PG Jacko
The H2 Database stands out. I visit and automatically log in. I note the H2 Database version (1.4.199). I see a searchsploit exists for it. https://www.exploit-db.com/exploits/49384 Copying and pasting the commands allows for remote execution.
Getting User on the box is easy and takes less than an hour. Priv esc I couldn't figure out myself. At all.
At least failing at priv esc made me install Visual Studio to compile these Windows executables on my own!! I can generate x64/x86 exploits from .sln files now. Before I was lazy and didn't really need this. But it's not that hard. PrintSpoofer.exe used to work on this box, but not anymore. I compiled WSuspicious too. Offsec is pretty good at locking down unintentional priv esc routes.
The answer is a program within Program Files (x86) called PaperStream.
Lessons Learned
- Check the Program Files and Program Files (x86) folders for any unusual programs.
- Installed Visual Studio to compile code. No longer need to solely rely on Github binaries.
- Discovered PrintSpoofer.exe for Win 10, Win Server 2016, 2019.
- Never seen H2 Database before. It's a Java SQL database.
To Do
- Try to get PrintSpoofer working on one machine.
- Try out SweetPotato.