Jacko
Last updated
Last updated
Source: Proving Grounds OS: Windows Community Rating: Hard
I started with the usual autorecon and was hit with a slew of open ports: 80, 135, 139, 445, 5040, 8082, 9092, 49664 -> 49669
I began with port 80 as usual, which presented an interface for the H2 Database Engine.
Checking online, I learned that H2 Database Engine has multiple vulnerabilities. Exploit DB with the ID, 49384 showed an exploit that allowed running Java code. I tried several automated PoCs with no luck. I kept searching for the correct method to interact with the engine, and it wasn’t until I checked port 8082 that I found the proper login page.
Using the default credentials, sa with an empty password, I was able to log in without issue.
Following the CVE details, I managed to run commands successfully.
However, when I attempted to upload my shell and get a reverse shell, nothing worked. I ended up reverting the machine over and over, and after a few frustrating hours away, the same commands worked on my return. OffSec servers, always keeping you on your toes.
I finally uploaded and executed my reverse shell using the following queries:
When I started checking privileges, running commands like whoami
failed with the error:
'whoami' is not recognized as an internal or external command, operable program or batch file.
After searching, I discovered that the %PATH% environment variable was missing some key defaults. The issue was fixed after running:
After that, checking privileges with whoami /priv
confirmed I had SeImpersonatePrivilege, a huge relief that opened the door for escalation. I checked systeminfo and confirmed the system was Windows 10 x64, so I opted for GodPotato x64. I verified the .NET Framework version by running:
which showed Version 4. Finally, I ran:
The first attempt failed for reasons I couldn’t pinpoint, but running GodPotato a second time succeeded, and I obtained a SYSTEM shell.
H2 Interface Discovery: Checking alternate ports (like 8082) can reveal key interfaces not visible on the default port and help you not waste your time.
Default Credentials: Always try the default credentials, here, sa with an empty password was all it took.
Persistence Pays Off: I don't know for this one, maybe hope that OffSec servers are having a good day?
Environment Variables: Ensure your %PATH% is correctly set to avoid command execution issues.
Privilege Escalation: Always check the privileges, Potatos are awesome!