Penetration Testing mailing list archives

Re: clue on shell


From: ArcSighter Elite <arcsighter () gmail com>
Date: Wed, 07 Jan 2009 10:43:55 -0500

Joshua Gimer wrote:
On Mon, Jan 5, 2009 at 11:59 AM, Ricardo Mourato <ricardomcm () gmail com> wrote:
I've got a shell, but it is very limited. I'm trying to upload some
programs in order to get a better shell and get admin rights.

You could also start the telnet service:

sc start TlntSvr

or

net start TlntSvr

Just be careful when performing your tests that you do not weaken the
security posture of the system too much; the point is to determine
high-risk areas, not create them.


I think Windows Server 2003 improved the security of tftp and other
dangerous services (at least in its access control). I say it over and
over again: a real pen-tester must know about post-exploitation
techniques. I think this post is not getting anywhere; there are many
ways. The interesting fact is that there are hundreds of papers discussing
the issue, so I don't know why he doesn't have a clue about it.
However, in the meantime, I know Windows is very poor in its default
configuration for post-exploitation (compared to an "unsecured" Unix
flavor, which at least has perl in most cases), but as far as I know, if
you got a shell you got root in most cases.
I normally let people google, but today I'll try something different.

If you got a shell, then you have to provide us with the level of access
you've acquired; if it's the default then you won't be SYSTEM, but you
need to tell us.

Privilege escalation: well, many ways. For example, you could abuse ACLs
of services or custom apps, or give a try to anything similar to
uninformed's w32k.sys privilege escalation.

Post-exp (the list is far from complete, do the research):
1. executable uploading (debug, scr, vbs, hex dump, client-side scripting).
2. another web vuln (remote include, etc.)
3. privilege escalation (rev2self, win acls, vuln installed software,
w32k-like privilege escalation exploit).
4. backdooring (adduser, trojan-horsing, rootkits)
5. host trusts abusing.
6. enabled easy-filesharing abuse.
7. mitm attacks seeking privileged services' network traffic (hashes,
etc.).
8. smb-world attacks.

Give it a try. As I said, the list is far from complete, it is a mind-flash,
but I think any of those 8 points will help you achieve your goal.

Honestly.