The Administrator fixed this vulnerability by setting the original password in the Program # l @ $ AK #. LK; 0 @ P is changed to something else, so the password he changed is still in the program. If I can get it down, I will use winhex or xhex to serve the sentence, do not believe it.

The second day of the archaeological literature generation, the question was old and smelly. After a while, I ran to the server (the audience wore black cloak and sunglasses, I thought I was Neo, cold ......), immediately open the ocean top 2005 on the server, and directly view the C:/program files/Serv-U/directory. After reading the file, find servuadmin.exe and download it with "stream download" at Ocean top 2005. Excited... the nosebleed is out ......

Start servuadmin.exe with xhex, press Ctrl + F, enter localadministrator, and click search. Haha, the password is the same as "localadministrator", and the password is "85457845152145 "! This happens that the Administrator has not modified the user name. How can we search for the modified User Name? In fact, it works well. Search for "localadministrator" for "servuadmin.exe" of "normal serv-uin the same region", locate the "region" folder, and then open the first "servuadmin.exe". Press Ctrl + G to go to the address to find the user name and password. (Figure 6) What if the Administrator has the port? This is simple. Let's look at netstat-An in webshell and find Port 127.0.0.1: XXXXX. You can guess it. In addition, an error may occur when you modify the Management port. If you modify a few of them, the error cannot be managed.

Figure 6

With the password, everything went smoothly. My head was stupid, so I started to use a stupid method. Upload nc.exeand su.txt to the server, and then C:/winnt/system32/inetsrv/data/nc.exe 127.0.0.1-P 43958 <C:/winnt/system32/inetsrv/data/su.txt

Su.txt contains the following content:

User localadministrator
Pass 85457845152145
Site Maintenance
-Setdomain
-Domain = myftp | 0.0.0.0 | 22 |-1 | 1 | 0
-Dyndnsenable = 0
Dynipname =
-Setusersetup
-IP = 0.0.0.0
-Portno = 21
-User = test
-Password = 123456
-Homedir = C :/
-Maintenance = System
-Ratios = none
Access = C:/| rwamelcdp
-Getusersetup

In this way, the server creates a new domain named myftp. The account is "test", the password is "123456", the user directory is "C:/", and the user permission is "Serv-U System Administrator. Create a new server in the local Serv-U, fill in the IP address of the server, fill in port 22, user name test, password 123456, but login fails. For some reason, the server may have used TCP/IP filtering or _ blank "> firewall, which does not allow access to non-authenticated ports. If this port is changed to 21, it will not work. I tested two servers, but it failed for some reason.
Later I thought that since I had a password, I directly changed the password in the Privilege Escalation Vulnerability exploitation program "# l @ $ AK #. LK; 0 @ P "is not enough for the password I got! Find out the code used to exploit this Local Privilege Escalation Vulnerability, change the password, and compile the code successfully. Try it on that server! Get system permissions! I immediately added a user, and the zombie has already opened the terminal service, which is very convenient!
The intrusion is over, and the rest is cleaning the battlefield.
After logging on to the zombie through the terminal, we found that the stuff submitted by NC was effective. A new myftp domain exists in the server, and the connection failed because _ blank "> firewall was installed on the zombie. (Figure 7)

Figure 7

Later, I thought that many of my friends didn't install C language on their machines. It is inconvenient to use it. I wrote a graphical interface configuration program (figure 8) using BCB, which I just learned! Secret, find "localadministrator" and "# l @ $ AK #. lk; 0 @ P", and change it to your own password.

Figure 8

Iv. post-event thinking

How can I fix this Serv-U Local Privilege Escalation Vulnerability? This simple modification of the default password in the file is obviously insecure. We can leave the Internet Guest Account Serv-U with the permission to install directory browsing, so that we cannot download the program to find the password (figure 9 ). However, this vulnerability can still be exploited, such as local user privilege escalation.

Figure 9

Think about it, because Serv-U runs with the system permission by default when starting a service, so it is possible to be elevated by permissions. If we change the starting user of Serv-U to a user group, there will be no so-called permission escalation. (Figure 10) However, this low-Permission user must have full control over the Serv-U installation directory and the directory or drive letter that provides the FTP service. Tests show that Serv-U started by users in common groups cannot add or delete users. Everything else works.

Figure 10

I am intruder, I am working hard, I hope to join e.s. T as soon as possible, you have any questions and questions can write to me, e-mail: netintruder@163.com, we will communicate and make progress together