Jacko Proving Grounds Write-Up
SUMMARY
This write-up covers the Jacko machine from OffSec’s Proving Grounds, a Windows machine where an exposed database administration console provided unauthenticated command execution.
Port enumeration revealed an H2 database console running on port 8082, accessible without credentials. The identified version was vulnerable to remote code execution via Java payloads — by compiling and running arbitrary Java code through the console, system commands could be executed. This was used to download nc.exe via an SMB share and send a reverse shell.
The compromised user held SeImpersonatePrivilege, and GodPotato was used to escalate privileges. The resulting shell was unstable and did not display all command outputs, so a SAM and SYSTEM hive backup was performed instead. The files were transferred to the attacker’s machine, dumped with secretsdump, and the Administrator hash was used with psexec to obtain a stable shell as NT AUTHORITY\SYSTEM.
PATH TO FOLLOW
- Reconnaissance & H2 Console Discovery on Port 8082
- Unauthenticated Access & Java RCE
- Reverse Shell via nc.exe
- SeImpersonatePrivilege Identification & GodPotato Execution
- SAM/SYSTEM Hive Backup & Hash Dump
- Shell as NT AUTHORITY\SYSTEM via psexec
Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.