Penetration Testing mailing list archives
Re: [PEN-TEST] Expand right under Win2K
From: Complx1 * <complx1 () HUSHMAIL COM>
Date: Tue, 9 Jan 2001 20:10:59 -0800
Maybe I'm mistaken, but the answers don't seem to match the question. Then again, it could be the skill of others clouding my understanding. Understanding is relative nonetheless.

On recent pen tests this subject has been a major issue for two reasons:

#1) unicode is still un-aged as a vulnerability
#2) it does not allow full compromise in a one-two step like rds

I regret I cannot offer a fully working scenario, because I do not have one as of yet. I would refrain from installing bo2k under all circumstances, for the simple reason that any competent admin would have antivirus software running on the target server. Assuming a weak firewall or no firewall, service enumeration could easily eliminate this possibility for those who might travel that route.

I have tested cmdasp.asp internally, and found it a simple but *amazing* tool. It does not offer admin/system/authority level commands as far as I know or have experienced. I have put together a scenario in notes, to test in the future or at the first available time. I have tested it once in a full pen test (only once) but the results were negative. There was every indication that it was a success, so this made it a high priority for internal testing at the next available time in a controlled environment. (My home lab is all w2k/nix and IIS5 =((

(babble mode off)

Scenario requirements:

Target server = NT 4.0, IIS 4.0 (patch levels will vary results)
Remote Penetration exploit = unicode web folder traversal
Local Escalation Exploit = LPC port request

Using the unicode exploit on the target NT 4.0 / IIS 4.0 server, we use the extended information and tftp to upload your choice of netcat or cmdasp.asp. Both are spawned from unicode, via the IUSR_blah permissions of the web process. When the netcat port is open, or cmdasp allows execution, issue tftp and upload the LPC port local exploit to the target server.
(Information below taken from nmrc.org.) The LPC exploit is identified by Microsoft as MS00-003. Their description of the exploit is as follows:

====================================
Todd Sabin's exploit of the bug mentioned in MS00-003 in January of 2000. Allows command execution as SYSTEM by a local user. Works on NT up through SP6.

The compiled executable can be found at http://nmrc.org/files/nt/hk-0.1.zip
The Microsoft information is here: http://www.microsoft.com/technet/security/bulletin/ms00-003.asp

In the legit pen test, I issued a copy of sam to webpub via the LPC exploit. The output of the exploit was positive, however the file did not exist afterwards. Since this was a remote test, I gave it one shot, and decided to keep moving down the list to the other bucket of toys they had for me to play with. But this is the working model I'm testing.. if anyone has a positive result or comment, even a flame, do your thing.. it's a free world.

.complx1

At Tue, 9 Jan 2001 16:17:53 -0500, Paul Cardon <paul () MOQUIJO COM> wrote:
> > > Charlie Rhodes wrote:
> > > We have a win2k where we have access to a cmd.exe with the rights of the web-server and we would like to obtain administrator rights. Also we don't have the rights to read the SAM files. We tried the well-known methods under win NT 4.0 (like breaknt.exe, read from raw device) in vain.
> >
> > Do you have network (ftp) access? or floppy access? http://www.bo2k.com should do the trick. You'll probably want to configure the server part off the machine, then load it on.
>
> This is the second time this question has been asked on the list and almost everybody misunderstands the problem. Let me restate it:
>
> Suppose a pen-tester has used the IIS Unicode vulnerability to download a back door such as a netcat listener to the target Win2K server and now has a remote cmd shell. At this point the remote shell is running with IUSR_<MACHINE> privilege since that is the privilege level that the Unicode vulnerability provides. Now, how does the pen-tester elevate privilege to Administrator?
>
> Any software that is downloaded (tftp, ftp, whatever) through the remote command shell will only run with IUSR_<MACHINE> privilege. Why do people think that downloading BO2K, netcat, or some such will magically elevate privilege? It doesn't. The only things that are possible are:
>
> 1) There is a known privilege escalation vulnerability that can be exploited with local unprivileged access. The attacker can download and run that code to gain Administrator access.
> 2) Brute force attack against accounts with local Administrator privilege.
> 3) Look for vulnerabilities in other systems that the web server can talk to. Some of those may expose Domain accounts with Administrator privilege on the web server or other systems that are trusted by the web server.
>
> There are others but Win2K does limit some of the nicer possibilities that existed with NT.
>
> -paul