Web


Nmap discovered a web server on target port 8082. The running service is the H2 database HTTP console.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/jacko]
└─$ curl -I -X OPTIONS http://$IP:8082/
curl: (52) Empty reply from server
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/jacko]
└─$ curl -I http://$IP:8082/
curl: (52) Empty reply from server
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/jacko]
└─$ curl -H 'Priority: u=0, i' http://$IP:8082/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
Copyright 2004-2019 H2 Group. Multiple-Licensed under the MPL 2.0,
and the EPL 1.0 (http://h2database.com/html/license.html).
Initial Developer: H2 Group
-->
<html><head>
    <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
    <title>H2 Console</title>
    <link rel="stylesheet" type="text/css" href="stylesheet.css" />
<script type="text/javascript">
location.href = 'login.jsp?jsessionid=367e3d27811ec0cd6532ed8f26f88646';
</script>
</head>
<body style="margin: 20px;">
 
<h1>Welcome to H2</h1>
<h2>No Javascript</h2>
If you are not automatically redirected to the login page, then
Javascript is currently disabled or your browser does not support Javascript.
For this application to work, Javascript is essential.
Please enable Javascript now, or use another web browser that supports it.
 
</body></html>

Redirected to the login page of the H2 HTTP console.

Bypassing Auth

Creating a new database reveals the version information: H2 1.4.199.

Arbitrary file read via the FILE_READ function

Vulnerabilities


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/jacko]
└─$ searchsploit h2 1.4.
---------------------------------------------- ---------------------------------
 Exploit Title                                |  Path
---------------------------------------------- ---------------------------------
H2 Database 1.4.196 - Remote Code Execution   | java/webapps/45506.py
H2 Database 1.4.197 - Information Disclosure  | linux/webapps/45105.py
H2 Database 1.4.199 - JNI Code Execution      | java/local/49384.txt
---------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

It would appear that the target H2 instance suffers from multiple vulnerabilities, including CVE-2021-42392.
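Two things on this page lend themselves to a small assessment script from the defender's side: the console banner returned on GET / (the `H2 Console` title and the `login.jsp?jsessionid=...` redirect) identifies an H2 web console reachable over the network, and the version string obtained after creating a database can be checked against the range affected by CVE-2021-42392. The block below is an added example and is not code from the writeup or from the H2 project; the sample response is a constructed copy of the banner shown above, the version is passed in as a parameter (the script does not perform the database-creation step), and the affected range (1.1.100 up to but not including the 2.0.206 fix release) is taken from the public advisory and stated here as an assumption.

```python
"""Assess an exposed H2 web console: fingerprint the landing page and
check a reported version against CVE-2021-42392.  Added example, not
part of the original writeup."""
import re
from typing import List, Optional, Tuple

# Constructed sample: the body the H2 console returns on GET /,
# trimmed to the parts that matter (jsessionid copied from the page).
SAMPLE_RESPONSE = """<html><head>
    <title>H2 Console</title>
<script type="text/javascript">
location.href = 'login.jsp?jsessionid=367e3d27811ec0cd6532ed8f26f88646';
</script>
</head>
<body style="margin: 20px;">
<h1>Welcome to H2</h1>
</body></html>
"""

# Assumed from the public advisory for CVE-2021-42392: first affected
# release and the release that shipped the fix (not affected).
CVE_2021_42392_FIRST = (1, 1, 100)
CVE_2021_42392_FIXED = (2, 0, 206)

# Title and redirect the H2 console emits on its landing page.
_TITLE = "<title>H2 Console</title>"
_REDIRECT = re.compile(r"location\.href\s*=\s*'login\.jsp\?jsessionid=([0-9a-f]+)'")


def fingerprint_h2_console(body: str) -> Optional[dict]:
    """Return a small fingerprint dict if `body` is the H2 console landing
    page, else None.  The session id is reported so an analyst can match
    it against the login page that follows."""
    if _TITLE not in body:
        return None
    m = _REDIRECT.search(body)
    return {"product": "H2 Console", "session": m.group(1) if m else None}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract an x.y.z version tuple from strings such as 'H2 1.4.199'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def affected_by_cve_2021_42392(version: str) -> bool:
    """True when the version lies in [FIRST, FIXED): tuple comparison
    handles the 1.x -> 2.x boundary correctly."""
    return CVE_2021_42392_FIRST <= parse_version(version) < CVE_2021_42392_FIXED


def assess(body: str, version: Optional[str] = None) -> List[str]:
    """Produce findings for one host: exposure of the console itself, and
    the CVE check when a version string is available."""
    findings: List[str] = []
    fp = fingerprint_h2_console(body)
    if fp is None:
        return findings
    findings.append(
        "H2 web console reachable over the network; bind it to localhost "
        "or disable it if it is not needed"
    )
    if version and affected_by_cve_2021_42392(version):
        findings.append(
            f"H2 {parse_version(version)} is within the range affected by "
            "CVE-2021-42392; upgrade to 2.0.206 or later"
        )
    return findings


if __name__ == "__main__":
    for line in assess(SAMPLE_RESPONSE, "H2 1.4.199"):
        print("-", line)
```

Feed `assess()` the body of a GET to the console port (the same request the page makes with curl) and, where you have it, the version string observed in the console; a non-H2 response yields no findings, and an H2 version at or above 2.0.206 yields only the exposure finding.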